Everyday, there seems to be a new report about a healthcare provider or health plan that has been discovered to have violated HIPAA Rules, but what is a HIPAA violation?
What is a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 was created to streamline the administration of healthcare, reduce wastage, protect against healthcare fraud, and make sure that employees retain their healthcare coverage whenever they are between jobs.
There have been several major updates to HIPAA over the years to enhance patient and health plan members’ privacy protections and make certain that healthcare information is secured. The updates are known as the HIPAA Privacy Rule, HIPAA Omnibus Rule, HIPAA Security Rule and the HIPAA Breach Notification Rule.
A HIPAA violation is any failure to comply with any facet of HIPAA standards and conditions specified in 45 CFR Parts 160, 162, and 164. HIPAA regulations have been combined into a single document by the Department of Health and Human Services Office for Civil Rights which runs to 115 pages and contains many provisions. There are many ways that HIPAA Rules can be violated, but the most prevalent HIPAA violations are listed below:
- Impermissibly disclosing protected health information (PHI)
- Accessing PHI without authorization
- Disposing of PHI improperly
- Failing to conduct a risk analysis
- Failing to manage risks to the integrity, confidentiality and availability of PHI
- Failing to use safeguards to guarantee the integrity, confidentiality and availability of PHI
- Failing to retain and monitor PHI access logs
- Failing to sign a business associate agreement with vendors before providing PHI access
- Failing to give patients copies of their health records upon request
- Failing to employ access controls to restrict the individuals who can access health data
- Failing to end PHI access rights when an employee leaves the company or a job description changes
- Disclosing more PHI than is needed for a specific job to be done
- Failing to give employees training on HIPAA Rules
- Failing to provide security awareness training to staff
- Theft of patient data
- Unauthorized release of PHI to persons not approved to receive the information
- Sharing PHI on the internet or through social media sites without authorization
- PHI mishandling and mismailing
- Texting PHI
- Failing to encrypt PHI or to employ an equivalent control to stop unauthorized PHI access/disclosure
- Failing to inform a person (or the Office for Civil Rights) about a breach of PHI within 60 days after discovering a breach
- Failing to record compliance efforts and maintain documentation
- Disclosing PHI for reasons not permitted by the Privacy Rule without first obtaining consent
- Filming patients without consent
How are HIPAA Violations Discovered?
HIPAA violations may be discovered during internal HIPAA compliance audits, supervisors could identify personnel who have broken HIPAA Rules, and employees may self-report HIPAA violations and potential violations by their co-workers.
The primary enforcer of HIPAA Rules – the HHS’ Office for Civil Rights – often discovers HIPAA violations while investigating data breaches. OCR investigates covered entities that have experienced a breach that has affected 500 or more people and some smaller breaches. OCR also investigates privacy complaints from the public and employees of HIPAA-covered entities and conducts periodic HIPAA compliance audits. State attorneys general are also authorized to investigate breaches and potential HIPAA violations.
What Penalties are Issued for HIPAA Rules Violations?
The fines for violations of HIPAA Rules can be substantial. State attorneys general can issue a maximum penalty of $25,000 per violation category, per calendar year. OCR can issue a maximum penalty of $1.5 million per violation category, per year.
Besides healthcare companies, health plans and business associates of covered entities, individuals violating HIPAA Rules can also be fined and criminal penalties may be deemed appropriate. Imprisonment of up to 10 years is a possibility serious violations of HIPAA Rules (Theft of PHI for example).