What is a HIPAA Violation? + Common Mistakes and Fines

Are you HIPAA compliant? Get the answers you need to stay in compliance and avoid the consequences of failing to follow HIPAA standards.

by Troy Fine

January 07, 2022

More than 40 million patient records were compromised over the past year. Each of those incidents costs patients, and the organizations that serve them, time and resources to manage. If an organization isn't following the mandatory HIPAA rules, it's not a matter of if, but when, it will face threats to patient data and the consequences of a compromise.

In this post, we'll cover what you need to know about common HIPAA violations and what you can do to stay in compliance.

What is a HIPAA Violation?

A HIPAA violation is a failure to comply with any requirement of the HIPAA rules and standards. HIPAA (the Health Insurance Portability and Accountability Act) is the US federal law that sets the legal standard for protecting patient health data. Its Privacy and Security Rules set and enforce standards for protected health information (PHI): individually identifiable health information about a person's past, present, or future physical or mental health condition, the care provided to them, or payment for that care.

It's important that organizations know the HIPAA rules and have processes in place that keep them operating in compliance. Adhering to the rules helps ensure that an organization is protecting the privacy and security of patients' PHI. It also prepares your team to notify affected individuals and HHS, as the Breach Notification Rule requires, when a breach does occur.

According to HHS Office for Civil Rights (OCR) enforcement data, the five issues most often found in cases investigated in 2020 were impermissible uses and disclosures, safeguards, access, administrative safeguards, and technical safeguards.

Here are a few specific examples of control failures related to those top five issues that could lead to a HIPAA violation:

  • Disclosing PHI to a vendor or other third party without a signed Business Associate Agreement (BAA)

  • Failing to terminate a user's access to PHI when it is no longer necessary for their role

  • Theft or loss of patient records, whether on paper or on unencrypted devices

  • Mishandling PHI, such as sending it to the wrong recipient or disposing of it insecurely

  • Failing to complete an appropriate risk analysis

How Violations Get Uncovered

There are many ways that organizations and their employees can violate HIPAA rules. Everything from failing to conduct a risk analysis to allowing unauthorized access to PHI is a violation.

Violations come to light in a handful of ways, but one of these three events typically triggers the discovery:

  • Investigations into a data breach

  • Investigations into complaints about covered entities and/or business associates

  • Compliance audits

OCR can count each day a violation continues as a separate violation, so the penalties your organization faces grow the longer a violation persists. That's why it's critical to conduct internal HIPAA compliance reviews and catch potential problems as early as possible.

What Are the HIPAA Violation Tiers?

The penalty tier that applies depends on how culpable the organization was, and the dollar amount grows with the number of violations and how long they were allowed to persist. Penalties fall into four tiers.

Tier 1

The covered entity or business associate did not know, and by exercising reasonable diligence would not have known, that it was violating a HIPAA provision.

Penalty: $100 to $50,000 per violation

Tier 2

The violation was due to reasonable cause rather than willful neglect: the entity should have known about the violation, but did not act with conscious or reckless indifference.

Penalty: $1,000 to $50,000 per violation

Tier 3

The violation was due to willful neglect, but the entity corrected it within 30 days of discovering it.

Penalty: $10,000 to $50,000 per violation

Tier 4

The violation was due to willful neglect and was not corrected within 30 days. No attempt was made to protect the information or fix the problem.

Penalty: $50,000 per violation

The amounts above are the base figures set in regulation (45 CFR 160.404); HHS adjusts them annually for inflation, and the statute caps penalties at $1.5 million per calendar year for violations of an identical provision. In most resolved cases, the settlement also requires policy changes or a corrective action plan to become and remain compliant.

Examples of Recent Violations and Resolutions

Below are a few recent examples of HIPAA violations that resulted in investigations by the HHS Office for Civil Rights (OCR), financial settlements, and corrective action plans.

Case 1: Timely Access

In May 2020, a parent filed a complaint with OCR alleging that Children's Hospital & Medical Center (CHMC) had failed to give her timely access to her minor daughter's medical records.

Following an investigation, CHMC agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard.

Case 2: Security Rules

In December 2017, OCR opened a compliance review of Peachstate Health Management, LLC to assess its compliance with the HIPAA Privacy and Security Rules. The investigation found systemic noncompliance with the Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of Security Rule policies and procedures.

Peachstate agreed to pay $25,000 and implement a corrective action plan.

Case 3: Data Breach

Excellus Health Plan filed a breach report in 2015 after discovering that hackers had installed malware on its systems and conducted reconnaissance that ultimately led to the impermissible disclosure of the PHI of more than 9.3 million individuals. OCR's investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failure to implement risk management, among others.

As a result, in 2021 the MedAmerica Companies (collectively, "Excellus Health Plan") agreed to pay $5.1 million and implement a corrective action plan.

Make Sense of HIPAA Compliance Processes

Need help planning, automating, and tracking your HIPAA compliance program? Schedule a demo to see how Drata can help.


Troy Fine
Troy Fine is a former auditor with 10 years of experience, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.