In 1996, the Department of Health and Human Services adopted national standards for securely managing health information. Called the Health Insurance Portability and Accountability Act, or HIPAA, these strict guidelines require all healthcare employees and every medical center to carefully manage protected health information (PHI). PHI includes any identifiable information by which someone could recognize an individual, including:
- Contact information
- Medical history
- Lab and test results
- Insurance information
… and more. HIPAA encompasses the following four rules that control how protected healthcare information is safeguarded and managed.
- Privacy Rule: Instructions regarding an individual’s right to manage how their identifiable health information is used
- Security Rule: A series of guidelines to safely manage the confidentiality, integrity, and accessibility of electronic PHI as it’s created, distributed, managed, and received
- Enforcement Rule: Provisions for holding covered entities and associates accountable through financial penalties and court procedures
- Breach Notification Rule: Requirements for when and how covered entities and business associates notify related parties about a breach of PHI
As technology continues to serve as a catalyst for improving patient outcomes, engagement, and satisfaction, it’s more important than ever that the healthcare industry understands how to comply with HIPAA and avoid costly penalties. That’s why we’re proud to offer HIPAA compliant text messaging and other secure solutions that safeguard PHI while leveraging the benefits of technology.
What is a HIPAA violation?
A HIPAA violation is a noncompliant disclosure of PHI that compromises the privacy and security of healthcare information. Essentially, a HIPAA violation occurs when someone learns something they shouldn’t because there weren’t enough precautions in place to protect the information.
In most instances, any unauthorized use or disclosure of PHI is considered a breach, unless the organization or employee can prove there is a low probability that the PHI was compromised. Regulation of HIPAA compliance is strict and a HIPAA violation can be expensive for covered entities (e.g. every hospital, medical center, doctor’s office, healthcare provider, and health plan) and business associates (any third parties who work on behalf of covered entities).
What are the penalties for HIPAA violations?
The Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA compliance by penalizing any involved hospital, health center, or health-related service for both small and large HIPAA violations. Even if patient health information has not been compromised, HIPAA violation penalties can be severe.
The cost of HIPAA violations ranges from $100 to $50,000 based on a variety of factors, including:
- Whether or not there was malicious intent (civil vs. criminal penalties)
- The degree of negligence
- If a breach occurred
- The number of records exposed or potentially exposed
- Future risk as a result of the breach
In HIPAA violation court cases that result in penalties issued by the Office for Civil Rights, violators may pay the following fines per violation:
- $100 to $50,000 when a violation is attributed to ignorance
- $1,000 to $50,000 when a violation occurs despite reasonable vigilance
- $10,000 to $50,000 when a violation is attributed to willful neglect but is corrected within 30 days
- $50,000 (maximum fine per violation) when a violation occurs due to willful neglect and is not corrected within 30 days
- $50,000 plus up to one year of jail time if a violation occurs when someone knowingly disclosed PHI
- $100,000 plus up to five years of jail time if a violation occurs under false pretenses
- $250,000 plus up to 10 years of jail time if a violation is committed for personal gain (e.g. selling PHI)
Individuals can also file civil lawsuits under state law for HIPAA violations that result in harm due to negligence. In some instances, these HIPAA violation lawsuit cases can result in fines over $1.5 million, which is the maximum penalty per violation that OCR can issue.
7 Examples of HIPAA violation cases
It can take months or years for the Department of Health and Human Services Office for Civil Rights to discover and resolve intentional and accidental HIPAA violation cases. And sometimes, additional HIPAA violations are found during investigations. Learn about some of the most damaging HIPAA violation cases below.
Illinois-based healthcare network fails to conduct a thorough risk analysis.
In 2016, the largest HIPAA settlement resulted from three data breaches affecting four million people. A healthcare network in Illinois paid $5.5 million after an unencrypted laptop was stolen from an employee’s car, and, in a separate incident, four computers were stolen. The Office for Civil Rights noted that the hospital system failed to establish a risk analysis that accounted for physical and administrative safeguards, in addition to the technical safeguards in place.
Lesson to learn: HIPAA violations are common as a result of lost or stolen organizational devices, which is why it’s so important to analyze potential risks and mitigate them with the proper safeguards.
An imaging company in Tennessee violates multiple HIPAA rules.
In 2018, a Tennessee-based medical imaging services company paid $3 million in penalties and adopted a corrective action plan (CAP) to resolve their HIPAA violations. The FBI discovered one of their servers was accessible on the Internet, allowing anyone to search and view PHI for over 300,000 individuals via search engines. Following the discovery, they initially failed to admit that the protected information had been exposed and didn’t notify affected individuals for 147 days. This resulted in additional penalties because of a delayed investigation and a violation of reporting rules. Throughout the investigation, the OCR also found instances where they did not enter into a business associate agreement for services with third-party vendors—a requirement under HIPAA.
Lesson to learn: When suspected or known security breaches arise, covered entities must follow reporting guidelines to notify affected individuals within 60 days.
Member data stolen by cybercriminals using phishing.
A large health insurer in the U.S. was the victim of a targeted cyberattack in 2015. The investigation, which concluded in 2018 with a $16 million settlement, revealed a data breach of over 78 million member records as cybercriminals used phishing to enter the network and access plan members’ data. The OCR identified multiple HIPAA violations, including failure to prevent unauthorized access to ePHI as a result of insufficient technical policies and procedures to maintain ePHI privacy. As the largest HIPAA settlement ever, they also paid damages to members whose privacy was compromised.
Lesson to learn: Large health organizations are specific targets for hackers, which is why large healthcare entities must establish strong password policies and regularly monitor information system activity to mitigate potential risks.
A Texas health system discloses unauthorized identifiable information in a press release.
In 2015, a Texas-based health system responded to an incident involving the use of a fraudulent ID card by a patient with a memo to the press. In the press release, the hospital system violated the privacy of the involved patient by including their name in the title, which the OCR determined to be an intentional failure to protect the patient’s right to privacy. Although releasing the patient’s name to police was permissible, the public statement issued by the hospital system should have protected the patient’s privacy. Failure to do so cost them $2.4 million.
Lesson to learn: While most HIPAA violation settlements involve a large number of medical records, the OCR takes serious measures to uphold HIPAA laws, even when just one individual’s medical data is involved. HIPAA’s Privacy Rule requires that PHI not be disclosed without authorization.
A cancer center exposes patient data after the theft of unencrypted devices.
Also located in Texas, a cancer center paid over $4.3 million in civil monetary penalties after three data breaches that violated HIPAA. The Office for Civil Rights’ investigation revealed that three devices were stolen, resulting in a breach of PHI for over 34,000 patients. While the center had encryption policies in place to prevent any potential breach from theft, the involved laptop and USB thumb drives were not encrypted or password protected.
Lesson to learn: Reasonable safeguards, such as encryption policies, are required to protect the integrity, confidentiality, and availability of private health data.
Two Maryland hospitals refuse to provide patients with copies of their medical records.
Two hospitals in Prince George’s County, Maryland, violated 41 patients’ rights to their medical records under HIPAA. HIPAA states that patients can request copies of their medical records and healthcare providers must comply within 60 days without charging for the service. In this case, each hospital refused, resulting in a $3 million settlement as the first OCR penalty for violations of the Privacy Rule. Their penalty was compounded by their unwillingness to cooperate, leading to the highest possible penalty attributed to “willful neglect”.
Lesson to learn: HIPAA’s Privacy Rule grants patients access to their records. Although the OCR’s goal is to improve security standards to prevent HIPAA breaches and protect patients’ civil rights, penalties may be more severe when covered entities in violation are unwilling to cooperate.
A Florida-based health system accesses unauthorized PHI, revealing numerous HIPAA violations.
In Florida, a health system received a $2.15 million civil penalty from the Office for Civil Rights after violating several HIPAA rules, including impermissible disclosure of PHI, risk analysis failures, infrequent reviews of information system activity, and unauthorized, intentional access to patients’ medical information for the purpose of selling it. They also neglected to notify individuals of a potential breach when a box of files went missing, and did not report it for 160 days, rather than within the 60 days required by law.
Lesson to learn: Every hospital, medical center, and health system needs to prioritize HIPAA compliance and make reasonable efforts to prevent, detect, and correct HIPAA violations or they can expect to pay a significant financial price.
Common HIPAA violations
The Department of Health and Human Services Office for Civil Rights is diligent in penalizing HIPAA violators in order to protect the confidentiality, integrity, and availability of patient information. While following HIPAA rules is important, the OCR understands that breaches are possible. In fact, not every data breach is a violation of HIPAA, so long as the involved hospital or health system takes the appropriate measures to reduce their risk and protect PHI.
HIPAA violations most commonly occur when a medical center, hospital, or other health-related organization, its employees, or its business associates and vendors:
- Fail to encrypt devices
- Are hacked
- Access data for which they’re unauthorized
- Leak PHI or other confidential information
- Lose company devices
- Improperly dispose of PHI
- Access PHI from unsecured devices
Any of the above violation categories can involve PHI. And under HIPAA, any incident in which PHI is compromised must be reported to the Department of Health and Human Services in accordance with regulations, or additional penalties can accumulate.
How to prevent HIPAA violations while using technology
Many of the most common causes of HIPAA violations can be attributed to a lack of HIPAA education for employees. That’s why it’s important to provide HIPAA training for new hires, whenever regulations change, and periodically just to keep the rules fresh in everyone’s mind.
Similarly, it’s imperative that healthcare organizations and providers establish business associate agreements with any third-party solution provider, and ask the right questions to be sure that whoever they’re working with clearly understands HIPAA regulations and is in full compliance.
Technology is a great tool to streamline and improve patient care, especially when it is used by companies who value and prioritize HIPAA compliance. At Providertech, we’re serious about protecting identifiable patient data, which is why all of our solutions are fully compliant with HIPAA and the Telephone Consumer Protection Act.