Those who work in the healthcare industry know: HIPAA compliance is often fiercely enforced by the Department of Health and Human Services, and penalties can be steep.
“Each covered entity is required to implement safeguards to prevent the unauthorized disclosure of PHI. These safeguards will vary depending on the size of the covered entity and the nature of healthcare it provides, but the penalties for failing to safeguard the integrity of PHI can be extremely high. Healthcare organizations that deliberately or negligently fail to adhere to HIPAA privacy laws can be fined up to $50,000 per offense per day,” wrote the HIPAA Journal.
Nevertheless, many health organizations — especially hospitals — struggle to secure protected health information. Here are some of the most common HIPAA violations and the penalties that occur as a result.
Background: What are the HIPAA requirements?
The Health Insurance Portability and Accountability Act (HIPAA) is enforced by the Department of Health and Human Services (HHS) to protect PHI (protected health information).
There are 18 PHI identifiers that make medical information “identifiable” and traceable back to a specific individual. Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, and names of patients, relatives, or employers are all considered identifiers. You can read more about PHI that HIPAA protects in this guide: PHI Compliance: What It Is and How To Achieve It.
HIPAA violations are considered either civil, meaning they were committed without any malicious intent, or criminal (with malicious intent). The very worst criminal violations can lead to a fine of up to $250,000 and jail time of up to 10 years.
While HIPAA requires organizations to safeguard the confidentiality, integrity, and availability of PHI, there are few specifics in the HIPAA regulations as to how to go about securing patient information. Many HIPAA violations are the result of human error and misconfigurations, as well as the way data is shared.
Impermissible uses and disclosures of PHI
One of the most common HIPAA violations occurs when PHI is accessed by those who should not have access. Accessing the health records of patients for anything other than treatment, payment and healthcare operations is a violation of patient privacy.
Often, this violation is committed by employees, rather than hackers (considered to be a separate issue). These employees could simply be curious, or they could be snooping for information on celebrities, family members, and friends. In worst-case scenarios, employees could be selling PHI for personal gain.
“Patients’ digital medical records are 50 times more valuable than financial information, according to cybersecurity experts,” reported the American Medical Association.
Penalties: These types of violations can result in termination of employment, as well as criminal charges for the employees, depending on the motivation behind the inappropriate access. Financial penalties can add up quickly: the University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records after a physician accessed the medical records of celebrities and other patients without authorization.
Failure to perform organization-wide risk analysis
HIPAA requires healthcare companies and those who work with healthcare companies to perform an organization-wide risk analysis.
This analysis aims to determine if there are any vulnerabilities in the organization’s systems that could put PHI confidentiality, integrity, and availability at risk. Businesses that do not carry out this risk analysis create an opportunity for hackers to infiltrate their systems and steal patient data.
Failure to manage security risks and the lack of a risk management process leads to further violations. Risks that are identified in the analysis must then be addressed through a risk management process. Threats and vulnerabilities should be prioritized and addressed in a reasonable time frame.
The HHS has worked with NIST to create the NIST HIPAA Security Toolkit Application. This toolkit helps organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. In addition, the HHS offers a HIPAA Security Risk Assessment (SRA) Tool to help small and medium-sized health care practices and business associates comply.
Penalties: Fines for failing to perform the risk analysis have ranged from over $6 million down to $100,000 for an individual doctor who did not properly secure the practice’s systems.
Lack of patient access to their PHI
HIPAA’s Privacy Rule empowers patients to have access to their medical records on demand. Patients must be able to check their records for errors and get copies of them as needed. Many HIPAA entities face penalties for denying patients copies of their health records or failing to supply those records within 30 days of the request.
Penalties: This HIPAA violation has led to penalties ranging from $3,500 to over $4 million.
Lack of encryption
“Perhaps the most common of all HIPAA violations is the failure to properly secure and encrypt data. In part, this is because there are so many different ways for this to happen,” wrote HIPAA Exams.
This violation is a complicated one for health organizations. Encryption is not mandatory under the HIPAA Rules, but if an organization decides not to use encryption, it must put an alternative, equivalent security measure in its place.
Other times, this violation occurs as a result of human error. When physical charts or files are left in exam rooms where patients might see them, or when a staff member downloads records onto an unsecured mobile device, lack of encryption can cause an issue.
Lack of encryption is often paired with a second violation: device theft. “The OCR estimates that between 2009 and present, up to 50 percent of Americans have had their PHI compromised. A large proportion of these breaches are due to the theft of unprotected and unencrypted mobile devices,” reported HIPAA Exams.
Penalties: In 2010, the HHS was notified that an unsecured device with unencrypted ePHI had led to a breach at the Dallas Children’s Medical Center. This breach involved the loss of ePHI of 3,800 patients. Children’s Medical Center was fined $3.2 million for this incident as well as other violations.
Non-compliant agreements with third parties
Finally, partnership agreements with vendors that are given access to PHI can be the source of many HIPAA violations. The average health organization works with many different vendors, and with the rise of telehealth, this includes many SaaS companies that enable remote work.
It’s important to carefully read the terms and privacy protocols for every platform your organization uses to ensure it is HIPAA compliant. Check out some of these guides we’ve designed to help you get started:
- How to Make Slack HIPAA Compliant in 2022
- Is Docusign HIPAA Compliant?
- Is Microsoft Teams HIPAA Compliant?
- Is Dropbox HIPAA Compliant?
- Is Google Drive HIPAA Compliant?
- Is Zendesk HIPAA Compliant?
- Is Atlassian Cloud HIPAA Compliant?
Penalties: We expect the financial repercussions for sharing PHI on unsecured platforms to rise over the next decade. Recently we’ve seen penalties ranging up to $1.5 million. Make sure to work with a tool like Nightfall to ensure your tools and platforms are HIPAA compliant.
Learn how Nightfall can help achieve HIPAA compliance by setting up a demo at the link below.