Who can violate HIPAA?


Who can violate HIPAA? Can anyone violate HIPAA? To answer this, it is essential to first know who HIPAA applies to, and under what conditions HIPAA applies. 

One of the main purposes of HIPAA is to stipulate who can access and use patient data, and what safeguards must be in place to prevent it from falling into the wrong hands. All organizations that meet the definition of a HIPAA covered entity (CE) are required to comply with its Rules. Being bound by those Rules is also what makes a violation possible: a covered entity can violate HIPAA precisely because HIPAA applies to it.

Though there are some exceptions, covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit Protected Health Information (PHI) electronically in connection with healthcare-related administrative or financial transactions (claims, eligibility checks, payment and the like). The wording of this definition can be misleading: the electronic transmission only determines whether an organization is a covered entity. Once it is, all of the PHI it holds is protected, irrespective of format (verbal, paper or electronic).

Any organization that is considered a “business associate” (BA) of a covered entity must also be HIPAA compliant (and therefore can also violate HIPAA). A BA usually carries out a specific task on behalf of the CE that involves creating, receiving, maintaining or transmitting PHI; for example, if a hospital saves patient files on Google Drive, Google is considered a BA. Before the service is used, the CE must enter into a business associate agreement (BAA) with the third party. This agreement stipulates how the BA is expected to adhere to the HIPAA Rules, which helps to avoid potential violations. Any subcontractors of a BA that handle PHI on its behalf are also required to be HIPAA compliant, and the BA must have an equivalent agreement in place with them.

Safeguarding PHI is of vital importance. The sensitive nature of the information contained in health records means that, if they are accessed by unauthorized individuals, the results could be very damaging for the patient. For example, if an individual got access to a patient’s name and social security number, they may be able to commit identity theft. Exposing data on bank accounts could leave the patient vulnerable to fraud. More nefariously, if the patient’s healthcare status is made public, it could lead to a restriction of their employment opportunities or affect their social standing. 

This is why the Department of Health and Human Services (through its Office for Civil Rights) has the power to penalize those who violate HIPAA. The civil penalty structure depends on both the level of culpability (whether the organization knew or should have known about the violation, whether it was due to willful neglect, and whether it was corrected) and the scale and duration of the breach. In some cases, criminal prosecution may follow.

Only those who are subject to HIPAA have the potential to violate it. The main parties that are required to be HIPAA compliant are CEs and their BAs, including, of course, the members of their workforce. Because the consequences of a violation are severe, and because the Privacy and Security Rules require it, all workforce members should receive HIPAA training to minimize the risk of violations occurring.