Seven Very Common HIPAA Violations and How to Avoid Them

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) holds companies operating in the healthcare sector in the United States accountable for ensuring the privacy and security of protected health information (PHI). Failure to adhere to the HIPAA standards can result in a violation enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

This article discusses seven very common HIPAA violations and provides tips on how to avoid them and remain compliant with the privacy and security regulations.

Quick HIPAA Overview

Two rules form the core of the HIPAA regulations.

• The HIPAA Privacy Rule was established to protect patients’ medical records and personal health information. The rule defines safeguards designed to protect PHI as well as how the information can be shared without patient authorization. Covered entities and business associates responsible for following the HIPAA standards are also defined in this rule.

• The HIPAA Security Rule is concerned with electronic personal health information that is used by a covered entity. PHI transmitted in writing or orally is not covered in this rule. Administrative, physical, and technical safeguards are defined to protect the security and confidentiality of electronic protected health information (ePHI). They require that ePHI is robustly protected and requires the workforce of covered entities and business associates to be properly trained in following HIPAA standards.

Penalties for HIPAA Violations

Failure to comply with HIPAA exposes companies and individuals to civil and criminal penalties. The penalties for violating HIPAA regulations vary based on the type and severity of the offense. These criteria are employed when determining the extent of the penalty:

• The nature of the violation.
• If knowledge existed that HIPAA rules were being violated.
• If actions were taken to correct the violation.
• If HIPAA rules were violated maliciously or for personal gain.
• The amount of harm or damage caused by the violation.
• The number of individuals affected by the violation.
• If the criminal provisions of HIPAA have been violated.

Four tiers are used to determine the dollar amount of civil penalties for breaking HIPAA rules.

	Minimum penalty per violation	Maximum penalty per violation	Annual cap on financial penalties
No Knowledge	$100	$50,000	$25,000
Reasonable cause	$1,000	$50,000	$100,000
Willful neglect that has been corrected	$10,000	$50,000	$250,000
Willful neglect that was not corrected	$50,000	$50,000	$1,500,000

Criminal penalties can be assessed to individuals who violate the Privacy Rule by knowingly obtaining or disclosing PHI of up to $50,000 and a one-year prison term. If false pretenses are involved in obtaining the PHI, the penalties increase to $100,000 and up to five years imprisonment. When the perpetrator intends to sell the PHI they can face a $250,000 fine and up to 10 years in prison.

No company or individual wants to face these penalties. The way to bypass these penalties is to ensure HIPAA compliance.

Avoiding These Seven Common HIPAA Violations 

The extensive safeguards put in place by the Security and Privacy Rules all need to be followed to maintain HIPAA compliance. This can be an expensive proposition as companies need to implement new internal oversight, data handling, and access procedures. Remaining compliant can be challenging and there are many ways an organization can find itself facing HIPAA penalties. 

Let’s look at seven common HIPAA violations and identify how they can be avoided by covered entities and business associates in the healthcare field. In each case, one or more of the administrative, technical, and physical safeguards have been neglected to some degree.

1. Failure to Perform an Organization-wide Risk Analysis

This is one of the most common violations resulting in financial penalties. Without regular risk assessments, companies will be unaware of any vulnerabilities that affect the integrity, confidentiality, and availability of PHI. Therefore, the risks will persist and threaten the security and privacy of patients’ sensitive information.

The remedy for falling victim to this violation is to perform annual risk assessments that fulfill these requirements:

• Identify the systems that store, transmit, or process ePHI.
• Identify vulnerabilities that can result in data breaches that put ePHI at risk.
• Assess and document all threats and the security measures in place.
• Assign risk levels associated with all identified threats and vulnerabilities.

Very large financial penalties have been levied against companies for failure to perform the necessary risk assessments. Fines have been imposed on major healthcare organizations and individual medical practitioners.

2. Lack of a Risk Management Process

Vulnerabilities discovered as the outcome of a risk analysis needs to be addressed promptly to avoid a HIPAA violation. Companies need to prioritize the resolution of any issues identified during the risk analysis. Failing to address known vulnerabilities will result in offenders falling into the most excessive penalty tiers. 

The solution to this problem is to quickly attend to all issues uncovered in an organization’s risk analysis. This should be a priority for companies processing ePHI wishing to avoid HIPAA penalties. 

3. Implementing Insufficient ePHI Access Controls

Another common HIPAA violation that often results in financial penalties is the failure to adequately protect access to ePHI. Organizations that fail to protect access to patients’ health records risk allowing unauthorized personnel to compromise the information. 

Several steps need to be taken to address this violation. They include:

• Restricting access to ePHI to authorized users.
• Verifying the identity of all individuals requesting access to ePHI.
• Using secure communication methods and encrypting data at rest and in transit.

4. Failure To Enter into A HIPAA-Compliant Business Associate Agreement

Companies need to enter into a HIPAA-compliant business associate agreement (BAA) with all vendors with access to ePHI. The failure to obtain this agreement is a common way companies violate HIPAA rules. Reliable vendors should be willing to sign this agreement which defines:

• The type of ePHI the vendor can access.
• How the vendor will use and protect the information.
• Actions the vendor will take in the event of a data breach involving ePHI and patient notification.

Companies can avoid this violation by ensuring a valid BAA is in place.

5. Restricting Patient Access To PHI

Patients are afforded the right under HIPAA to access medical records and obtain copies on request. Failure to provide this access or overcharging for requested copies is a violation that can result in financial penalties.

Avoiding this violation requires organizations to provide access and copies within 30 days of the request. Security measures need to be taken that ensure only authorized individuals access the patient data.

6. Lack Of Safeguards to Protect ePHI

An overall lack of the safeguards necessary to protect ePHI is a common violation that can take many forms. Some examples of insufficient safeguards include:

• Improperly disposing of media containing ePHI.
• Failure to implement encryption to protect sensitive data.
• Insufficient staff training.
• Enforcing security measures to protect against the theft of devices containing ePHI.

Companies need to fully understand the required safeguards and make sure they are implemented across all systems associated with ePHI to avoid this violation. 

7. Exceeding The 60-Day Deadline for Issuing Breach Notifications

Security breaches need to be reported to covered entities, individuals whose data has been compromised, and the HHS. Companies that do not perform the necessary reporting within a 60-day deadline from when the breach was discovered violate the HIPAA Breach Notification Rule.

This common violation is easily avoided by making timely notifications in the event of a data breach.

HIPAA violations can be costly. Compliance rules are clearly defined, and it is an organization’s responsibility to abide by them. Since our sensitive personal health data is in play, violators should be prosecuted and made accountable for mishandling it.