
Understanding HIPAA violations

Last updated

1 September 2023

Author

Dovetail Editorial Team

If you are involved in the healthcare industry in any way, paying attention to Health Insurance Portability and Accountability Act (HIPAA) regulations is crucial. Violating these rules can land you in serious trouble. Civil money penalties start at $100 per violation and run to $50,000 per violation (base amounts that HHS adjusts for inflation each year), with an annual cap for each type of violation. Knowingly obtaining or disclosing protected health information in violation of HIPAA is a separate federal crime that can carry fines and imprisonment.

It’s not always easy to comply with HIPAA directives. The regulations change occasionally, so you have to stay up to date.

This article takes a deep dive into HIPAA violations, exploring the types, examples, penalties, and various ways to report a breach. It also highlights crucial tips for avoiding HIPAA violations and protecting your healthcare organization.

What is a HIPAA violation?

A HIPAA infringement, or violation, is a failure to meet the standards of the HIPAA Privacy, Security, and Breach Notification Rules, the regulations issued under the 1996 HIPAA statute. Those rules restrict the wrongful disclosure of, and improper access to, patients’ protected health information (PHI).

The law also outlines strict regulations for when it is acceptable to divulge PHI and to whom.

The Department of Health and Human Services (HHS) administers this law via its Office for Civil Rights (OCR).

The rules were last substantially revised by the Omnibus Final Rule of 2013, which implemented changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including the tiered civil penalty structure described below and direct liability for business associates.

Who has to follow HIPAA regulations?

HIPAA applies to covered entities and to their business associates. Covered entities are:

  • Health plans, including health insurers, HMOs, employer group health plans, and government programs such as Medicare and Medicaid

  • Healthcare clearinghouses, which translate claims and other transactions between formats

  • Healthcare providers that transmit health information electronically in connection with a standard transaction, for example by sending claims electronically

  • Medicare prescription drug card sponsors

Business associates (BAs) are the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity’s behalf, such as billing companies, IT and cloud hosting providers, and document shredding services. Since the Omnibus Rule, BAs are directly liable for their own HIPAA compliance.

Types of HIPAA violations

HIPAA violations occur in many ways. For civil money penalties, OCR sorts them into four tiers based on the violator’s level of culpability, not on the size of the breach:

Tier 1: Lack of knowledge

This tier covers violations the covered entity or business associate did not know about and, exercising reasonable diligence, would not have known about. For instance, an employee sends an email to the wrong recipient even though reasonable safeguards were in place.

These violations attract the lowest fines.

Tier 2: Reasonable cause

This tier covers violations that have a reasonable cause but do not rise to willful neglect, for instance where a gap in procedures or training led to a PHI breach even though the organization was trying to comply.

Tier 3: Willful neglect, corrected

This tier covers violations caused by conscious or reckless disregard of HIPAA requirements. For instance, a health plan fails to respond promptly to security incidents it knows about.

The distinguishing feature is that the violation is corrected within 30 days of the date the entity knew, or should have known, about it.

Tier 4: Willful neglect, not corrected

This tier covers willful neglect that is not corrected within that 30-day window. For instance, a records handler repeatedly fails to implement safeguards for PHI despite being warned about the vulnerabilities.

These violations carry the highest fines.

The 12 most common HIPAA infringements

HIPAA breaches are diverse and include accidental infractions, for instance a breach that results from losing a personal cell phone holding patient data. An unintentional violation is no less harmful to the patient.

Most violations result from an imperfect understanding of what amounts to a violation, despite the serious penalties involved. Civil penalties can reach $50,000 per violation (base amount, adjusted annually for inflation). Separately, knowingly obtaining or disclosing PHI in violation of HIPAA is a federal crime, with higher maximum penalties where the offence involves false pretenses or an intent to sell the information, gain commercial or personal advantage, or cause malicious harm.

Familiarizing yourself with cases of HIPAA violations by both employers and employees can help you avoid breaking the rules yourself. Below are the 12 most common scenarios that lead to PHI breaches:

  1. Failure to perform an organization-wide risk analysis. The Security Rule requires an accurate and thorough assessment of the risks to electronic PHI, and a missing or out-of-date risk analysis is one of the findings OCR cites most often in its settlements. The HIPAA Security Rule Toolkit and the HHS Security Risk Assessment (SRA) Tool can help you determine key assessment areas.

  2. Lack of HIPAA compliance training. Training your staff about HIPAA regulations and documenting that training is an enforced requirement. Failure to offer training is a violation.

  3. Mishandling medical records. Leaving paper records on your desk or stepping away from an unlocked screen lets unauthorized people view PHI. Lock screens automatically after a short idle period, keep paper records out of public view, and store them in locked cabinets when unattended.

  4. Failure to plan and prepare for cyberattacks. Hacking and ransomware account for most of the large breaches HHS reports, and moving records to the cloud does not remove that risk. Maintain and rehearse an incident response plan, keep offline backups of electronic PHI, and make sure cloud providers that store or process PHI are under a business associate agreement with documented controls for preventing, detecting, and containing breaches.

  5. Sharing PHI using unencrypted technology. Avoid sharing patient data over channels that do not encrypt it. In one HIPAA violation case, providers sent unencrypted PHI to their patients by email. Encryption is also the main safe harbor in the Breach Notification Rule: PHI encrypted in line with HHS guidance is not “unsecured PHI”, so losing an encrypted laptop or message is not a reportable breach, while losing the same data unencrypted usually is.

  6. Failure to seek proper authorization before sharing sensitive data. Train your staff to obtain a valid written authorization before disclosing PHI for purposes other than treatment, payment, and healthcare operations. The Privacy Rule does permit some disclosures to family members involved in a patient’s care, but staff should not assume a disclosure is permitted; when in doubt, withhold the information and ask the privacy officer.

  7. Social sharing. Social media presents numerous risks to healthcare professionals. For example, social posts can make private hospital moments public. They also increase the chances of information disclosure between caregivers, patients, and the general public. Minimize social sharing that involves patients and your organization.

  8. Failure to safeguard devices that are at risk of being stolen. Laptops, phones, external drives, and USB sticks holding PHI are frequently lost or stolen. Use full-disk encryption on every such device, require strong authentication to unlock it, and enable remote wipe where the platform supports it. An encrypted device that is lost with its key intact is not a reportable breach; an unencrypted one almost always is.

  9. Disclosing incorrect patient information. In a busy practice, a simple human error when transferring records, such as attaching the wrong patient’s file, becomes a violation. Make double-checking records a habit, confirm fax numbers and email addresses before sending, and never include another patient’s details in the same transmission. Retrieve or destroy misdirected faxes and emails promptly and document what happened.

  10. In-person discussions about patients. Casual conversations about patients can result in a violation when the discussions are not related to relevant treatments or occur within earshot of employees who are not involved in that treatment.

  11. Improper physical or digital disposal of PHI. Shred or pulp paper records before discarding them. For electronic media, deleting files or reformatting a drive is not disposal: the data remains recoverable. Sanitize or destroy the media in line with NIST Special Publication 800-88, the media sanitization guidance HHS points to, for instance by cryptographic erase of an encrypted drive or by physical destruction, and keep a record of what was sanitized.

  12. Forgetting a business associate contract. Vendors who partner with covered entities and have access to PHI should have a contract that shows they have to comply with HIPAA regulations.
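Several of the items above, in particular 5 (unencrypted channels) and 9 (misdirected disclosures), come down to one gate a sending system can enforce: refuse to put text that looks like PHI onto a channel that is not encrypted in transit. The Python below is an added example written for this page; it is not code from Dovetail or from HHS. The identifier regexes, channel names, and the sample message are all constructed for illustration. A regex screen of this kind catches obvious identifiers and serves as a backstop behind a proper DLP product and TLS-enforced transport; it is never proof that a message is PHI-free.

```python
"""Pre-send gate: refuse to put PHI-looking text onto an unencrypted channel.

Added example for this article, not code from Dovetail or HHS. Patterns,
channel names and the sample message below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed patterns for four of the HIPAA identifier types: SSN, medical
# record number, date, phone. Regexes both under- and over-match; they flag
# likely identifiers, they do not prove that a message contains PHI.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.IGNORECASE),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


@dataclass(frozen=True)
class Channel:
    name: str
    # True only when encryption is enforced end to end (TLS-required portal,
    # S/MIME). Opportunistic STARTTLS on a mail relay does not qualify, since
    # it silently falls back to plaintext when the peer does not offer TLS.
    encrypted_in_transit: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    identifiers: Tuple[str, ...]  # identifier types found, sorted


def find_identifiers(text: str) -> Tuple[str, ...]:
    """Return the sorted identifier types whose pattern appears in text."""
    return tuple(sorted(k for k, p in IDENTIFIER_PATTERNS.items() if p.search(text)))


def redact(text: str) -> str:
    """Mask matches so an audit log of a blocked message does not itself leak PHI."""
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()}]", text)
    return text


def gate(text: str, channel: Channel) -> Decision:
    """Allow plain text anywhere; allow PHI-looking text only on an encrypted channel."""
    found = find_identifiers(text)
    if not found:
        return Decision(True, "no identifier patterns found", found)
    if channel.encrypted_in_transit:
        return Decision(True, f"identifiers present; {channel.name} enforces encryption", found)
    return Decision(False, f"identifiers present; {channel.name} is not encrypted in transit", found)


# Constructed sample: a discharge note carrying several identifier types.
SAMPLE_MESSAGE = (
    "Pt John Doe, MRN 00123456, DOB 03/14/1962, SSN 123-45-6789, "
    "callback 555-867-5309, follow up in two weeks."
)
PLAIN_EMAIL = Channel("mail relay with opportunistic STARTTLS", encrypted_in_transit=False)
PATIENT_PORTAL = Channel("patient portal over enforced TLS", encrypted_in_transit=True)

if __name__ == "__main__":
    for channel in (PLAIN_EMAIL, PATIENT_PORTAL):
        d = gate(SAMPLE_MESSAGE, channel)
        # Log the redacted text only; the raw message must not reach the log.
        print(f"{'ALLOW' if d.allowed else 'BLOCK'}: {d.reason} {d.identifiers}")
        print("  ", redact(SAMPLE_MESSAGE))
```

Two design points matter more than the patterns. The channel property is a statement about enforced encryption, not about whether TLS is merely available, because a relay that can fall back to plaintext is the unencrypted case from the patient’s point of view. And the gate logs only the redacted text: a blocked-message log that quotes the SSN it blocked has just copied PHI into a place it should not be. Note that the sample still contains the patient’s name after redaction; names are one of the identifier types these regexes do not attempt to catch, which is why this is a backstop rather than a PHI detector.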

How are HIPAA violations discovered?

Over 40 million cases of compromised medical records were reported in 2022 alone. Most violations come to OCR’s attention in two ways: complaints filed by patients, employees, and others, and the breach reports that covered entities and business associates are required to submit. Covered entities also discover violations through their own internal audits and access monitoring.

OCR also finds violations through compliance reviews opened after a complaint or breach report, and through its periodic audit program, for which it selects covered entities and business associates from a pool built from pre-screening questionnaires.

How to avoid HIPAA violations

Individual healthcare staff and covered organizations have different concerns regarding HIPAA violations. The breadth of this legislation means companies have to focus on training and systems, while employees need mechanisms to protect themselves and their careers.

Tips for covered entities

Having policies that cover areas of concern in your risk analysis and being ready for audits can help you avoid HIPAA violations. The following tactics can also help:

  • Regularly conducting a comprehensive risk analysis

  • Specifying HIPAA compliance in your contracts with business associates and keeping track of your vendor policies

  • Conducting proper employee training and storing the relevant records

  • Knowing where you keep PHI, its access protocols, and protection policies

Tips for employees, providers, and contractors

OCR guidance for professionals helps employees, providers, and contractors know their HIPAA obligations. The following tactics can help prevent violations by individuals in this category:

  • Having a protocol in place to inspect authorization requirements before disclosing PHI

  • Taking conversations about patients out of waiting rooms, hallways, and elevators, and keeping them to the people involved in the patient’s care

  • Training contractors to avoid sharing login details, leaving physical devices or files unattended, and sending patient details using unencrypted devices

  • Limiting social media by implementing rules for posting content while inside the organization’s premises. For example, posting hallway pictures can significantly compromise patient privacy. You should also consider removing current patients as contacts on social media platforms.

  • Designating a privacy and compliance officer to deal with questions, training, reports, and risk assessments

Is a HIPAA violation a crime?

Not in most cases. The great majority of HIPAA violations are civil matters, handled by OCR through corrective action plans and civil money penalties of $100 to $50,000 per violation (base amounts, adjusted for inflation). Knowingly obtaining or disclosing individually identifiable health information in violation of HIPAA is a separate federal crime prosecuted by the Department of Justice, with maximum fines of $50,000 to $250,000 and up to ten years’ imprisonment depending on whether the offence involved false pretenses or an intent to sell the data, gain commercial or personal advantage, or cause malicious harm.

Is a HIPAA violation grounds for termination?

Yes. A HIPAA violation can lead to termination, and many employers treat certain violations, such as snooping on records, as grounds for immediate dismissal. The Breach Notification Rule does exclude some good-faith mistakes from the definition of a reportable breach, for instance when a workforce member acting in good faith and within their authority unintentionally accesses PHI and does not use or disclose it further, but that exception concerns reporting to HHS, not employment. The final outcome depends on the employee’s role in the breach, the result of the internal investigation, and the infringement’s scope.

Who can sue for a HIPAA violation?

OCR issues guidance for individuals about their rights under HIPAA, but the law gives patients no private right of action: they cannot sue a covered entity for a HIPAA violation as such. Enforcement rests with OCR and the state attorneys general, and their settlements and penalties aim at future compliance rather than at compensating the people affected.

Despite this, patients have several options to seek compensation for any damages, including initiating a lawsuit when they have suffered provable injuries.

When to self-report a HIPAA violation

Under the Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach and must be reported unless a documented risk assessment shows a low probability that the PHI has been compromised.

A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery.

The covered entity must notify the affected individuals without unreasonable delay and within 60 days of discovery. Breaches affecting 500 or more individuals must also be reported to HHS within that 60-day window and to prominent media outlets in the affected state or jurisdiction. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Where to report a HIPAA violation

The best way to report a HIPAA violation is to file a complaint with the OCR. This is easy to do using the online complaint portal, and anyone can do it.

Don’t wait more than 180 days to file your complaint. The HHS does make exceptions in cases with a good reason for the delay.

Reporting a HIPAA violation anonymously

To start an investigation, the OCR requires the name and contact information of the individual reporting a violation. If you want to make an anonymous report, download the complaint form and mail it to the OCR without your contact details. Note that this could result in no action being taken against the covered organization.

FAQs

What is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule outlines provisions and procedures for investigating and enforcing HIPAA regulations, including issuing fines for breaches.

What patient right is violated most often?

The right to privacy of protected health information is often violated, most often through improper handling or unauthorized disclosure of medical records.

What is the highest HIPAA penalty?

Willful neglect of HIPAA regulations can incur penalties of up to $1.5 million per identical violation category per calendar year (base amount; the inflation-adjusted figure is higher).

What is the difference between HIPAA authorization and informed consent?

HIPAA authorization refers to specific written consent permitting the release of PHI. In contrast, informed consent refers to a situation where a patient confirms they understand and agree to certain medical procedures and treatments.

How do I check my HIPAA compliance?

You can perform risk assessments, train your staff, ensure policies and procedures align with regulations, and consider third-party evaluations or audits to verify your HIPAA compliance.
