A HIPAA violation occurs when an entity covered by HIPAA fails to protect the privacy and security of protected health information (PHI), whether through unauthorized access or disclosure or through failure to implement adequate safeguards, resulting in the potential or actual compromise of patient confidentiality. HIPAA was introduced in 1996 in order to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. HIPAA has seen several notable updates over the years to improve privacy protections for patients and health plan members, with the aim of ensuring that healthcare data is safeguarded and patient privacy is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA violation can be defined as a failure to comply with any aspect of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164. The full text of all HIPAA regulations published by the Department of Health and Human Services Office for Civil Rights contains many provisions and runs to 115 pages. In total, there are hundreds of ways that HIPAA Rules can be violated. The following list contains the most common HIPAA violations:
- Failure to conduct a risk analysis
- Failure to document compliance efforts
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to implement access controls to limit who can view PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to notify an individual (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to provide HIPAA training and security awareness training
- Failure to provide patients with copies of their PHI on request
- Failure to terminate access rights to PHI when no longer required
- Impermissible disclosures of protected health information (PHI)
- Improper disposal of PHI
- Mishandling and mismailing PHI
- Sharing of PHI online or via social media without permission
- Texting PHI
- Disclosing more PHI than is necessary for a particular task to be performed
- Theft of patient records
- Unauthorized access to PHI
- Unauthorized release of PHI to individuals not authorized to receive the information
How HIPAA violations are discovered
Many HIPAA violations are uncovered by HIPAA-covered entities through internal audits. Employees who have violated HIPAA Rules may be identified by supervisors, and employees often self-report HIPAA violations and potential violations by co-workers.
The HHS’ Office for Civil Rights (OCR) is the primary enforcer of HIPAA Rules. OCR investigates complaints of HIPAA violations made by healthcare employees, patients, and health plan members. OCR also investigates all covered entities that report breaches of more than 500 records, and certain smaller breaches may also be investigated. Periodic audits of HIPAA-covered entities and business associates are also conducted by OCR.
State attorneys general also have the power to investigate breaches. State attorneys general often open investigations in response to complaints about potential HIPAA violations and to reports of breaches of patient records.
HIPAA Violation Penalties
Penalties for HIPAA violations can be severe. State attorneys general can issue fines up to a maximum of $25,000 per violation category, per calendar year. OCR can issue fines of up to $1.5 million per violation category, per year. Multi-million-dollar fines can be issued, and indeed have been on a number of occasions.
While healthcare providers, health plans, and business associates of covered entities can be fined, there are also certain situations in which individuals who violate HIPAA Rules may face fines and criminal penalties. It is also possible to receive a jail term for violating HIPAA, with some violations carrying a penalty of up to 10 years.
HIPAA Violation Categories
Tier 1
$100 – $50,000 per violation
Maximum $1.5 million per year
This category applies when the covered entity was unaware of the HIPAA violation and, even through exercising reasonable due diligence, would not have known that HIPAA Rules had been violated.
Tier 2
$1,000 – $50,000 per violation
Maximum $1.5 million per year
This category applies when there is reasonable cause to conclude that the covered entity knew, or should have known through exercising due diligence, about the violation in question.
Tier 3
$10,000 – $50,000 per violation
Maximum $1.5 million per year
This category involves wilful neglect of HIPAA Rules, with the violation corrected within 30 days of discovery.
Tier 4
$50,000 per violation
Maximum $1.5 million per year
As with Tier 3, this category involves wilful neglect of HIPAA Rules. In this case, however, no effort has been made to correct the violation within 30 days of discovery.
Largest HIPAA Penalties
The following is a list of the largest penalties issued to date as a result of a HIPAA violation:
- Anthem Inc., 2018 – $16,000,000
- Advocate Health Care Network, 2016 – $5,550,000
- Memorial Healthcare System, 2017 – $5,500,000
- New York and Presbyterian Hospital & Columbia University, 2014 – $4,800,000
- University of Texas MD Anderson Cancer Center, 2018 – $4,348,000
- Cignet Health of Prince George’s County, 2011 – $4,300,000
- Feinstein Institute for Medical Research, 2016 – $3,900,000
- Fresenius Medical Care North America, 2018 – $3,500,000
- Triple S Management Corporation, 2015 – $3,500,000
- Oregon Health & Science University, 2016 – $3,500,000
- Children’s Medical Center of Dallas, 2017 – $3,200,000
- Cottage Health, 2018 – $3,000,000
- University of Mississippi Medical Center, 2016 – $2,750,000
- Cardionet, 2017 – $2,500,000