
10 Most Common HIPAA Violations

October 8, 2021


HIPAA Violations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to “improve the portability and accountability of health insurance coverage” for employees between jobs. Additional objectives of the Act were to fight fraud, waste, and abuse within the health insurance and healthcare delivery verticals. The Act also included sections designed to promote the use of medical savings accounts by introducing tax breaks, to provide healthcare coverage for employees and their dependents who may have pre-existing medical conditions, and to simplify the administration of health insurance. The latter encouraged the healthcare industry to computerize patient medical records, which was then reinforced by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009.

When HIPAA became the law of the land, the US Department of Health and Human Services created the first HIPAA Privacy and Security Rules. The Privacy Rule requirement for compliance was April 14, 2003, which gave the medical industry the time that it needed to accommodate the law. The law defined PHI (Protected Health Information) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

The US Department of Health and Human Services and the US Attorney General established serious financial and criminal penalties for failure to comply with the strict HIPAA guidelines.

Common HIPAA Violations

Compliance with HIPAA guidelines applies both to the organization and to any business associates involved in the sharing or exchange of PHI (Protected Health Information). The most common violations of HIPAA that have resulted in financial penalties include:

Failure to enter into a HIPAA-compliant agreement with a business associate.

The Department of Health and Human Services’ Office for Civil Rights (OCR) pursues investigations and settlements for egregious violations of the HIPAA Rules and uses the settlements as a way to raise awareness of HIPAA compliance.

Data Breaches

The successful transition of health and medical records to digital/electronic versions has also opened the door to network system breaches. A system breach is viewed somewhat differently because cybercriminals specifically target healthcare organizations. Even with strong cybersecurity, a data breach can still happen, so a data breach is not necessarily considered the result of a HIPAA violation. Many OCR investigations into data breaches have found no violation of the HIPAA Rules and have been closed without any action taken.

Methods of Discovering HIPAA Violations

If a healthcare organization is lax about HIPAA compliance, violations can go undiscovered for months or even years. This is viewed poorly, as the longer the violations continue, the larger the penalty. Any entity that handles PHI should conduct regular HIPAA compliance reviews to locate and correct violations and ensure that all information is protected.

A majority of HIPAA violations are discovered by:

10 Most Common HIPAA Violations

Whether OCR, state attorneys general, or both investigate a HIPAA violation, the investigation may result in the discovery of multiple violations. Penalties, both financial and criminal, are assessed based on the severity of the violation(s), the length of time the violation(s) occurred, the number of identified violations, and the financial position of the business associate(s)/covered entity(ies).

Healthcare Employees HIPAA Violations

Healthcare staff have onsite access to PHI and as such are sometimes caught violating the rules by accessing it for purposes other than those permitted for appropriate healthcare. This is another important reason to ensure that all staff members receive HIPAA compliance training. Some of the most common of these violations include:

Old Pharmacy Rules Violated HIPAA Privacy

In the early days of HIPAA, pharmacies in the U.S. used their overhead announcement systems to notify a patient that their prescription was available. This quickly changed when pharmacies were told that the announcement violated the HIPAA Privacy Rule. The same applied to the automated systems that once dialed out to tell an individual that a prescription was ready for pickup. To comply with HIPAA privacy requirements, pharmacies ceased these identifying notifications. Most pharmacies now use electronic notifications via mobile apps that notify only the authorized individual about their prescriptions.
