What is a HIPAA Violation? + Common Mistakes and Fines
More than 40 million patient records were compromised over the past year. This impacts patients and organizations across the country by taking time and resources to manage these issues. If organizations aren’t following the mandatory HIPAA guidelines, it’s not a matter of if, but when they will deal with threats to patient data and the consequences of compromise.
In this post, we’ll cover everything you need to know about common HIPAA violations and what you can do to stay in compliance.
What is a HIPAA Violation?
A HIPAA violation is a failure to comply with an aspect of HIPAA rules and standards. HIPAA (Health Insurance Portability and Accountability Act) is the legal standard for patient health data protection. The goal of HIPAA is to set and enforce security standards for protected health information (PHI)—which is patient data that relates to past, present, or future physical or mental health or healthcare payment.
It’s important that organizations are aware of the HIPAA rules and that they have processes in place to help them operate in compliance. Adhering to HIPAA rules will help ensure that an organization is protecting the privacy and security of patients’ PHI. It also prepares your team to alert individuals and institutions in the case of an incident of noncompliance.
The top five issues in investigated cases in 2020 were impermissible uses & disclosures, safeguards, access, administrative safeguards, and technical safeguards.
Here are a few specific examples of control failures related to the top five issues that could lead to a HIPAA violation:
Impermissible disclosures of PHI to a third party without a signed Business Associate Agreement
Failure to terminate access to PHI when no longer necessary
Theft of patient records
Failure to complete an appropriate risk assessment
How Violations Get Uncovered
There are many different ways that organizations and their employees can violate HIPAA rules. Everything from failure to conduct risk analyses to allowing unauthorized access of PHI is a violation.
While there are a handful of ways that people discover violations, one of these three events will typically bring a HIPAA violation to light:
Investigations into a data breach
Investigations into complaints about covered entities and/or business associates
The penalties your organization can face grow as any HIPAA violation persists. That’s why it’s critical to conduct HIPAA compliance reviews internally to ensure that you’re catching any potential problems as early as possible.
What Are the HIPAA Violation Tiers?
The penalties that an organization faces depend on the severity of the violation. Financial consequences will result from significant violations or if you’ve allowed them to persist over a long period of time. Penalties are categorized into four tiers:
These violations are not intentional. The person or entity in question might have been ignorant of a specific rule or standard and did not know they weren’t in compliance.
Penalty: Minimum fine of $100 per violation up to $50,000
These violations are not intentional, but it’s a case where the individual should have known about the violation before it took place.
Penalty: Minimum fine of $1,000 per violation up to $50,000
In this tier, the activity is negligent. The person or entity is aware of the violation and must take quick action to reduce penalties.
Penalty: Minimum fine of $10,000 per violation up to $50,000
The highest level of violation and proven to be willful or negligent. No attempt was made to protect information or correct the violation.
Penalty: Minimum fine of $50,000 per violation
Most of the time, the resolution lies in policy changes or creating a plan to become compliant.
Examples of Recent Violations and Resolutions
Below, we list a few recent examples of HIPAA violations that resulted in investigations by the Office of Civil Rights (OCR), fines, and pushed organizations to implement corrective action plans.
Case 1: Timely Access
In May 2020, a parent filed a complaint with the OCR alleging that Children’s Hospital and Medical Center (CHMC) had failed to provide her with timely access to her minor daughter’s medical records.
Following an investigation, CHMC agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Case 2: Security Rules
In December 2017, OCR initiated a compliance review of Peachstate Health Management, LLC to determine its compliance with the HIPAA Privacy and Security Rules. OCR’s investigation found systemic noncompliance with the HIPAA Security Rule. The investigation claimed failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.
Peachstate agreed to pay $25,000 and implement a corrective action plan.
Case 3: Data Breach
In 2015, Excellus Health Plan first filed a breach report. Hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals. OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, implement risk management, and more.
As a result, the MedAmerica Companies (collectively “Excellus Health Plan”) agreed to pay $5.1 million and implement a corrective action plan in 2021.
Make Sense of HIPAA Compliance Processes
Need help planning, automating, and tracking your HIPAA compliance program? Schedule a demo to see how Drata can help.