Are HIPAA Violations Common?
It is impossible to answer the question "are HIPAA violations common?" accurately, because there is no way of knowing how many violations occur, which of those are reported, and who they are reported to. However, from the limited information that is available, it is possible to deduce that HIPAA violations are more common than many people realize.
When attempting to answer the question "are HIPAA violations common?", it is important to note that a HIPAA violation does not necessarily mean a breach of unsecured PHI has occurred. A HIPAA violation is any failure to comply with the HIPAA Administrative Simplification provisions – e.g., the Administrative Requirements, and the Privacy, Security, and Breach Notification Rules.
Therefore, the failure to apply transaction codes correctly, the failure to issue a Notice of Privacy Practices, and the failure to comply with the HIPAA password requirements are all violations of HIPAA in which no breach of unsecured PHI has occurred. Because – by themselves – these types of HIPAA violations do not cause visible harm, they can continue unnoticed indefinitely.
How HIPAA Violations are Identified
Many HIPAA violations go unnoticed until a regulating agency conducts an investigation following a complaint from an individual or a breach notification from a Covered Entity. Furthermore, it is often the case that an investigation finds multiple HIPAA violations. For example, a data breach with its origins in a phishing attack could reveal a failure to conduct a risk assessment, a failure to provide security awareness training, and a failure to comply with the HIPAA password requirements.
More commonly, HIPAA violations are identified by the individuals affected by them. For example, HHS' Office for Civil Rights has resolved more than 50,000 reports of HIPAA violations made via its Complaints Portal. However, these may only be the tip of the iceberg. Many organizations issue Notices of Privacy Practices asking individuals to contact them directly if they have a complaint. Some do not even include the contact details for HHS' Office for Civil Rights.
HIPAA violations can also be identified internally – either through a risk analysis or by a workforce member reporting a violation to a supervisor or compliance officer. In such cases, although the reports must be documented, they never enter the public record. Consequently, when asking whether HIPAA violations are common, there could be one, ten, or a thousand HIPAA violations reported internally in each organization – and we will never find out about them.
HIPAA Violations on the Public Record
HIPAA violations can be reported directly to the organization (either externally or internally), to the Centers for Medicare and Medicaid Services (CMS – for violations of the Administrative Requirements), to the Federal Trade Commission (FTC – for violations of the Breach Notification Rule by organizations not covered by HIPAA), and to each state's Office of the Attorney General. However, the only HIPAA violations on the public record are those published by HHS' Office for Civil Rights.
Even these records are limited, as they relate to approximately 4,000 breaches of unsecured PHI affecting more than 500 individuals. Breaches affecting fewer than 500 individuals are also reported to HHS' Office for Civil Rights, but these do not appear on the public record, so it is impossible to ascertain exactly how many there have been. However, from the archived breach reports, it is possible to identify trends in the most common reasons for breaches.
Over the past few years, there has been a significant increase in the proportion of data breaches reportedly attributable to hacking and IT incidents. While this implies cybersecurity incidents are responsible for most data breaches, it is important to be aware that not all cybersecurity incidents are attributable to external bad actors, and the cause of a data breach is not always accurately reported. Furthermore – as discussed above – some breaches may be caused by multiple HIPAA violations.
Conclusion: Are HIPAA Violations Common? Probably
It was mentioned in the introduction that there is no way of knowing whether HIPAA violations are common. This is because many HIPAA violations are not identified, and – when they are – the reported HIPAA violations are often not on the public record. What we can assume is that the tens of thousands of HIPAA violations reported to HHS' Office for Civil Rights are likely the tip of the iceberg, and – if so – it is possible to deduce that HIPAA violations are more common than many people realize.