The most frequently penalized HIPAA violations are the failure to conduct an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to execute a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI.
The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of the HIPAA Rules. Settlements are also used to highlight common HIPAA violations and to raise awareness of the need to comply with specific aspects of the HIPAA Rules.
This article covers 10 of the most common HIPAA violations that have led to settlements with covered entities and their business associates in recent years.
What are the 10 Most Common HIPAA Violations?
1. Snooping on Healthcare Records
Viewing patients’ health records for reasons other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is a violation of patient privacy. Snooping on the healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When detected, these violations usually lead to termination of employment but could also result in criminal charges for the employee involved. Fines for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible, as the University of California Los Angeles Health System discovered.
2. Failure to Perform an Organization-Wide Risk Analysis
The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If a risk analysis is not carried out regularly, an organization cannot determine whether any weaknesses in the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to attackers.
3. Failure to Control Security Risks / Lack of a Risk Management Process
Performing a risk analysis is essential, but it is not merely a checkbox item for compliance. The risks that are identified must then be fed into a risk management process: they should be prioritized and remediated within a reasonable time frame. Knowing about risks to PHI and failing to address them is one of the most common HIPAA violations penalized by the Office for Civil Rights.
4. Failure to Complete a HIPAA-Compliant Business Associate Agreement
The failure to execute a HIPAA-compliant business associate agreement with every vendor that is provided with, or given access to, PHI is another of the most common HIPAA violations. Even when business associate agreements are in place for all vendors, they may not be HIPAA compliant, especially if they have not been revised since the Omnibus Final Rule.
5. Insufficient ePHI Access Controls
The HIPAA Security Rule requires covered entities and their business associates to restrict access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several fines.
6. Failure to Use Encryption or an Equivalent Measure to Secure ePHI on Portable Devices
One of the most effective ways of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key needed to decrypt the data is also compromised. Encryption is not mandatory under the HIPAA Rules, but it cannot simply be disregarded: if the decision is taken not to use encryption, an alternative, equivalent security measure must be implemented in its place.
7. Exceeding the 60-Day Deadline for Sending Breach Notifications
The HIPAA Breach Notification Rule requires covered entities to issue breach notifications without unreasonable delay, and in no case later than 60 days after the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations.
8. Impermissible Sharing of Protected Health Information
Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can lead to a financial penalty. This violation category includes disclosing PHI to a patient’s employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, failing to adhere to the ‘minimum necessary’ standard, and disclosing PHI after a patient’s authorization has expired.
9. Improperly Destroying PHI
When physical PHI and ePHI are no longer needed and retention periods have expired, the HIPAA Rules require the information to be securely and permanently destroyed. For paper records this could mean shredding or pulping; for ePHI, it could mean degaussing, securely erasing, or physically destroying the electronic devices on which the ePHI is stored, so that impermissible disclosures are prevented.
10. Denying Patients Access to Health Records / Exceeding the Deadline for Providing Access
The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and to share them with other entities and individuals. Denying patients copies of their health records, overcharging for copies, or failing to provide those records within 30 days is a violation of HIPAA. While this is not one of the most common HIPAA violations to warrant a financial penalty, OCR has stated that it will be cracking down on this area of noncompliance in 2019.