Almost every day of the year there is a report of a HIPAA violation, whether in a hospital, at a health plan or by a healthcare professional. But what is HIPAA, and in what ways is it violated?
The Health Insurance Portability and Accountability Act is legislation approved in 1996 which aims for the proper administration of healthcare, the prevention of healthcare wastage and fraud, and the provision of appropriate healthcare coverage to employees. HIPAA has been updated over the years with more specific rules such as the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule and the HIPAA Omnibus Rule.
Any failure to comply with any of the HIPAA rules as detailed in 45 CFR Parts 160, 162, and 164 is regarded as a HIPAA violation. The Department of Health and Human Services’ Office for Civil Rights has published a more concise text, 115 pages long, explaining the many provisions of HIPAA. There are many ways in which covered entities and business associates violate the HIPAA rules. The most common include the following:
- Impermissible protected health information (PHI) disclosures
- Unauthorized PHI access
- Improper disposal of PHI
- Failure to perform a risk analysis
- Failure to manage the risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Lack of monitoring of PHI access logs
- Giving vendors access to PHI without a signed HIPAA-compliant business associate agreement first
- Failure to give patients the copies of their PHI upon request
- Failure to control system access and restrict viewing of PHI
- Failure to revoke employees’ access rights to PHI upon termination of employment
- Disclosing more PHI than is required for performing a particular task
- Lack of training for employees regarding HIPAA Rules or security awareness
- Theft of health records
- Release of PHI to unauthorized recipients
- Sharing of PHI online or via social media without valid patient permission
- Mishandling and mismailing PHI
- Sending text messages (SMS) containing PHI
- Failure to employ encryption or an alternative, equivalent measure to avoid unauthorized PHI access or disclosure
- Failure to send data breach notification to an individual and/or the Office for Civil Rights within 60 days of discovering a breach
- No documentation of compliance efforts
There are different ways of discovering HIPAA violations. One is through internal audits. Sometimes supervisors know about employees who have violated HIPAA Rules and report them. There are also employees who self-report HIPAA violations or potential violations by co-workers. Patients and health plan members may also submit complaints of HIPAA violations.
When the HHS’ Office for Civil Rights receives a complaint of a HIPAA violation, it investigates the issue. It is standard protocol to investigate all data breaches that affect over 500 health records. Smaller breaches may be investigated on a case-by-case basis. OCR also performs periodic audits of covered entities and business associates. State attorneys general may also investigate complaints of breaches.
Penalties for HIPAA violations can be serious. Fines of up to $25,000 per violation category per year can be issued by state attorneys general, while the OCR can issue fines of up to $1.5 million per violation category per year. It is not just healthcare providers, health plans and business associates that are fined for HIPAA violations. Individuals who have been found to violate HIPAA rules may face criminal penalties, including up to 10 years in jail.