What is a HIPAA violation, and what happens if you commit one?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that focuses on protecting private patient information. Since medical information is highly sensitive, it requires a comprehensive approach to security.

Healthcare organizations covered by HIPAA need to take measures to comply with this law. Otherwise, they can face significant penalties. Besides financial retribution, violating HIPAA could lead to prison time and serious reputational problems.

Understanding HIPAA violations can help you ensure compliance, protect patients’ data, and avoid penalties.

HIPAA is a comprehensive federal law enacted in 1996 with several key objectives.

HIPAA aims to combat abuse and fraud in health insurance and healthcare service delivery. It protects the integrity of the healthcare system and fosters patient trust. This law also seeks to improve access to long-term care services and health insurance while giving patients affordable healthcare options.

HIPAA consists of the five titles below:

Title I

The first title prevents people from being denied coverage or facing increased premiums due to pre-existing conditions.

By promoting portability and accessibility of health insurance, HIPAA provides protection and peace of mind for employees.

Title II

Title II streamlines the exchange of medical information and promotes efficiency in healthcare operations. HIPAA simplifies healthcare-related processes by establishing uniform standards for electronic transactions (such as claims and eligibility inquiries).

While all HIPAA titles are highly important for the healthcare sector, Title II gets the most attention. Violating this part of the law can have serious consequences.

Title III

Title III extends the scope of the law beyond privacy and security concerns to encompass tax-related provisions aimed at enhancing the affordability and accessibility of health insurance coverage.

Title IV

This title focuses on ensuring the availability and portability of health insurance coverage.

Title V

Title V encompasses provisions related to several topics, including company-owned life insurance and the treatment of those who lose US citizenship for income tax purposes.

Protected health information (PHI) is individually identifiable health information created or processed by a HIPAA-covered entity.

PHI includes any information related to a patient’s health condition, healthcare services the patient receives, and payment for these services.

Here are some examples of PHI:

• Medical records

• Lab results

• Diagnoses

• Treatment plans

• Insurance information

When information is individually identifiable, it means it can be used to identify a person. For example, blood test results that include a social security number point to the patient’s identity.

A HIPAA violation is the failure of the HIPAA-covered entity to comply with the standards listed in the Health Insurance Portability and Accountability Act.

Here are some examples of HIPAA-covered entities:

• Healthcare providers: doctors, nurses, hospitals, clinics, pharmacies, nursing homes, and other healthcare professionals or organizations that provide medical services

• Health plans: health insurance companies, health maintenance organizations (HMOs), employer-sponsored health plans, and government programs that pay for healthcare (such as Medicare or Medicaid)

• Healthcare clearinghouses: third-party entities that ensure the accuracy of information in claims before they are submitted to health insurance companies

• Business associates and their subcontractors: organizations that perform certain functions on behalf of covered entities that involve the use or disclosure of PHI (such as billing companies, IT vendors, or lawyers)

The entities above have to make sure that only authorized parties can access PHI. When the information is discovered by someone without proper authorization, it means that a HIPAA-covered entity has violated the law.

The HIPAA Privacy Rule clearly defines situations when a HIPAA-covered entity can legally disclose PHI. They are:

• Disclosure to the individual: providing PHI to the person whose information it is

• Treatment, payment, and healthcare operations: using PHI to conduct internal treatment, payment, and healthcare activities—for example, a doctor can disclose PHI when they need to consult with another practitioner in the same organization to arrange treatment or write a prescription.

• Permission from the patient: disclosing PHI with the patient’s permission. If the patient is temporarily incapacitated, the HIPAA-covered entity can decide to disclose PHI if doing so is in the patient’s best interest (in the entity’s professional judgment).

• Incidental use and disclosure: accidentally disclosing PHI even if the entity exercises reasonable caution—for example, someone might walk in and overhear a doctor discussing another patient’s blood test results.

In addition, the Privacy Rule allows PHI disclosure without the patient’s permission for “public interest and benefit activities.” It clearly lists 12 situations when this is appropriate. For example, a healthcare provider can release patient data according to a court order, to prevent or control a disease, assist government authorities to help abuse victims, or for certain research purposes.

In all other cases, disclosure leads to a violation and relevant penalties. To avoid penalties, healthcare organizations and providers need a clear understanding of how they should handle PHI. Before disclosing the information, they have to be sure that doing so is allowed by HIPAA.

Intentional versus unintentional HIPAA violations

A HIPAA violation can be intentional or unintentional. An unintentional violation is accidentally disposing of blood test results in a regular trash bin without shredding them. Another example is sending an email with patient data to the wrong recipient.

Meanwhile, an intentional violation involves disclosing PHI to an unauthorized entity for personal gain or with malicious intent.

Both intentional and unintentional HIPAA violations can result in penalties, fines, and legal action.

Penalties for HIPAA violations range from small fines to prison terms. The violation’s severity depends on several factors, including the following:

• Nature of the violation: the violation’s type and extent can determine the punishment. For example, unauthorized access to the records of one patient may be considered less severe than a widespread data breach affecting thousands of people.

• Level of harm: the violation may be considered more severe if it exposes sensitive medical information or leads to identity theft.

• Intention: intentional violations, where there is evidence of willful disregard for HIPAA regulations, are typically viewed more seriously than accidental PHI disclosure.

• Duration: the length of time the violation occurred for and whether it was a one-time incident or a recurring problem can affect severity. Prolonged or repeated violations may call for a more severe punishment.

• Corrective actions and compliance history: taking prompt corrective actions, implementing safeguards, and having a good compliance history can reduce the extent of the penalty.

• The entity’s size and financial state: the HIPAA-covered entity’s financial condition and size can also affect the punishment. For example, a large fine might be decreased if it would cause the entity to go bankrupt.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for determining the severity of HIPAA violations on a case-by-case basis.

HIPAA violations can range from civil to criminal. HHS OCR enforces HIPAA by arranging regular audits and investigations after learning about a violation. In many cases, OCR tries to resolve the violation without imposing punishment. For example, they can recommend corrective action plans.

However, penalties are unavoidable in some cases. When this happens, OCR uses a tiered penalty structure to assess the severity of the problem and impose a relevant penalty.

Civil penalties

There are four tiers of civil penalties. The first tier accounts for minimal penalties, while the fourth tier dictates the biggest punishment.

• Tier 1—lack of knowledge: the HIPAA-covered entity didn’t know (or couldn’t have known through reasonable diligence) about the violation.

• Tier 2—reasonable cause: the entity knew or should have known (through due diligence) that their action or lack thereof would lead to a HIPAA violation. However, the violation wasn’t caused by willful neglect.

• Tier 3—willful neglect, corrected within 30 days: the entity violated HIPAA through willful neglect but took corrective actions within 30 days of the violation.

• Tier 4—willful neglect, not corrected within 30 days: the entity violated HIPAA through willful neglect and didn’t take corrective actions within 30 days of the violation.

Each violation comes with a minimum and maximum fine. There is also a cap on the amount an entity can pay through fines within one calendar year. The amounts change annually according to inflation. They range from around $100 for the minimum tier-one fine to over $1 million for the maximum tier-four fine.

Criminal penalties

Serious HIPAA violations can lead to criminal penalties that are more severe than civil penalties. These can involve prison time.

The three tiers of criminal penalties are:

• Tier 1—wrongful disclosure of PHI: when an individual or entity discloses PHI without “knowing better” (not knowing the rules doesn’t excuse the entity from following them, but can soften the punishment)

• Penalty: a fine, up to a year in prison, or both

• Tier 2—wrongful disclosure of PHI under false pretenses: obtaining protected health information under false pretenses or sharing it without the patient’s permission

• Penalty: a fine, up to five years in prison, or both

• Tier 3—wrongful disclosure of PHI under false pretenses with malicious intent: obtaining and using protected health information for personal gain or malicious action

• Penalty: a fine, 10 years in prison, or both

Fines for all tiers change according to inflation. They currently range from around $50,000 for the first tier and up to $250,000 for the third tier.

Criminal HIPAA violations are handled by the Department of Justice—not by HHS OCR. Based on the above categories, the judge makes a decision about the penalty and its severity.

While HIPAA rules are easily accessible to all HIPAA-covered entities, violations still occur. The most common reasons for these violations are:

• Accessing or sharing PHI without proper authorization or for non-work-related purposes

• Failing to implement appropriate safeguards to protect PHI from unauthorized access

• Neglecting to arrange proper training for employees about HIPAA regulations (a common cause of accidental violations)

• Failing to securely dispose of PHI (not shredding paper records or not wiping electronic devices before discarding them)

• Not notifying affected individuals, the HHS, and (in some cases) the media in the event of a data breach involving PHI

• Denying or delaying a patient’s request to access their own medical records

• Failing to establish business associate agreements with parties that handle protected health information on behalf of a covered entity

• Neglecting to address potential risks and vulnerabilities to the confidentiality of PHI

• Failing to implement appropriate encryption or other security measures to protect electronic PHI from unauthorized access

• Not having documented policies and procedures in place to ensure compliance with HIPAA regulations

HIPAA compliance is an essential aspect of a HIPAA-covered entity’s successful operation. Establishing policies and procedures that foster a compliance environment and teaching all authorized personnel about PHI safety can help you avoid HIPAA violations.

If a violation occurs, the organization must take action to rectify the mistake and notify relevant parties. This way, it’s possible to avoid large penalties and reputational damage.

If gossiping involves sharing protected health information with unauthorized parties, it’s a HIPAA violation.

One of the most frequently violated patient rights is the right to informed consent. This right entails receiving sufficient information from the healthcare provider to make a decision about medical procedures and the course of treatment.