The Ultimate Guide to HIPAA Violations

HIPAA violations can crop up from the simple little things you do at the office, clinic, or hospital. From your everyday documentation system to your staffs’ mode of communication, violations of HIPAA are always looming around the corner.

That being said, everyone working in the medical field should treat the HIPAA or the Health Insurance Portability and Accountability Act as a bible. Treating the HIPAA law as an everyday guide would help prevent unintentional HIPAA violations and free you from paying any hefty fines in the future.

As you might have seen from watching the news, professionals in the medical industry often face civil and even criminal charges for violating HIPAA.  Since HIPAA was initially created to protect the privacy and security of patients, it is no wonder why the state and federal government works especially hard to enforce these guidelines and catch violators.

So if you are a professional working in the medical industry, then we highly suggest you stick around and read further. In this article, we would discuss some of the most common HIPAA violations, penalties, and sanctions, and even give you a few case examples.

Understanding HIPAA

Before we further delve into some of the most common HIPAA violations, let us discussed what HIPAA truly is and clear some of the common misconceptions about it.

HIPAA or the Health Insurance Portability and Accountability Act of 1996 is a set of regulations protecting the privacy of certain health information and medical record.

For HIPAA compliance and to prevent unintentional violations, you should know and understand the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.

To put it simply, the Privacy Rule protects individuals’ personal health information and sets a national standard on the uses and disclosures of information.

The Security Rule, on the other hand, requires every practitioner in the medical field to have appropriate administrative, physical, and technical safeguards to ensure the security and availability of every patients’ health information. The Security Rule is also commonly associated with ePHI or electronically protected health information.

The Data Breach Notification Rule is mainly about the requirement to notify all parties in case a HIPAA breach occurs (e.g. hacking incident).

If you have been in the medical industry long enough, then you probably already deduced that the HIPAA is mostly about securing medical records properly and protecting every patients’ health information.

However, since we are still human anyway, there are still some things that you might have missed and certain HIPAA regulations that you might have misunderstood. With that said, we have cleared a few misconceptions about the HIPAA below.

  • For compliance, a written statement is required from the patient before releasing PHI.
  • The HIPAA does not have a medical records retention period
  • Employers with fully insured medical coverage still need to comply with the HIPAA
  • HIPAA preempts different state privacy laws.
  • Employees cannot sue you for HIPPA violations
  • HIPAA is not the only law that governs medical records.

We highly advised you to consult with a legal professional if you need further clarifications on how the HIPAA works.

HIPAA Violations

As we have mentioned before, the HIPAA is a set of stringent guidelines that you should follow in order to prevent sanctions and penalties. HIPAA non-compliance is deemed as a violation and can result in you paying a large number of fines.

If you are included in the list below, then it is your responsibility to perform risk assessment, look out for potential violations, and abide by all the HIPAA rules.

Covered Entities

  • Covered Health Care Provider (e.g. Chiropractors, Clinics, Dentists, Doctors, etc.)
  • Health Plan (e.g. Health insurance companies, Company health plans, HMOs, etc.)
  • Health Care Clearinghouse (e.g. Billing services, Community health management information systems, Repricing companies, etc.)

This also includes any business associates who provide services to these covered entities. Examples of these said services from business associates are accreditation, billing, consulting, financial services, management administration, and many more.

As per the Security Rule, every HIPAA-covered entity and business associate must implement an appropriate measure to ensure the security of ePHI. According to the Centers for Medicare & Medicaid Services, all covered entities should do the following in order to prevent any violations.

  • Ensure the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure that your workforce abide all healthcare compliance regulations

Suggested reading:

Common HIPAA Violations

Impermissible PHI use and disclosure

Given that impermissible disclosure is a common HIPAA violation, the American Medical Association has come up with a 4-factor test for physicians in order to determine the severity and evaluate whether the use or disclosure is more than the necessary PHI.

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification
  2. The unauthorized person (or people) who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Despite the usefulness of these 4-step factor tests, talking to a legal professional would still be the best recourse if an impermissible PHI use and disclosure had happened.

Lack of PHI safeguards

Negligence and lack of oversight can often lead to bigger problems such as stolen laptops, lost USB devices, malware incidents, hacking, office break-in, social media posts from your staff, and many more.

Given that hacking and malware incident is a common occurrence these days, it is worth looking into your system’s security and encryption. Even though encryption is technically not mandatory under HIPAA, it would add another layer of protection and secure all your patient’s health information.

Lack of individuals’ access to their PHI

As per the Privacy Rule, covered entities are required to provide individuals access to their health information upon request. The U.S. Department of Health & Human Services argued that making patient data accessible would empower them to make their own decisions regarding their health and well-being.

Even though avoiding this violation might sound easy, there are a lot of guidelines, regulations, and provisions that you need to follow every time you provide access to their PHI. For example:

  • Individuals have a right under HIPAA to access their health information in human-readable form
  • Individuals have a right under HIPAA to have their PHI downloaded on portable media that they provide
  • Individuals have the right under HIPAA to have copies of their PHI transferred or transmitted to them in the manner they request

You can read more about this here or you can consult with an experienced legal professional to know more.

Sanctions and Penalties for Violators

As we have mentioned before, the federal government, especially the U.S. Department of Health and Human Services, enforces the HIPAA and has actively been trying to deter violators over the years.

To date, the Office for Civil Rights has managed to impose penalties that amounted to $135,298,482.00. The cases involve different types of entities such as pharmacy chains, medical centers, hospital chains, and others. Generally, the civil or financial penalties can range from a minimum of $100 to $50,000 per violation.

As for criminal violation, decisions are treated like any other medicare fraud cases or false claims act violations. It is based on the level of intent as well.

Fines can rack up to $250,000 and you might be even sentenced to prison for up to ten years. According to the Office of Financial Management in Washington, the categories of violation and respective criminal penalty are the following:

  • Knowingly and wrongfully discloses IIHI  – Not more than $50,000 and not more than 1 year in prison
  • Under false pretenses – Not more than $100,000 and not more than 5 years in prison
  • Intent to sell, transfer or use for commercial advantage – Not more than $250,000 and not more than 10 years in prison

Increased HIPAA Violation Discovery

HIPAA enforcement has been active and on the rise over the years because of the following:

  • Increased in civil penalty
  • Mandatory audits of covered entities
  • Whistleblower or the qui-tam-lawsuit provisions
  • Active and further training for State Attorney Generals
  • Continuous criminal prosecution for PHI misuse
  • Breach Mandatory Rule
  • HITECH or the Health Information Technology for Economic and Clinical Health Act clarified the criminal provisions of HIPAA and extend its enforcement to everyone (not just covered entities)

Examples of HIPAA Violations

To further illustrate the enforcement of the HIPAA and how even the little things you do at the office/clinic/hospital matter, we have cited a few examples from the U.S. Department of Health & Human Services website

Impermissible PHI use and disclosure & Lack of PHI safeguards

“A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.  Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI.  The practice trained all staff on the newly developed policies and procedures.  In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.”

Lack of individuals’ access to their PHI

“A patient alleged that a covered entity failed to provide him access to his medical records.  After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee.  The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual.  To resolve this matter, the covered entity refunded the $100.00 “records review fee.”

Lack of PHI safeguards

“A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information.”

Hopefully, you are now able to see the importance of these menial and trivial things through these examples.

We cited the examples above because we wanted to illustrate why HIPAA was created in the first place.

The everyday nuisance and administrative work that medical practitioners tend to brush off before proves to be just as important as the things they do inside the operating or emergency room.

Conclusion

With all that said, HIPAA is more than just the terms and conditions that patients tick off at the end of every form.

Complying with HIPAA is the equivalent of treasuring your patients’ trust. As a healthcare worker, it is also your duty and responsibility to protect your patients’ health information.

If you’re still having a hard time grasping and understanding HIPPA, then you can just reread some of the topics that we have covered:

  • Understanding HIPAA
  • HIPAA Violations
  • Common Violations
    • Impermissible PHI use and disclosure
    • Lack of PHI safeguards
    • Lack of individuals’ access to their PHI
  • Sanctions and Penalties for Violators
  • Increased HIPAA Violation Discovery
  • Examples of HIPAA Violations

Keep in mind that the information we mentioned above is not meant to be comprehensive nor should be construed as legal advice. We still highly recommend you seek guidance and consult a law professional on these matters.

Leave a Comment