The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to “improve the portability and accountability of health insurance coverage” for employees moving between jobs. Additional objectives of the Act were to fight fraud, waste, and abuse within the health insurance and healthcare delivery sectors. The Act also included sections designed to promote the use of medical savings accounts by introducing tax breaks, to provide healthcare coverage for employees and their dependents with pre-existing medical conditions, and to simplify the administration of health insurance. The last of these encouraged the healthcare industry to computerize patient medical records, a push that was reinforced by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009.
When HIPAA became the law of the land, the US Department of Health and Human Services (HHS) created the first HIPAA Privacy and Security Rules. The compliance date for the Privacy Rule was April 14, 2003, which gave the medical industry the time it needed to accommodate the law. The law defined PHI (Protected Health Information) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
HHS and the US Department of Justice established serious civil financial penalties as well as criminal penalties for non-compliance with the HIPAA Rules.
HIPAA compliance obligations apply both to covered entities and to any business associates involved in creating, storing, sharing, or exchanging PHI. The most common violations of HIPAA that have resulted in financial penalties are:
Failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of PHI.
Failure to enter into a HIPAA-compliant agreement with a business associate.
Disclosures of PHI that were not permissible.
Delayed breach notifications.
Failure to implement safeguards to protect PHI.
The HHS Office for Civil Rights (OCR) investigates and settles egregious violations of the HIPAA Rules and uses the published settlements as a way to raise awareness of HIPAA compliance.
The successful transition of health and medical records to digital form has also exposed them to network breaches, and cybercriminals specifically target healthcare organizations. Even with strong cybersecurity, a data breach can still happen, so a breach is not by itself evidence of a HIPAA violation. Many OCR investigations into data breaches find no violation of the HIPAA Rules and are closed without any action taken.
Methods of Discovering HIPAA Violations
If a healthcare organization is lax about HIPAA compliance, violations can go undiscovered for months or years. This is viewed poorly by regulators, because the longer a violation continues, the higher the penalty. Any entity that handles PHI should conduct regular HIPAA compliance reviews to locate and correct violations and ensure that all information is protected.
A majority of HIPAA violations are discovered by:
OCR (or state attorneys general) investigations into a data breach.
Complaints received about covered entities and business associates that prompt investigations.
HIPAA compliance audits.
10 Most Common HIPAA Violations
Spying on Healthcare Records: This is the access of patient healthcare records for a purpose other than those permitted by the Privacy Rule, namely treatment, payment, and healthcare operations. Snooping on the records of family, friends, neighbors, co-workers, or celebrities is a violation of patient privacy and is the most common HIPAA violation committed by employees. Once discovered, the staff member may be terminated and may face criminal charges, and the healthcare organization may also be fined. An example occurred at a Los Angeles, California healthcare organization that was fined $865,000 for failing to restrict access to medical records, which allowed an individual who knew he was about to be let go to access celebrity medical records without authorization. In that case the individual became the first employee of a healthcare organization to be sent to jail for HIPAA violations.
No Organization-Wide Risk Analysis: A risk analysis that locates potential HIPAA violation risks is a priority across the industry. Because a thorough risk analysis is time consuming and costly, it is often skipped or allowed to go stale, which is why its absence is one of the most common HIPAA violations and one that routinely results in financial penalties. The longer an organization goes without one, the higher the chance that patient data is exposed and the less likely an ongoing violation is to be stopped; it is also an open invitation for attackers to access and steal PHI. One might assume that only smaller healthcare organizations would take the chance and save money by skipping an organization-wide risk analysis, but surprisingly, many large organizations such as hospitals, universities, and even state health and social services agencies have been fined, including $2.7 million in Oregon, $2.5 million in Pennsylvania, $750,000 for a well-known care organization in New York, and $850,000 in Massachusetts.
Lacking a Risk Management Process and Failing to Manage Security Risks: Performing a risk analysis is not enough; the risks it identifies must then be fed into a risk management process, prioritized, and remediated within a reasonable time. Failure in either area is another common HIPAA violation penalized by OCR. Fines can be substantial, as shown by settlements of $1.7 million and $150,000 in Alaska and $650,000 in Massachusetts.
HIPAA-Compliant Business Associate Agreement Failures: A covered entity must have a HIPAA-compliant business associate agreement with every vendor or other business associate that handles PHI on its behalf, and agreements signed before the Omnibus Final Rule (2013) must have been updated to reflect it. Some of the highest penalties for this type of violation have included $750,000 for a clinic in North Carolina, $1.55 million for a hospital in Minnesota, and $400,000 for an organization in New England.
Inadequate ePHI Access Controls: This violation has become more common as more PHI is stored and transmitted electronically. The HIPAA Security Rule requires covered entities and their business associates to ensure that only authorized individuals have access to ePHI. Some of the most notable penalties for these violations have included $16,000,000 for a large health insurance provider, $5,500,000 for a California hospital organization, $1,600,000 for a state organization in Texas, $865,500 for a California university organization, and $111,400 for a Colorado medical center.
Failing to Safeguard ePHI on Portable Devices through Encryption or an Equivalent Measure: Encryption is one of the most effective ways to prevent a lost or stolen device from becoming a data breach, because anyone who steals the data still needs the key to decrypt it. Under the Security Rule, encryption is an “addressable” specification: an organization that decides not to use it must document that decision and implement an equivalent alternative measure to protect the ePHI. Lack of attention to this detail resulted in fines including $3.2 million for a Texas medical center and $650,000 for a Philadelphia religious healthcare services organization.
Missing the Breach Notification 60-Day Deadline: When a breach occurs, the HIPAA Breach Notification Rule requires an organization to issue notifications without unreasonable delay and no later than 60 days after the breach was discovered. Missing that deadline is a common violation and resulted in fines of $475,000 for an Illinois healthcare system and $130,000 for a New York provider.
Any Form of Impermissible Disclosure of PHI: This broad category covers any disclosure of PHI, under any circumstances, that is not permitted by the HIPAA Privacy Rule. It can include disclosure of PHI to an employer, potential disclosure through the loss or theft of a computer, careless handling of PHI, failure to follow the “minimum necessary” standard, or disclosing PHI after a patient authorization has expired. Fines and penalties for this form of violation have included $2.4 million for a Texas health system, $2,200,000 for a New York hospital, $515,000 for a hospital in Massachusetts, and $387,000 for a hospital in New York.
Improper Disposal of PHI: Once PHI or ePHI is no longer required and its retention period has expired, the HIPAA Rules require that the records, whether electronic or paper, be securely and permanently destroyed. Pulping or shredding is typical for paper records; for ePHI, secure wiping, degaussing, or physical destruction of the device is acceptable to prevent data exposure. Organizations that did not comply were fined amounts including $800,000 for an Indiana hospital, $125,000 for a New York university pharmacy, and $100,000 for an Illinois company.
Denial of Patient Access to Their PHI or Exceeding the Time Period to Provide Access: The HIPAA Privacy Rule gives patients the right to access their PHI on request, and covered entities must respond within 30 days (one 30-day extension is permitted if the patient is notified in writing of the reason and the expected date). Denying a patient access to their PHI or failing to provide the records within the allowed time is a HIPAA violation. The most notable penalty of this type was $4,300,000 for a Maryland health insurance provider.
Whether OCR, state attorneys general, or both investigate a HIPAA violation, it may result in the discovery of multiple violations. Violation penalties both financial and criminal are assessed based on the severity of the violation(s), length of time the violation(s) occurred, the number of identified violation(s), and the financial position of the business associate(s)/covered entity(ies).
Healthcare Employees HIPAA Violations
Healthcare staff have onsite access to PHI and are sometimes caught violating the rules by accessing it for purposes other than those permitted for appropriate healthcare. This is another priority reason for ensuring that all staff members receive HIPAA compliance training. Some of the most common of these violations include:
Sending emails containing ePHI to personal accounts.
Removing PHI from the authorized healthcare facility.
Leaving PHI paperwork or portable devices that contain PHI unattended.
Releasing PHI to any individual who is not authorized to receive it.
Releasing PHI without a signed authorization (on paper or on an electronic signature device) or without the correct authorization form.
Revealing PHI to third parties after an authorization has expired.
Disclosing PHI records to anyone who has not been authorized to receive them through a HIPAA authorization form.
Downloading PHI onto devices that are not authorized.
Allowing unauthorized access to medical records by sharing login/password credentials.
Old Pharmacy Practices That Violated HIPAA Privacy
In the early days of HIPAA, pharmacies in the U.S. used their overhead announcement systems to notify a patient that a prescription was ready. This quickly changed once pharmacies were told that the announcement violated the HIPAA Privacy Rule. The same applied to the automated systems that once dialed out to tell an individual that a prescription was ready for pickup. To comply with HIPAA privacy requirements, pharmacies ceased these identifying notifications. Most pharmacies now use electronic notifications through mobile apps that automatically notify only the authorized individual about their prescriptions.