Understanding why they happened can help you safeguard your own practice and build your own plan for how to prevent HIPAA violations.
Depending on your experience with HIPAA, you may find the law rather boring or maybe even intimidating. But the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to simplify health care administration, prevent fraud, and protect patients’ private medical information, and can have serious ramifications for your practice. How to prevent HIPAA violations needs to be at the top of your priority list.
While you may think of HIPAA primarily as a set of rules to protect patient information, it also outlines consequences for when those rules aren’t followed. When HIPAA has been violated, it can result in costly fines and, in certain cases, jail time.
Below, we’ll walk you through what HIPAA violations are and offer you tips on how to avoid them to better safeguard your business and your patient information today.
Simple to extreme HIPAA violations
A HIPAA violation is a failure to comply with any of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. A violation could be something as simple as gossiping about protected health information (PHI). It could also include the failure to properly train employees or the failure to implement HIPAA policies and procedures.
HIPAA violations are also judged based on whether the organization or individual knowingly or unknowingly put PHI at risk.
The primary rules of HIPAA include:
- Privacy Rule: Organizations can’t share a patient’s personal health information without their knowledge or permission.
- Security Rule: Organizations must have physical, technical, and administrative measures to protect health information.
- Omnibus Rule: Individuals have greater rights over access to their protected health information.
- Breach Notification Rule: Organizations must notify affected individuals within 60 days of a data breach.
How are violations discovered?
One of the HIPAA requirements is that regular risk assessments and internal audits be conducted. These can often identify weaknesses or gaps in the safeguards that the Privacy and Security Rules mandate.
Additionally, employees are able to self-report violations they or their co-workers commit. When violations are uncovered, organizations must report them to the Department of Health and Human Services Office for Civil Rights (OCR).
The OCR also conducts periodic audits of HIPAA-covered entities and their business associates. When data breaches occur, OCR investigates cases involving 500 or more records. State attorneys general may also look into complaints about potential violations.
HIPAA penalties
HIPAA violations are broken down into two categories: civil and criminal. Penalties can include fines, corrective action plans, and even jail time.
The OCR issues penalties for HIPAA violations that range in severity based on the nature of the offense and the knowledge the offender had of the violation.
How to avoid HIPAA violations: Civil penalties
Civil penalties are usually issued in cases where the offender was unaware they were committing a HIPAA violation.
Those penalties include:
- A $100 fine if an individual was unaware that they were violating HIPAA rules
- A minimum $1,000 fine if an individual had reasonable cause for their actions and was not “willfully neglectful”
- A minimum $10,000 fine if an individual acted with willful neglect but worked to fix the issue afterward
- A minimum $50,000 fine if an individual acted with willful neglect and failed to fix the issue afterward
When issuing fines, the OCR takes into account information about the organization before it comes to a decision.
Some of the factors that influence the OCR’s decision-making include:
- The number of individuals affected
- Whether the violation caused physical, financial or reputational harm or hindered a patient’s ability to obtain health care
- The organization’s history of prior compliance or noncompliance
- The financial condition of the organization
- Whether the imposition of a civil penalty would jeopardize the organization’s ability to continue to provide health care
- The size of the organization
How to avoid HIPAA violations: Criminal penalties
Criminal penalties are usually issued in cases where individuals knowingly obtain or use PHI without permission.
Criminal HIPAA violations and penalties fall under three tiers:
- Tier 1: Deliberately obtaining and disclosing PHI without authorization — up to one year in jail and a $50,000 fine
- Tier 2: Obtaining PHI under false pretenses — up to five years in jail and a $100,000 fine
- Tier 3: Obtaining PHI for personal gain or with malicious intent — up to 10 years in jail and a $250,000 fine
To give you an example of this type of penalty, let’s take a look at a 2015 case. A former district manager of Warner Chilcott, a pharmaceutical company, pleaded guilty to wrongfully disclosing PHI.
He was sentenced to one year of probation and fined $10,000. His employer paid $125 million in 2016 to resolve its criminal and civil liability.
11 common HIPAA violations
Small actions can result in HIPAA violations, so it’s helpful to understand common examples.
Here are 11 common HIPAA violations:
- A lost or stolen device that contains PHI
- Lack of employee training
- Database breaches
- Gossiping about or sharing PHI
- Improper disposal of PHI
- Employee dishonesty
- Non-compliant partnership agreements
- Failure to perform a risk assessment
- Failure to provide patients with access to their PHI
- Failure to encrypt mobile devices
- Lack of business associate agreements
HIPAA violation examples
Within the health care industry there have been a number of large HIPAA violations you should know about, ranging in both cause and severity.
Tillamook Chiropractic Clinic violation — In 2018, the medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, Ore., were stolen due to a malware infection.
After conducting an internal security audit, the clinic discovered malware on its network. Despite having a firewall in place and up-to-date antivirus and antimalware software, hackers were still able to infiltrate the system through the clinic’s primary insurance billing system.
This resulted in patients’ sensitive data such as addresses, birth dates, driver’s license information, employee payroll data and more being breached.
The lesson: Not only should your practice be conducting regular internal security audits, but you should also ensure that your antivirus and antimalware software are regularly checked to confirm they’re up to date and working effectively.
Elite Dental Associates violation — In October 2019, the OCR fined the Dallas, Texas-based dental practice $10,000 for disclosing PHI on Yelp.
The violation was reported by a patient after the practice replied to a review the patient had left on Yelp with the patient’s full name and health condition. After a 39-month investigation, the OCR found that the practice was in violation of the HIPAA Privacy Rule.
The lesson: You should train employees on how to prevent HIPAA violations and on what they can and cannot share on social media. Training should also cover how to answer online reviews so that PHI is not disclosed.
Lifespan Health System Affiliated Covered Entity (Lifespan ACE) violation — Lifespan ACE, based in Rhode Island, is a nonprofit system that includes many health care provider affiliates within the state.
The organization was fined $1,040,000 by the OCR to settle Privacy and Security Rules violations related to the theft of an unencrypted employee laptop. A hospital employee’s laptop was stolen that contained patient names, demographic information, medical record numbers, and medical information that was estimated to affect 20,431 individuals.
Lesson learned: Encrypting PHI is a crucial step in preventing HIPAA violations and protecting patient information, and it will also save you money and headaches should a device containing PHI be stolen.
Tips for how to prevent HIPAA violations
HIPAA violations can be a scary prospect for a business of any size. However, there are steps you can take to prevent HIPAA violations and to minimize your business’s potential for falling out of compliance with HIPAA rules and regulations.
One of the best ways to avoid potential data breaches is to properly train your team on HIPAA compliance. Annual or bi-annual training is a great foundation for ensuring your team is up to date on any new policies and procedures.
For any employees who handle PHI, a few other simple ways to avoid HIPAA violations include:
- Never share passwords or login credentials
- Never leave portable devices unattended
- Never send SMS text messages containing PHI
- Don’t throw out PHI in the trash
- Don’t share ePHI on social media
- Don’t access patient records without a valid purpose
- Don’t take medical records with you when changing jobs
- Report potential HIPAA infractions
- Conduct regular HIPAA risk assessments
- Create policies for granting facility access only to necessary employees
- Create policies outlining proper and improper use of company devices such as laptops and mobile devices
- Invest in antimalware and antivirus software
- Keep all antivirus and antimalware software up to date
- Use encryption
- Regularly change passwords on all important devices
- Limit access to devices and data based on employee status
For even more information on how to avoid HIPAA violations, see the infographic below, which outlines disastrous HIPAA cases and their lessons as well as statistics that highlight the importance of HIPAA compliance.
Remember, HIPAA compliance is an ongoing journey. Understanding the ins and outs of how to avoid HIPAA violations will help keep your practice (and your patients’ information) from ending up in the wrong hands.
LYDIA MCALLISTER is a content creator who develops helpful and compelling stories. Her passion for digital marketing and creative writing has led her to cover unique topics ranging from risk and security to healthcare. She calls Texas home and enjoys cooking, catching up on a never-ending to-read list, and traveling in her spare time.