
What is a HIPAA Violation? Fines, Examples, and Compliance

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created federal standards for protecting patient health information from disclosure without patient authorization.[1] HIPAA’s Privacy Rule governs the use and disclosure of patient health information by entities subject to HIPAA regulations. Its Security Rule safeguards protected health information (PHI) held in electronic form.

HIPAA violations can be costly—financially and reputationally—for healthcare practices, so avoiding them is imperative to a practice’s success. The sections below explain what exactly constitutes a HIPAA violation, so you can ensure you and your healthcare practice avoid costly violations.

What is a HIPAA Violation?


A HIPAA violation occurs when there is a failure to comply with standards outlined in the Health Insurance Portability and Accountability Act. That’s the technical definition. For practical purposes, there are hundreds of ways in which violations may take place.

Often, supervisors discover employees have violated HIPAA rules and report said violations. Additionally, employees may report coworkers they suspect of violations. Internal audits frequently bring HIPAA violations to light as well.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for investigating and enforcing HIPAA’s privacy and security rules.[2]

HIPAA Violation Consequences, Penalties and Fines

Anyone violating HIPAA regulations faces potentially severe consequences.[3] Penalties are tier-based. At the lowest level, Tier 1 covers those who were “unaware of the HIPAA violation” and may not have known that rules were violated.

At the other extreme, Tier 4 covers violations that involve willful neglect and in which no attempt is made to rectify the violation within 30 days of discovery.

Civil penalty

State attorneys general may issue fines of up to $25,000 per violation category, per calendar year. The Office for Civil Rights may issue fines of up to $1.5 million per violation category, per year.

Criminal penalty

If found guilty, you could face jail time. Although rare, there are violations, like those of Tier 4, that could put a person behind bars for up to 10 years.

HIPAA Violation Example Cases

HIPAA violations run the gamut. For instance, one hospital adopted new procedures for telephone messaging in order to become HIPAA compliant after an employee left a message with a patient’s daughter detailing the patient’s medical condition and treatment plan.[4] In another case, computer screens in a waiting room displaying sensitive patient information were visible to everyone present.

These are just two of many examples. Other HIPAA violations often involve:

1. Lost or stolen device

Protected Health Information (PHI) may be compromised in a number of ways. One of the most common ways is through lost or stolen devices. A cellphone used for work may contain the medical information of hundreds of patients.

2. Unauthorized access

Unauthorized access is another top cause of HIPAA violations. You can reduce it by setting up an access-control system that restricts employees to the records of the cases they actually work on.

3. Lack of employee training

Arguably, nothing compromises HIPAA security more than a lack of employee training. Robust HIPAA compliance training is paramount.


4. Accessing PHI from an unsecured location

In an era when many people work from home, accessing PHI from an unsecured location poses an even greater risk. Mitigate this risk by issuing dedicated laptops to those working away from the office, and ensure these laptops are always used in a secure, private location.

5. Disposal of PHI

Proper disposal of PHI is critical. Employees cannot simply throw out patients’ medical records; paper records require shredding, and electronic records must be thoroughly wiped from hard drives.

6. Unencrypted data

All sensitive data requires encryption. That includes having staff communicate sensitive details through encrypted messaging apps rather than by ordinary text message.

7. Getting hacked

Protect yourself from hackers by keeping your anti-virus software up to date, encrypting data, and changing passwords regularly.

HIPAA Violation Reporting

You can report a HIPAA violation by contacting the OCR. You may also contact the state’s Attorney General, a HIPAA Privacy Officer, or an attorney.

How to Avoid a HIPAA Violation

Staying proactive helps to avoid HIPAA violations. That includes keeping employees current on HIPAA compliance training and establishing a HIPAA-compliant policy for the use of personal devices. Employees well-versed in HIPAA compliance standards are less likely to violate HIPAA.

Conduct a HIPAA risk assessment

HHS notes there are numerous methods for conducting a HIPAA risk analysis. One recommended method is by using the Security Risk Assessment Tool provided by


Do you still have questions about HIPAA violations? You may find the answer below, where we’ve compiled some of the most common questions regarding HIPAA violations.

Is it a HIPAA violation to ask about vaccinations?

HIPAA covers vaccine information. However, HIPAA applies to healthcare providers, plans, and clearinghouses. It does not apply to most employers.[5]

In most cases, an employer may ask for proof of vaccination from an employee if it pertains to wearing facemasks or similar safety protocols. However, the employee’s healthcare provider cannot give the employer that information without employee authorization.


Who can violate HIPAA?

Healthcare providers, healthcare plan providers, and healthcare clearinghouses may violate HIPAA. Clearinghouses are entities that process nonstandard health information into standard data content or formats. Business associates of health-related entities, such as those engaged in billing or claims processing, may also violate HIPAA.

Is telling a story about a patient a HIPAA violation?

In telling a story about a patient, a healthcare provider must avoid certain identifiers if they have not obtained patient consent.[6] There are a total of 18 such identifiers. The basic identifiers include name, address, age, and Social Security number.

If the patient has been dead for at least 50 years, their health information is no longer protected under HIPAA.

Can a patient sue for a HIPAA violation?

No, a patient cannot sue.[7] However, state regulations do vary. It may be possible to take legal action on the grounds of negligence. An example is the covered entity failing to protect patient medical records.

How long do you have to report a HIPAA violation?

HIPAA violations must be reported within 180 days of discovery.[8] However, the reporting deadline may be extended under certain circumstances when there is a good reason for the delay.

Can you get fired for an accidental HIPAA violation?

A HIPAA violation is grounds for termination.[9] However, much depends on the violation’s severity. An accidental HIPAA violation may not get you fired.

For example, suppose you accidentally view a patient’s medical records without authorization. If you report the inadvertent viewing immediately and no patient harm results, that is generally treated as an internal disciplinary matter and may not lead to firing. Still, much depends on the specific circumstances.

What do you do if you are accused of a HIPAA violation?

If accused, you should launch an investigation immediately. Try to correct the issue within 30 days.

You may appeal an alleged HIPAA violation by requesting a hearing before an administrative law judge.

Keep in mind that filing a false claim is a crime. If someone tried to frame you by misusing medical records, that person or entity may find themselves in serious trouble.

Final Thoughts: Avoiding HIPAA Violation Penalties

A HIPAA violation can occur at any point in the patient’s experience, from their checking in with the receptionist to their receiving an invoice for medical services. This is why the implementation of HIPAA-compliant strategies, including secure online invoicing software, is crucial to the success of healthcare practices. As noted, keeping employees up to date with the latest training and having a policy in place for dealing with potential violations is the best way to avoid penalties. Document, document, document to protect yourself.


  1. Centers for Disease Control and Prevention. “Health Insurance Portability and Accountability Act of 1996 (HIPAA)”. Accessed February 10, 2022.
  2. U.S. Department of Health and Human Services. “Guidance on Risk Analysis”. Accessed February 10, 2022.
  3. HIPAA Journal. “What is a HIPAA Violation?”. Accessed February 10, 2022.
  4. U.S. Department of Health and Human Services. “All Case Examples”. Accessed February 10, 2022.
  5. HIPAA Journal. “Is it a HIPAA Violation to Ask for Proof of Vaccine Status?”. Accessed February 10, 2022.
  6. Johns Hopkins Medicine. “The Right to Write About Patients”. Accessed February 10, 2022.
  7. HIPAA Journal. “Can A Patient Sue for A HIPAA Violation?”. Accessed February 10, 2022.
  8. HIPAA Journal. “How to Report a HIPAA Violation”. Accessed February 10, 2022.
  9. HIPAA Journal. “Is a HIPAA Violation Grounds for Termination?”. Accessed February 10, 2022.