What is classified as a HIPAA Violation?
The Health Insurance Portability and Accountability Act of 1996 is legislation that was brought in make it easier to administer of healthcare, eliminate wastage, stop healthcare fraud, and ensure that workers could maintain healthcare coverage when between jobs.
There have been a number of significant updates to HIPAA to enhance privacy protections for patients and health plan subscribers over the years which help to ensure healthcare data is safeguarded and the privacy of patients is safeguarded. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA breach is a failure to adhere with any aspect of HIPAA standards and provisions listed in 45 CFR Parts 160, 162, and 164.
The combined copy of all HIPAA regulations released by the Department of Health and Human Services Office for Civil Rights runs to 115 pages and includes many provisions. There are hundreds of ways that HIPAA Rules can be breached, although the most typical HIPAA violations are:
- Impermissibly sharing protected health information (PHI)
- Unauthorized viewing of PHI
- Improper deletion of PHI
- Failure to carry out a risk analysis
- Failure to manage danger to the confidentiality, integrity, and availability of PHI
- Failure to implement security measures to ensure the confidentiality, integrity, and availability of PHI
- Failure to keep and review PHI access logs
- Failure to complete a HIPAA-compliant business associate agreement with vendors before giving access to PHI
- Failure to supply patients with copies of their PHI on request
- Failure to put in place access controls to limit who can view PHI
- Failure to disable access rights to PHI when no longer needed
- The disclosure more PHI than is necessary for a particular task to be completed
- Failure to supply provide HIPAA training and security awareness training
- Stealing patient records
- Unauthorized sharing of PHI to people not authorized to receive the information
- Release of PHI online or via social media without permission
- Mismanaging and mismailing PHI
- Sending PHI by text message
- Failure to encrypt PHI or use an different, equivalent measure to prevent unauthorized access/disclosure
- Failure to alert a person (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to record compliance efforts
How are HIPAA Violations noticed?
Many HIPAA violations are noticed by HIPAA-covered bodies through internal reviews. Supervisors may find employees who have breached HIPAA Rules and employees often self-report HIPAA violations and potential violations by colleagues.
The HHS’ Office for Civil Rights (OCR) is the main enforcer of HIPAA Rules and looks into complaints of HIPAA violations reported by healthcare workers, patients, and health plan members. OCR also investigates all covered bodies who report breaches of more than 500 records and carries out investigations into certain smaller breaches. OCR also completes periodic audits of HIPAA covered entities and business associates.
State attorneys general also have the power to investigate breaches and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.
What are Punishments for Violations of HIPAA Rules?
The penalties for violations of HIPAA Rules can be significant. State attorneys general can apply fines up to a maximum of $25,000 per violation category, per calendar year. OCR can apply fines of up to $1.5 million per violation category, per year. Multi-million-dollar financial penalties can, and often are, issued.
While healthcare suppliers, health plans, and business associates of covered bodies can be fined, there are also possible fines for individuals who breach HIPAA Rules and criminal penalties may be appropriate. A jail term for breaching HIPAA is a possibility, with some violations carrying a penalty of up to 10 years in prison.