The most common HIPAA violations committed by healthcare organizations that have resulted in financial penalties are the failure to:
- Conduct a comprehensive risk analysis to pinpoint threats to the confidentiality, integrity, and availability of protected health information (PHI)
- Enter into a HIPAA-compliant business associate agreement (BAA)
- Prevent impermissible disclosures of PHI
- Send breach notifications without delay and within 60 days of discovery
- Safeguard PHI
The Department of Health and Human Services’ Office for Civil Rights (OCR) pursues financial penalties for egregious HIPAA violations. The penalties serve as a punishment for noncompliance and send a message to other covered entities of the importance of complying with HIPAA Rules.
This post addresses five of the most common HIPAA violations committed by covered entities and business associates that have resulted in civil monetary penalties or settlements in the past 5 years.
Not All Data Breaches Constitute a HIPAA Violation
Data breaches are undeniably a part of life now. Despite having multi-layered cybersecurity defenses, data breaches can still occur. OCR is aware that cybercriminals target healthcare organizations and that there’s no way to deploy impenetrable security defenses.
Becoming HIPAA compliant is not about ensuring data breaches do not occur. HIPAA Security Rule compliance is about minimizing risks to a reasonable and appropriate level. If an organization experiences a data breach, it doesn’t mean it happened because of a HIPAA violation.
The OCR breach portal is split into two parts: breaches that are currently under investigation and those that have been investigated and closed. In many cases, breach investigations are closed with no action taken. Sometimes guidance is provided or technical assistance is offered. Sanctions and penalties are reserved for serious violations and compliance failures.
Discovery of HIPAA Violations
It can take months or even years before HIPAA violations are discovered. As a general rule of thumb, the longer they persist, the greater the fine that will be imposed. Therefore, HIPAA-covered entities should regularly review their HIPAA compliance efforts and conduct internal audits to identify potential HIPAA violations and data breaches and should take action before they are discovered by regulators.
There are three primary ways that regulators identify HIPAA violations:
- Investigations of data breaches
- Investigations of complaints
- Audits of HIPAA compliance
Even if a HIPAA violation has not led to a breach or a complaint is unfounded, OCR may discover noncompliance issues during its investigations and audits, which may result in a financial penalty.
Most Common HIPAA Violations
Listed below are the 5 most common HIPAA violations, along with cases where HIPAA-covered entities and business associates have been financially penalized. In a number of cases, multiple HIPAA violations were uncovered during investigations of data breaches and complaints. The amount of each settlement is based on the seriousness of the violation, the duration of the violation, the number of violations discovered, the impact of the violation on patients/plan members, and the ability of the entity to pay a fine.
1. Failure to Conduct a Comprehensive Risk Analysis
Failing to conduct an organization-wide risk analysis often results in HIPAA fines. If regular risk analyses are not performed, organizations cannot identify all risks to the confidentiality, integrity and availability of PHI. If risks remain unaddressed, they could be exploited.
Examples of covered entities that have failed to conduct an organization-wide risk analysis are listed below, along with the settlement amounts:
- Oregon Health & Science University – $2.7 million settlement
- Cardionet – $2.5 million settlement
- Cancer Care Group – $750,000 settlement
- Lahey Hospital and Medical Center – $850,000 settlement
2. Failure to Sign a Business Associate Agreement that is HIPAA-Compliant
A HIPAA-compliant business associate agreement is a contract between a HIPAA-covered entity and a vendor. Working without a BAA is a HIPAA violation. Keep in mind that a BAA might not be HIPAA compliant, particularly if it was not modified after the Omnibus Final Rule was introduced.
Examples of entities that committed this HIPAA violation and resultant fines are listed below:
- Raleigh Orthopaedic Clinic, P.A. of North Carolina paid a $750,000 settlement for failing to enter into a HIPAA-compliant business associate agreement.
- North Memorial Health Care of Minnesota paid a $1.55 million settlement for not having a BAA with a main contractor and committing other HIPAA violations.
- Care New England Health System paid a $400,000 settlement for not updating business associate agreements.
3. Failure to Employ Encryption or a Comparable Measure to Protect ePHI on Mobile Devices
Encrypting ePHI is one effective method of protecting against data breaches. When a breach involves encrypted ePHI, it is not a reportable security incident unless the decryption key was also stolen. HIPAA does not mandate encryption, but if encryption is not used, the entity must implement an alternative, comparable security measure.
For failing to protect PHI, the following companies had to pay a financial penalty:
- Children’s Medical Center of Dallas paid a $3.2 million civil monetary penalty for failing to address identified risks, which included not using encryption on portable devices.
- Catholic Health Care Services of the Archdiocese of Philadelphia paid a $650,000 settlement for not using encryption, not conducting an organization-wide risk analysis, and not managing risks.
4. Going Beyond the 60-Day Deadline for Issuing Breach Notifications
The HIPAA Breach Notification Rule requires covered entities to issue breach notifications without unnecessary delay and no later than 60 days after discovering a data breach. Two entities were recently penalized for exceeding the time frame for issuing breach notifications:
- Presence Health paid a $475,000 settlement for issuing breach notifications one month past the 60-day deadline.
- CoPilot Provider Support Services Inc. paid $130,000 to settle with the NY Attorney General for delaying breach notifications.
5. Impermissible Disclosures of PHI
Any disclosure of PHI that isn’t allowed under the HIPAA Privacy Rule can attract a financial penalty. This violation category consists of:
- PHI disclosure to a patient’s employer
- Disclosures related to the theft or loss of unencrypted laptop computers
- Sloppy handling of PHI
- Unnecessary PHI disclosure
- Not adhering to the ‘minimum necessary’ standard
- PHI disclosures when patient authorizations have expired
Two settlements agreed for impermissible disclosures of PHI include:
- Memorial Hermann Health System paid a $2.4 million settlement for exposing a patient’s PHI in a press release.
- Luke’s-Roosevelt Hospital Center paid a $387,000 settlement for careless management of PHI and exposure of a patient’s HIV status.
Listed below is a tally of data breaches reported to OCR between January 2014 and April 2018, by breach cause:
Theft (internal and external)
- 122 in 2014
- 81 in 2015
- 62 in 2016
- 57 in 2017
- 14 in 2018
Loss (of Device or Paper Records)
- 31 in 2014
- 23 in 2015
- 16 in 2016
- 16 in 2017
- 7 in 2018
(Category label missing from source)
- 95 in 2014
- 101 in 2015
- 129 in 2016
- 128 in 2017
- 39 in 2018
Hacking / IT Incidents
- 35 in 2014
- 57 in 2015
- 113 in 2016
- 147 in 2017
- 22 in 2018
(Category label missing from source)
- 12 in 2014
- 6 in 2015
- 7 in 2016
- 11 in 2017
- 4 in 2018