Everything you need to know about HIPAA violations (and how to avoid them)

Simar Kohli
January 24, 2022

Introduction

Healthcare data should remain private, but over 40 million patient records were compromised in 2021 alone! Many of the affected organizations were not complying with the Health Insurance Portability and Accountability Act (HIPAA), and faced significant financial and legal penalties for failing to do so. Keep reading to learn what constitutes a HIPAA violation, which violations occur most often, and how to make sure you remain HIPAA compliant.

What is HIPAA?

HIPAA is a set of regulations put forth by the United States Department of Health and Human Services (HHS) to protect people’s medical information and ensure individuals can access their records. These regulations govern how organizations create, store, and transmit protected health information (PHI). PHI is any data containing individually identifiable health information.

What is a HIPAA Violation?

A HIPAA violation is when a covered entity or business associate fails to comply with any component of HIPAA. HIPAA has three main rules governing how protected health information should be handled: the privacy rule, the security rule, and the breach notification rule. Breaking any of the requirements set forth by these rules constitutes a HIPAA violation and must be dealt with immediately. 

HIPAA Privacy Rule

This rule is what one typically thinks of when someone mentions HIPAA. The HIPAA privacy rule defines what constitutes a covered entity or business associate. It also outlines what constitutes PHI, when organizations can use or disclose PHI, and the rights patients have over their medical information. It’s easy to accidentally break the privacy rule, so all healthcare employees should be well aware of the regulations surrounding PHI.

HIPAA Security Rule

This rule creates a set of standards for protecting electronic protected health information (e-PHI). Covered entities must conduct a risk assessment and create a risk management plan to reduce any risks that could affect the confidentiality, integrity, and availability of e-PHI. All organizations that are required to follow HIPAA rules must have administrative, physical, and technical safeguards in place to keep PHI secure. Failure to protect e-PHI is a HIPAA violation.

HIPAA Breach Notification Rule

This rule mandates that covered entities and business associates report any data breaches within 60 days of discovering that a breach has occurred. Unauthorized disclosure of PHI is considered a data breach under HIPAA regulations. Any healthcare organizations that experience a breach must alert any affected individuals, submit a form to HHS, and potentially notify the media.

Most Common HIPAA Violations

Although HIPAA violations come in all shapes and sizes, there are a few examples that happen more frequently than others. Here are some common HIPAA violation examples to know about to help your company stay compliant.

Unauthorized disclosure of PHI

This is the most common form of HIPAA violation. It happens when an employee shares PHI outside the scope of disclosure permitted under HIPAA.

Unencrypted data

HIPAA mandates that PHI be created, stored, and transmitted in a secure fashion. One important aspect of safe data handling is encryption. Data that is stored or transmitted unencrypted can be read by any unauthorized individual who obtains it, exposing private information.

Insufficient risk management

The security rule requires covered entities to conduct risk analyses and create a plan to deal with any risks that could affect PHI. Failing to account for potential risks leaves the door wide open for hackers.

Failure to enter into a HIPAA compliant business associate agreement (BAA)

Covered entities must enter into BAAs with any companies they work with that come into contact with PHI. A BAA outlines both parties' responsibilities and liabilities and is mandated by the HIPAA Omnibus Rule.

Inadequate employee training

HIPAA’s security rule mandates that covered entities and business associates train all employees that have a reasonable likelihood of accessing PHI. Organizations must provide HIPAA privacy training and security awareness (cybersecurity) training.

Different Tiers of HIPAA Violations

Covered entities or business associates that violate HIPAA rules are at risk for a variety of penalties. The severity of these penalties depends on the nature of the HIPAA violation and what steps were taken to remediate it. Criminal charges typically require an element of malicious intent. The HHS Office for Civil Rights (OCR) is prohibited from issuing HIPAA fines to companies that correct violations within 30 days. Here are the various tiers of HIPAA violations and the penalties associated with each.

Categories for Civil Violations

  • Tier 1: Unknowing HIPAA violations: The organization was unaware that a violation happened. The violation may have occurred even though the organization followed HIPAA rules.
  • Tier 2: Reasonable cause HIPAA violations: A violation the organization should have been aware of, but that might have occurred even with proper precautions. There is a reasonable cause for the violation, but not enough to be considered neglect.
  • Tier 3: Willful neglect with correction: The violation occurred due to “willful neglect”, but was corrected within the 30-day period required by HIPAA.
  • Tier 4: Willful neglect without correction: The violation occurred due to “willful neglect” and was not corrected within the 30-day period required by HIPAA.

Civil Penalties

  • Tier 1: $100-$50,000 fine per violation.
  • Tier 2: $1,000-$50,000 fine per violation.
  • Tier 3: $10,000-$50,000 fine per violation.
  • Tier 4: $50,000-$250,000 fine per violation.

Categories for Criminal Violations

  • Tier 1: Knowingly using or disclosing PHI in violation of HIPAA.
  • Tier 2: Knowingly using or disclosing PHI in violation of HIPAA under false pretenses.
  • Tier 3: Knowingly using or disclosing PHI in violation of HIPAA for monetary benefits or personal gain.

Criminal Penalties

  • Tier 1: Imprisonment for up to 1 year and a maximum fine of $50,000.
  • Tier 2: Imprisonment for up to 5 years and a maximum fine of $100,000.
  • Tier 3: Imprisonment for up to 10 years and a maximum fine of $250,000.

How are HIPAA Violations Discovered?

Most HIPAA violations are discovered in one of three ways. The first is when someone inside the organization reports a violation. The next section covers self-reporting violations in more detail.

The second main way HIPAA violations are found is when the organization undergoes an internal audit. All HIPAA covered entities should conduct periodic audits of their policies, procedures, and security systems. Discovering a weakness before a third party does will protect your organization from security breaches and HHS penalties.

The third primary method for discovering HIPAA violations is an audit by the Office for Civil Rights. OCR sometimes audits companies at random, and audited companies must be ready to demonstrate compliance. OCR will also audit companies that have had complaints filed against them.

Self-Reporting Violations

Since HIPAA has exceptions for companies that remediate violations within 30 days, it is important to immediately report any potential HIPAA violations you come across. Reporting all violations, both inadvertent and intentional, enables organizations to solve the issue and protect themselves from increased liability.

If you believe your organization is violating HIPAA, you should inform your privacy officer as soon as possible. Your privacy officer will know the best course of action to take regarding the situation and will work to fix the HIPAA violation.

If you do not feel comfortable raising the issue within your organization, the Office for Civil Rights has a portal for people to report any HIPAA violations. The forms can be submitted anonymously and are intended to protect people from any potential retaliation.

Creating a HIPAA Compliance Program

The best way to prevent violations is by implementing a compliance program to ensure your entire organization is abiding by HIPAA rules. Any healthcare providers or HIPAA covered entities that come into contact with medical records should have a compliance program in place to protect the organization from potential repercussions. 

7 Fundamental Elements of an Effective Compliance Program:

  1. Implementing written policies, procedures and standards of conduct. 
  2. Designating a compliance officer and compliance committee. 
  3. Conducting effective training and education.
  4. Developing effective lines of communication.
  5. Conducting internal audits.
  6. Enforcing standards through well-publicized disciplinary guidelines. 
  7. Responding promptly to detected offenses and undertaking corrective action. 

Effective HIPAA Compliance Training is the Best Way to Avoid Violations

Although employee training is only one of the seven items on the list, it is arguably the most important aspect of preventing HIPAA violations. Many security breaches happen as a result of human error, and properly training employees reduces the risk of those errors. Healthcare workers rarely disclose patient information in violation of HIPAA standards on purpose. Every employer can reduce the risk that an individual commits a violation by offering HIPAA compliance training. It may shock you to learn that one in four healthcare workers aren't offered security awareness training!

Haekka as a Solution to your Compliance Efforts

Haekka is a great option to improve your employee training to prevent any HIPAA violations. Haekka has a large library of content including HIPAA privacy and security awareness training to meet your compliance needs. Haekka is integrated into Slack so employees can learn in the apps they’re already using on a daily basis. If you want to learn more about Haekka, schedule a demo with us today!