A HIPAA violation is the failure by a HIPAA covered entity or business associate to comply with any applicable regulation, standard, or implementation specification of the HIPAA Administrative Simplification Regulations (45 CFR Subtitle A, Subchapter C). The term is also used to describe the violation of a workplace privacy or security policy by a member of a covered entity’s workforce.
What is HIPAA?
HIPAA is an acronym of the Health Insurance Portability and Accountability Act – an Act passed in 1996 to reform the health insurance industry. As the cost of the reforms would increase insurance premiums and reduce tax revenues, Congress added a second Title to HIPAA with the intention of reducing health insurance fraud and increasing the efficiency of health insurance transactions.
To increase the efficiency of health insurance transactions, the Secretary of Health and Human Services (HHS) was instructed to develop standards for electronic transactions such as health plan enrollments, first reports of injury, treatment eligibility checks, and health claim billing. The first sets of standards were published in August 2000 and have been updated regularly since.
In addition, the Secretary was instructed to make recommendations for the privacy of health information and develop standards for the security of individually identifiable health information transmitted in “covered transactions” (and maintained electronically thereafter). These instructions led to the publication of the Privacy Rule in December 2000 and the Security Rule in February 2003.
Both the Privacy Rule and the Security Rule have since been updated by the Omnibus Final Rule in 2013 and by other minor amendments. The Omnibus Final Rule also finalized the interim rules relating to breach notifications and a four-tier penalty structure for HIPAA violations, and made business associates directly liable for the HIPAA violations for which they are responsible.
What is a HIPAA Violation?
A HIPAA violation is the failure to comply with any applicable (*) regulation, standard, or implementation specification of the Administrative Requirements (for electronic transactions), the Privacy Rule, the Security Rule, or the Breach Notification Rule. A covered entity or business associate may also be in violation of HIPAA if they fail to cooperate with a HIPAA audit or investigation.
(*) HIPAA covered entities and business associates do not have to comply with regulations, standards, and implementation specifications that do not apply to their business activities. For example, a business associate that provides data storage facilities for a covered entity does not have to provide a Notice of Privacy Practices to the subjects of the stored data.
A data breach or impermissible disclosure of Protected Health Information (PHI) does not have to occur for an incident to be considered a HIPAA violation. Many financial penalties have been issued for the failure to respond to individuals exercising their rights as patients, while other penalties have been increased because of the failure to conduct a risk assessment, provide HIPAA training, or enter into Business Associate Agreements before sharing PHI with a business partner.
With regard to HIPAA violations by workforce members, these are more accurately violations of their employers’ policies and procedures. In such cases, the penalty for violating HIPAA (typically a verbal or written warning) is usually enforced by the employer rather than by HHS’ Office for Civil Rights (for violations of the Privacy, Security, or Breach Notification Rules) or the Centers for Medicare and Medicaid Services (for violations of the Administrative Requirements).
Examples of Common HIPAA Violations
It is not possible to provide a definitive list of examples of HIPAA violations because the only public source of information is HHS’ Office for Civil Rights, which reports on breach notifications and on complaints received from members of the public. These may represent only a fraction of all HIPAA violations, because some complaints are made directly to the organization responsible or – when violations are attributable to staff non-compliance – are dealt with in-house.
However, from the available information, it is possible to compile a list of the ten most common examples of HIPAA violations.
- Unauthorized access to PHI – attributable to members of the workforce snooping on family, colleagues’, and celebrities’ medical records.
- The failure to perform an accurate and thorough HIPAA risk assessment – making it impossible to identify where risks and vulnerabilities exist.
- The lack of a risk management process – which leads to failures in managing privacy and security risks and responding to security incidents.
- Failing to respond to individuals exercising their rights as patients – or delaying the response beyond the time limits stipulated by the Privacy Rule.
- The failure to enter into a HIPAA-compliant Business Associate Agreement – or monitor compliance with the terms of the Agreement.
- Insufficient administrative, physical, and technical safeguards to control access to – and prevent the theft of – electronic PHI.
- The failure to use effective encryption – or an equivalent security measure – to protect electronic PHI stored on, or transmitted by, mobile devices.
- Exceeding the deadline for notifying individuals and HHS’ Office for Civil Rights of a breach of unsecured PHI.
- Impermissible disclosures of PHI by members of the workforce that could have been prevented by adequate HIPAA training or technical safeguards.
- The improper disposal of PHI maintained on paper (including labels on prescription bottles) or electronically (including the failure to purge electronic media before disposal).
How are HIPAA Violations Discovered?
HIPAA violations may be discovered during internal HIPAA compliance audits, supervisors may identify personnel who have broken HIPAA Rules, and employees may self-report HIPAA violations or report potential violations by their co-workers. Some healthcare organizations also prompt patients to make complaints about privacy issues directly to them, rather than involving HHS’ Office for Civil Rights.
As the primary enforcer of HIPAA, HHS’ Office for Civil Rights (OCR) may discover HIPAA violations while investigating data breaches. OCR investigates all covered entities that have reported breaches affecting 500 or more individuals, as well as some smaller breaches. OCR also investigates privacy complaints from the public and from employees of HIPAA-covered entities, and conducts periodic HIPAA compliance audits.