What is considered a HIPAA Violation?

A landmark piece of legislation, the Health Insurance Portability and Accountability Act of 1996 was enacted to simplify the administration of healthcare, reduce waste, prevent healthcare fraud, and ensure that employees could keep their existing healthcare coverage when moving between jobs.

Over the years, HIPAA has been updated several times to strengthen privacy and security protections for patients and health plan members, ensuring that healthcare data and patient privacy are safeguarded. These updates are known as the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.

A HIPAA violation is a failure to comply with any of the standards and provisions of HIPAA set out in 45 CFR Parts 160, 162, and 164.

The combined text of the HIPAA regulations published by the Department of Health and Human Services' Office for Civil Rights (OCR) runs to 115 pages and contains a large number of provisions. There are hundreds of ways to violate the HIPAA Rules, but the most common violations are:

  • Impermissible disclosure of protected health information (PHI)
  • Accessing PHI without adequate authorization
  • Failure to dispose of PHI properly
  • Failure to conduct a risk analysis
  • Failure to address identified risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement security measures to ensure the confidentiality, integrity, and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors before allowing them access to PHI
  • Failure to provide patients with copies of their PHI on request
  • Failure to implement access management controls governing who can view PHI
  • Failure to revoke access rights to PHI when they are no longer needed
  • Allowing access to more PHI than is necessary to complete a particular task
  • Failure to provide HIPAA and security awareness training to staff
  • Theft of patient records
  • Unauthorized release of PHI to individuals who are not authorized to receive it
  • Sharing PHI on the Internet or via social media without permission
  • Mishandling PHI or sending it to the wrong email recipient
  • Sending PHI via SMS
  • Failure to encrypt PHI, or to implement an equivalent alternative measure, to prevent unauthorized access or disclosure
  • Failure to notify affected individuals (or the Office for Civil Rights) of a breach of PHI within 60 days of its discovery
  • Failure to document compliance efforts

How are HIPAA Violations Found?

Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated the HIPAA Rules, and employees often self-report violations or report potential breaches by colleagues.

The HHS' Office for Civil Rights is the main enforcer of the HIPAA Rules and investigates all complaints of HIPAA violations submitted by healthcare workers, patients, and health plan members. OCR also investigates every covered entity that reports a breach affecting 500 or more individuals, and investigates certain smaller breaches as well. In addition, OCR conducts periodic compliance audits of HIPAA-covered entities and business associates.

State attorneys general also have the authority to investigate HIPAA violations. Their investigations are often triggered by complaints about potential violations and by reports of breaches of patient records.

What Fines for Violations of HIPAA Rules are Possible?

The fines for violations of the HIPAA Rules can be very high. State attorneys general can impose fines of up to $25,000 per violation category, per calendar year. OCR can impose fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be, and have been, imposed.

While healthcare providers, health plans, and business associates of covered entities can be fined, individuals who violate the HIPAA Rules can also be fined, and criminal penalties may apply. A prison sentence for violating HIPAA is possible, with the most serious violations carrying a term of up to 10 years.