Summary: This article digs into Health Care Accountability and Portability Act (HIPAA) violations. Discover what they are and get examples of typical HIPAA violations in healthcare. Plus, learn how breaches are detected and reported and what you can do to protect your organization. After reading this article, you’ll clearly understand what violates HIPAA regulations and be able to identify easily avoidable violations. You’ll also learn which organization enforces HIPAA, how to file a complaint, and how to self-report breaches when required.
What Is a HIPAA Violation?
HIPAA violations occur when an organization runs afoul of the standards defined by this 1996 U.S. Federal legislation. Many HIPAA violations are related to accessing or sharing patients’ protected health information (PHI). However, violations can also include items such as not training staff or monitoring access logs.
HIPAA laws aim to modernize healthcare information in an era of digital records. They delineate patient data privacy regulations by requiring security measures around access to healthcare information with three primary rules:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) administers HIPAA. Since HIPAA’s debut in 1996, the U.S. Congress has augmented it with updates like the 2009 HITECH Act.
Its rules affect “covered entities”:
- Insurance companies
- Healthcare clearinghouses
- Cash-only providers who don’t do business with insurance organizations
They also apply to vendors that provide services to healthcare providers and might come into contact with PHI.
Examples of the 12 Most Common HIPAA Violations
What is considered a HIPAA violation? HIPAA violations span a wide range. They even include accidental HIPAA violations, for example, losing a personal cell phone that allows access to workplace applications. Sadly, being unintentional doesn’t make a breach any less damaging. However, many breaches stem from an imperfect understanding of what constitutes a violation. For example, one organization was fined when it had a third party convert x-rays to a digital format without a business associate agreement in place to ensure HIPAA regulations were met.
Since 2003, OCR has investigated almost 300,000 potential HIPAA privacy rule violations. Yet many healthcare employees still don’t know what constitutes a HIPAA violation, despite the high stakes for these types of violations in the workplace. For example, any breach of HIPAA rules can result in a $50,000 fine. And obtaining PHI with reasonable cause or with no knowledge of a violation can potentially result in jail time. To avoid these penalties, knowing examples of HIPAA violations by employees—and examples of HIPAA violations by employers—is crucial.
Categories of HIPAA breaches
HIPAA breaches can occur inadvertently or intentionally. Let’s look at the 12 common categories of breaches:
- Lack of HIPAA compliance training: Compliance training is required, as well as documentation of that training. Failure to provide either one often leads to a violation.
- Failing to perform an organization-wide risk analysis: You must perform this analysis to get detailed information about your organization’s vulnerabilities. The HIPAA Security Rule Toolkit can help you identify which areas to assess.
- Medical record mishandling: Stepping away from exposed computer screens or leaving paper records visible on your desk increases the chance that unauthorized third parties view PHI. It’s also common to leave physical charts in hospital rooms after a patient has moved. Increase security by requiring locked screens and using digital records. Also, develop a system to protect patient files from public view.
- Using unencrypted technology to share PHI: Do not share patient files in unsecured channels. In one HIPAA violation example, providers sent unencrypted PHI via email to patients. Use only devices and platforms that are protected and encrypted.
- Failing to plan for cyber attacks: Cyber attacks are increasingly common with so many records stored in the cloud. Ensure databases are secure and cloud providers have processes to avoid, detect, and contain breaches.
- Failing to get proper authorization to share records: Train employees to get written consent to share records in circumstances unrelated to treatment and billing. Also, train them to avoid sharing personal information without a patient’s consent, such as with the patient’s family.
- Failing to safeguard devices that might be stolen: Many cash-only providers believe the privacy rule doesn’t apply to them. But many common ways to share data don’t involve insurance and health management organizations. Computers are at high risk of theft, and because digital devices contain protected patient information, a stolen device is a common source of this violation. Protect these devices in advance so that if a theft occurs, patient files are inaccessible: encrypted and secured with robust access permissions. Consider all types of devices where you keep records: computers, computer disks, phones, and USB drives.
- In-person discussions about patients: Casual discussions about patients violate HIPAA when they aren’t related to necessary treatment information and when they happen within earshot of employees who aren’t essential to that treatment. These unintentional HIPAA violations are examples of “gossip” HIPAA violations. Collaborations to treat a patient are acceptable, but make sure they happen privately.
- Disclosing incorrect patient information: In busy practices, simple human error is common in transferring records. When sharing patient records with non-providers, destroy faxes, delete emails, and don’t share other patient information. Create a habit of double-checking records before errors occur.
- Improper disposal of PHI, digitally and physically: For authorized agents, shred physical records before taking them to the trash. With digital files, learn how to delete patient records entirely from hard drives. These situations are examples of physical HIPAA violations.
- Social sharing: Social media comes with various pitfalls for healthcare workers. For example, social posts have the power to make private hospital moments public. They also allow for potential sharing between patients, care providers, and the broader community. Minimize social sharing that involves the organization or patients.
- Forgetting a business associate contract: Vendors who work with covered entities and might access PHI must have a contract that requires HIPAA compliance. Don’t overlook this requirement.
Complex examples of HIPAA violations
For some issues, HIPAA violation examples are less clear. For example, is losing medical records a HIPAA violation? Some outcomes of record loss can violate HIPAA. According to HIPAA, patients have a right to their medical records within 30 days of a request; failure to provide them is a HIPAA violation. Losing a device or record that exposes patient records to unauthorized actors is also a HIPAA violation.
In another example of what qualifies as a HIPAA violation, law enforcement and military agencies can sometimes face a penalty for a HIPAA violation—but not always. Law enforcement agencies aren’t covered entities. However, if they operate their own medical service, they can face HIPAA violation fines for that service.
What about HIPAA military requirements? The military exception means care providers can disclose PHI to military personnel to determine fitness for duty or a particular mission.
How Are HIPAA Violations Discovered?
In 2020 alone, 29.3 million health records were compromised. For the most part, responsible employees of covered entities reported these HIPAA violations to OCR. Covered entities can also uncover violations through internal auditing and self-reporting. Of course, co-workers also have a hand in reporting HIPAA violations in the workplace.
OCR’s own audits of covered entities and their business associates also reveal violations. OCR maintains an audit pool through random selection, pre-screening questionnaires, and pool selection. These audits can also occur due to a complaint or because the covered entity helps represent a cross-section of U.S. healthcare providers.
What happens after a HIPAA complaint is filed? OCR decides whether the complaint warrants investigation. It notifies the organization against which a complaint is filed. Next, it requests information related to its investigation of the claim. Covered entities must comply with OCR requests regarding HIPAA violation complaints. HIPAA stipulates that an entity should not retaliate against you for filing a complaint. Victims of retaliation can contact OCR for guidance. After an investigation, OCR finds covered entities compliant or requires them to take corrective action.
A resolution agreement is a settlement between OCR and the covered entity (or business associate) for remediation. It typically includes bringing violations into compliance and periodic reporting to HHS. It can also carry civil HIPAA non-compliance penalties.
How to Avoid HIPAA Violations
Covered entities and individual healthcare workers have different concerns about HIPAA violations. The breadth of this law means organizations must focus on systems and training, while employees need ways to proactively protect themselves and their careers.
Tips for covered entities
Avoiding HIPAA violations means being prepared for audits and making sure you have policies to address areas of concern in your risk analysis. Here are some items to address:
- Regularly perform a comprehensive risk analysis.
- Train employees and store records of employee training.
- Ensure business associate contracts specify HIPAA compliance; also keep track of the policies you have in place with these vendors.
- Know where you store PHI, how it’s accessed, and what policies are in place to protect it.
Tips for employees, providers, and contractors
OCR has guidance for professionals about their requirements under HIPAA. Training employees on common violations is a primary way to ensure your organization avoids HIPAA violations. Address the following areas:
- Establish a protocol to check authorization requirements before disclosing medical information to avoid HIPAA violations by health care staff.
- Address where discussions of patient information can occur.
- Train contractors not to share login credentials, not to leave physical files or devices unattended, and never to share patient information on unencrypted devices.
- Limit social media. Examples of social media HIPAA violations include employees posting hallway pictures in a healthcare facility that can compromise patient privacy in ways they never considered. Address removing current patients as contacts from social media platforms.
- Designate a privacy and compliance officer to help manage questions, training, reports, and risk analyses. Even small organizations benefit.
How StrongDM Helps You Avoid HIPAA Violations
While your IT department has a small part to play in making sure your organization moves patient charts from room to room, it has an outsized role in protecting digital PHI. And with cybersecurity threats to healthcare institutions up 150% since the COVID-19 pandemic, its role in managing digital assets has become more critical.
That news provides little comfort to victimized entities. They’re often liable for losing patient records under HIPAA, with hefty settlement fees, and they incur significant costs to secure the systems they rely on to provide patient care. Crucial cybersecurity steps, like StrongDM’s infrastructure access platform, help prevent these breaches.
Securing access to critical infrastructure is at the heart of the StrongDM platform, helping upgrade security for PHI. With an infrastructure access platform, covered entities get:
- Just-in-time (JIT) access to needed records. Not only does it prevent hacking, it ensures employees aren’t misusing records by accessing them when there’s no immediate need.
- Auditing of sessions. Logging, alerts, and monitoring are inherent in the platform, making it possible to demonstrate an organization’s commitment to managing its records. IT, security, and compliance teams can quickly investigate HIPAA breaches and limit damages.
- Granular control of vendor and employee access such as one-click onboarding and offboarding, so unauthorized users never have access to sensitive files. It’s part of a secure, comprehensive authentication, authorization, networking, and auditing architecture.
HIPAA standards require covered entities to implement processes and procedures to detect and correct security violations. Access management solutions give teams a way to meet that standard. StrongDM creates administrative controls to provide employees only the permissions they need while preventing unauthorized users from accessing records.
HIPAA Violations: Frequently Asked Questions
Many frequently asked questions (FAQs) about HIPAA center on the process when an organization has a breach, a patient or employee needs to file a complaint, or OCR audits an organization. Yet, organizations and their employees should be confident they’re not intentionally violating HIPAA regulations. Follow the guidance in our FAQs to help your organization and employees be in the know.
Where to report a HIPAA violation?
Who do you report HIPAA violations to? File a complaint with HHS. Anyone can file a complaint, and it's easy to find out how to report HIPAA violations. The simplest way to get started is through the online complaint portal. File complaints within 180 days of the violation, although HHS makes exceptions if you can demonstrate a good reason.
How to report a HIPAA violation anonymously?
OCR requires the name and contact information of those filing complaints to start an investigation. However, you can download the complaint form and mail it to OCR without your contact information, which can result in no action taken against the covered entity.
A better option is to stipulate that OCR keeps your information private. By refusing to consent to reveal your identity, you can protect yourself from backlash, and your name won’t be given to the entity if OCR initiates an investigation.
Is a HIPAA violation a crime?
Yes, a HIPAA violation is a crime. Even seemingly minor items on the list of HIPAA violations can come with steep criminal HIPAA violation penalties. For willfully violating rules, individuals can face HIPAA violation fines from $50,000 to $250,000, plus restitution. HIPAA violation consequences can also include jail time of up to ten years. What happens when you violate HIPAA? Civil fines for HIPAA violations by individuals start at $100 and can be as high as $25,000 for multiple infractions.
Is a HIPAA violation grounds for termination?
Yes, HIPAA breach penalties can result in termination. However, if the breach was accidental and “in good faith,” HIPAA rules do not designate the breach as reportable. The results of an internal investigation, the scope of the breach, and the employee’s role in it are all factors in the ultimate outcome. Penalties for violating HIPAA can range from criminal liability to increased organizational security and training.
Who can commit a HIPAA violation?
HIPAA rules apply to covered entities that work with PHI and to their contracted vendors who may access that data. So, can a non-medical person violate HIPAA? Yes, absolutely. Here’s who can violate HIPAA:
- Business associates of covered entities who might work with PHI
- Healthcare clearinghouses
- Healthcare providers and hospitals
- Health plans
- Volunteers, interns, contractors, and trainees of any covered entities or business associates
Who can sue for a HIPAA violation?
OCR offers guidance for individuals about their rights under HIPAA. However, patients cannot sue covered entities for violations of HIPAA alone. Individuals have some options to recover damages when they suffer harm following a privacy breach. They can bring a case against a provider on a related issue when they suffer provable injuries. Most often, the answer to whether you can sue for HIPAA violations is no. Lawsuits involving HIPAA stem from OCR and state attorneys general who take action against violators. They protect future individuals from harm but don’t provide relief for an affected individual.
When to self-report a HIPAA violation?
Breaches that demand reporting under HIPAA involve unsecured PHI that’s accessed in a way that violates the privacy rule. When that violation occurs, business associates and individuals need to report breaches to covered entities within 60 days. If the breach involves fewer than 500 records, covered entities have 60 days to report it to HHS, but organizations must report larger breaches immediately.
Manage Access and Protect Patients
Managing permissions, monitoring systems, and keeping up with compliance are long-term commitments. StrongDM makes them a little easier by automating least-privilege access, centralizing logging, and locking down your PHI to make it easier to stay HIPAA-compliant.
See how StrongDM protects your PHI from HIPAA violations. Start a 14-day free trial.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.