What are HIPAA violations?

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to establish standards for the protection of patients’ health information (Protected Health Information, PHI). For every entity covered by HIPAA, there are strict guidelines governing when PHI may be distributed and what constitutes appropriate practice.

The Office for Civil Rights (OCR), part of the Department of Health and Human Services, oversees HIPAA compliance. Since 2006, when the Enforcement Rule was added to HIPAA legislation, the OCR has had the power to issue fines for HIPAA non-compliance. Alongside state attorneys general, the OCR can issue penalties to those found to have inappropriately shared a patient’s PHI. HIPAA stipulates that, as well as paying financial penalties, covered entities (CEs) must adopt a corrective action plan to bring their policies and practices up to the accepted standard. The HIPAA Omnibus Rule updated the guidelines for how financial penalties are decided. It also complemented the Health Information Technology for Economic and Clinical Health Act (HITECH), which primarily concerns the use and storage of electronic PHI (ePHI).

In some cases, for particularly severe violations, a CE or business associate (BA) may be criminally prosecuted, potentially resulting in a prison sentence. However, such instances are uncommon, with most breaches resulting in a fine.

Any party charged with protecting PHI under HIPAA (all CEs and, since the Omnibus Rule was introduced in 2013, BAs) is also liable to be penalised for non-compliance. These penalties are an additional form of PHI protection, since they serve as a financial deterrent against HIPAA non-compliance.

Common HIPAA Violations

Broadly, HIPAA violations occur when PHI is not adequately protected by a CE or BA. This may or may not involve a breach of PHI: CEs or BAs can be considered HIPAA non-compliant if it is discovered during an audit that they do not have adequate safeguards in place. Thus, parties can be HIPAA non-compliant regardless of whether or not a breach occurred.

HIPAA violations often result from the following:

  • a lack of organisational-level risk analysis regarding the confidentiality, integrity and sharing of PHI
  • a lack of HIPAA-compliant associate agreements (usually involving inadequate Business Associate Agreements, BAAs)
  • unlawful sharing of PHI (deliberate or accidental)
  • failure to report breaches of PHI or to act on breaches (“wilful neglect”)
  • failure to adequately protect PHI

It is important to note that even “accidental” PHI breaches will result in penalties. Such accidental breaches are usually the product of contravening the “Minimum Necessary Rule”, detailed in the Privacy Rule. The rule states that when PHI is disclosed, only the minimum amount of information necessary to complete the task should be passed on. Often, too much information is disclosed, resulting in a breach. As this usually involves a judgement call based on the situation, and what counts as “too much information” can be highly subjective, penalties for such offences are usually lower than those for deliberate sharing of PHI.

Deliberate violations are more nefarious, and range from deliberately selling PHI to black-market buyers to failing to notify the OCR when a breach is discovered. Some amount to deliberate negligence: organisations may elect not to carry out regular risk assessments, deeming them “unnecessary” or too costly. By contrast, the majority of accidental HIPAA breaches will be resolved via action plans or other OCR recommendations.

Though some violations may be accidental, the OCR does not consider “ignorance” a just reason for HIPAA non-compliance. Such “ignorance” can be very costly: in 2017, CardioNet, a medical device monitoring company, was fined a total of $2.5 million by the OCR for ignorance of HIPAA legislation. The company was also found negligent for not completing adequate risk assessments and audits. Because of this, the PHI of over 1,000 patients was unnecessarily put at risk. No data was actually breached, but the threat of a breach is enough to attract a fine.

Data Breaches and HIPAA Compliance

HIPAA assesses whether an incident constitutes a data breach against the following criteria:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

Rarely does a week go by without headlines about high-profile data breaches. Unfortunately, PHI is often a target of such cyber-attacks. Whilst organisations are expected to do everything in their capacity to reduce the risk of data breaches, the OCR recognises that an impenetrable security system is nigh-on impossible. Thus, data breaches that are the result of cyber-attacks are not in themselves considered violations of HIPAA. Nevertheless, it is important that all employees are trained in cybersecurity and can identify threats such as phishing emails or websites harbouring malware.

However, if a data breach occurs and is not reported, that is a violation of the Breach Notification Rule and incurs a penalty. Similarly, if the OCR issues a course of corrective action that is ignored by the CE or BA, they will also be penalised.

Risk Analysis, Business Associates and HIPAA Compliance

Likely the most common violation, the failure to perform an organisation-wide risk analysis of PHI often results in financial settlements with the OCR. Regular risk analysis is necessary to pinpoint vulnerabilities in the organisation’s practices. Without it, potential risks go unaddressed and are more likely to lead to a violation of HIPAA.

Any party that is given access to PHI must comply with HIPAA. Violations of this sort often occur if business associate agreements have not been revised since the Omnibus Final Rule of 2013.

To ensure that a patient’s personal data is adequately protected, all digital messages containing the patient’s information must be encrypted. Though it is not an absolute requirement under HIPAA legislation, failure to encrypt (and thus a failure to maximally safeguard a patient’s PHI) may be used as evidence if a breach occurs.

Texting PHI can be seen as HIPAA non-compliant. If the text message’s content and recipient are deemed non-essential, then the message would be seen as a breach of HIPAA legislation. The security of the message is also considered – if the message is not well encrypted or protected, the text is a violation of HIPAA.

Classifying HIPAA Violations 

Usually, HIPAA violations will be resolved via “voluntary compliance”: the OCR will issue a course of corrective action, and the CE or BA will adopt the advice and thus prevent further violations or breaches. Fines – or even jail sentences – are reserved for more serious cases, usually involving some level of wilful neglect or deliberate negligence. To issue such financial penalties, the OCR assesses the violations based on four categories:

Category 1: The CE or BA had taken steps to comply with HIPAA, but was unaware of the violation and could not otherwise have prevented it. Financial penalty (per violation): minimum $100, maximum $50,000.
Category 2: The CE or BA could not have prevented the violation, but should have been aware of it and was not. Financial penalty (per violation): minimum $100, maximum $50,000.
Category 3: The violation was the result of wilful neglect by the CE or BA, but the party did take steps to mitigate the damage. Financial penalty (per violation): minimum $10,000, maximum $50,000.
Category 4: The violation was the result of wilful neglect with no attempt at mitigation or correction. Financial penalty (per violation): minimum $50,000.

The OCR may waive fines for the first two categories, but cannot once a violation is the result of wilful neglect. Within each category’s range, the OCR determines the appropriate sum based on how the organisation acted, what measures were taken, how long the issue persisted, etc. The nature of the damage caused is also considered.

How fines are applied will also vary. For example, if patients’ records are accessed by unauthorised individuals because of wilful neglect, the CE or BA may be fined for each medical record that was compromised. Conversely, if patients were denied access to their medical records, organisations may be fined for each day access was denied after the request. For each category, the maximum fine that can be levied per year is $1.5 million.

Criminal Penalties for Violating HIPAA

Though rarer, those affected by HIPAA violations have the right to file lawsuits against the negligent party. If resolved through the courts, this may result in criminal charges. These are classified into three tiers, based on the nature of the violation, the damages incurred and the steps taken to mitigate them. Other, general factors are also taken into consideration: the organisation’s history of HIPAA compliance, for example, or how willing it was to engage with the investigation.

Tier 1: Reasonable cause or no knowledge of the violation. Penalty: up to 1 year jail sentence.
Tier 2: Obtaining PHI under false pretenses. Penalty: up to 5 year jail sentence.
Tier 3: Obtaining PHI with malicious intent. Penalty: up to 10 year jail sentence.

Due to the valuable nature of PHI on the black market, more and more employees have been caught stealing PHI and selling it to criminals. The criminal penalties act as a deterrent – as well as the jail sentences, any money made from selling PHI must be refunded to the courts. Employers should also be more cautious: they should enhance security by implementing systems that detect unauthorised access, and establish confidential reporting systems for suspect behaviour.

Attorneys General and HIPAA Violations

With the passing of the HITECH Act in February 2009, State Attorneys General have been able to issue fines and file civil actions in cases of HIPAA non-compliance. The upper ceiling of fines issued by State Attorneys General is lower than that of the OCR, with a maximum of $25,000 per violation.

If a CE or BA operates across state boundaries and is found to be HIPAA non-compliant in multiple states, it may be fined by the attorneys general of all affected states. Since 2009, only the attorneys general of Connecticut, Massachusetts, Indiana, Vermont and Minnesota have used their powers to prosecute HIPAA offenders. However, it can be expected that more State Attorneys General will act in the future to crack down on data thefts.

Sanctioning Employees for Violations 

As well as OCR-enforced penalties, many CEs and BAs will choose to apply sanctions for violations committed by individual employees. The OCR usually deals with the CE as a whole via fines or recommendations, so for smaller breaches CEs may wish to have their own system of sanctions. This may also involve sanctions for failure to report the negligence of another employee. These practices may simply involve further training, increased temporary supervision or even probation. If someone is a repeat offender, or has committed a particularly serious violation, they may be fired. Before this occurs, a full review of the employee’s work practices should take place. Nevertheless, having such sanctions in place will act as an additional strong deterrent against HIPAA violations, especially considering the cost of other violations may be absorbed by the CE or BA.

HIPAA Audits 

The first phase of HIPAA compliance audits took place between 2011 and 2012. Unfortunately, they showed that many CEs were failing to meet the OCR’s compliance standards. Due to the scale of the problem, and the relatively minor nature of the offences, most of the cases were resolved with technical assistance and other recommendations. No CE received a financial penalty for its violations.

In 2016, after much delay, the OCR rolled out its second phase of audits. These audits are not to “catch people out”, per se, but rather to assess the degree of HIPAA compliance and identify any points of HIPAA with which CEs and BAs are still struggling to comply. According to the Department of Health and Human Services’ website, the second phase of the audit program “will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules”. Still, if any breaches are uncovered during the audits, penalties will apply.

During the first phase of audits, the OCR found that the lack of a comprehensive risk assessment was the most common cause of HIPAA violations. Though it may seem like an unnecessary hassle, without this organisation-wide assessment the CE or BA cannot adequately protect its PHI, as it does not know its main vulnerabilities. This is why the OCR puts such an emphasis on them, often issuing financial penalties for the violation.

Business Associate Agreements (BAA) 

Business Associates are any organisation contracted by the CE to carry out some task that brings them into contact with PHI. BAs may also be subcontracted by other BAs. Under HIPAA, before beginning work for a CE, BAs must sign a Business Associate Agreement (BAA) that clarifies their role in the processing of PHI, stipulates how it is to be used and disclosed, and sets out the measures that should be in place to maintain its integrity.

The OCR has ten primary requirements for BAAs to be HIPAA compliant:

(1) establish the permitted and required uses and disclosures of protected health information by the business associate

(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law

(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information

(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information

(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings

(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation

(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule

(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity

(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information

(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

The failure of a BAA to meet all of these requirements can attract substantial fines from the OCR. In 2016, the Care New England Health System was fined $400,000 for HIPAA violations, including the failure to update or revise a BAA signed in 2005. In 2013, the Raleigh Orthopaedic Clinic, P.A., was also issued a $750,000 fine for failing to obtain a BAA when contracting a third-party vendor to process old X-rays.

Five Largest HIPAA Fines of 2017

The following table details the largest HIPAA-related fines of 2017. Though it is rare that fines of that magnitude will be issued, they are illustrative of the severe nature of HIPAA breaches.

Memorial Healthcare Systems: shared login credentials gave unauthorised employees access to PHI. Penalty: $5.5 million.
Children’s Medical Centre Dallas: failure to encrypt devices, which were then removed from the property and subsequently lost. Penalty: $3.2 million.
CardioNet: lack of policies to protect PHI and ignorance of HIPAA requirements. Penalty: $2.5 million.
Memorial Hermann Health System: disclosing the name of a patient who attempted to commit fraud. Penalty: $2.4 million.
21st Century Oncology: inadequate encryption and security protection of PHI. Penalty: $2.3 million.

HIPAA Violations: Summary 

Since its inception in 1996, HIPAA has drastically changed how healthcare providers and related industries approach patient privacy. It continues to be updated in line with recent events and advancements in the field, and keeping up to date with such changes may pose a challenge for some CEs and BAs. Even so, the importance of HIPAA compliance cannot be overstated: as well as threatening patients’ privacy and putting them at risk of becoming victims of fraud, violations also attract substantial penalties from the OCR.

Not all violations are treated equally: as well as being characterised by the nature of the breach (such as how many people were affected, what kind of data was lost, and who accessed the data), the CE’s history of HIPAA compliance and its willingness to engage in investigations are also considered. Many breaches will not result in any financial penalties, instead being resolved via corrective actions or future training. Some extreme cases can, however, result in multi-million dollar fines or even jail sentences. There are some simple things that CEs can do to avoid such penalties – primarily, conducting regular risk assessments and employee training sessions – though the malicious intent of others always poses a threat. The OCR is forgiving of unavoidable breaches caused by cyberattacks, but if someone within the organisation accesses data and sells it for a profit, the most severe penalties will apply.