Rarely does a week pass without media coverage of yet another HIPAA violation caused by the action or inaction of some hospital, insurer, or healthcare worker. These reports often omit the details of what exactly occurred, which leaves many of us asking: what, precisely, counts as a HIPAA violation?
What is defined as a HIPAA violation?
Introduced in 1996, the Health Insurance Portability and Accountability Act, or HIPAA, marked a seismic shift in how the healthcare industry was regulated. It standardized certain administrative transactions, reduced the waste caused by the existing system, made great strides in tackling insurance and healthcare fraud, and gave millions of people the security of continued healthcare coverage while they were between jobs.
HIPAA has been modified and affected by the passage of other laws since its introduction, with perhaps the most important changes coming in relation to data protection and privacy safeguards for patients. Such changes were introduced and strengthened by the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
HIPAA violations may come in many forms, but in a nutshell, a HIPAA violation is defined as a failure to comply with any aspect of HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.
The United States Department of Health and Human Services' Office for Civil Rights (OCR) is the main body that enforces the HIPAA Rules and levies civil penalties for violations. State Attorneys General can also bring cases under HIPAA. The full text of these regulations runs to over 100 pages with numerous stipulations, so there are many potential violations that can be committed by uninformed, careless, or unscrupulous actors. The most common breaches of the HIPAA Rules include the following:
- Impermissible disclosures of protected health information (PHI)
- Unauthorized accessing of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to provide patients with copies of their PHI on request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when no longer required
- Disclosing more PHI than is necessary for a particular task to be performed
- Failure to train employees on HIPAA Rules or the failure to provide security awareness training
- Theft of patient records
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and mismailing PHI
- Texting PHI over unsecured channels
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
- Failure to notify affected individuals (and, where required, the Office for Civil Rights) of a breach of unsecured PHI within 60 days of the discovery of the breach
- Failure to document compliance efforts
How are HIPAA violations found?
HIPAA violations may be discovered through internal audits, external audits, patient complaints, or whistleblowers, among other ways. The penalties are hefty. Violations are classified into four tiers according to the level of culpability, and depending on the tier the responsible party can face fines of up to $50,000 per violation, with an annual cap of $1.5 million for identical violations (the base figures set by the HITECH Act, which are adjusted for inflation each year).