The Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, was a landmark piece of legislation. It established national standards for health care organizations to prevent patients’ private health information from being disclosed without their consent.
Today, health care providers continue to adhere to HIPAA regulations to streamline their administrative process, protect their patients’ information, and prevent health care fraud.
What Is a HIPAA Violation?
A HIPAA violation is any failure to comply with HIPAA standards and provisions. Although HIPAA sounds like it’s just one act, there are many different rules that make up the act: the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
Each of these rules addresses a different aspect of protecting and sharing protected health information (PHI), and any breach of any of those rules is a violation of HIPAA.
All covered entities — including health care providers, health plans (e.g., health insurance companies), health care clearinghouses, and business associates of these entities — must follow HIPAA guidelines in everything they do.
Common HIPAA Violations
With numerous complex rules that can sometimes change as the technology itself changes, HIPAA violations can occur more easily than you might expect.
There are hundreds of possible HIPAA violations a health care entity and its employees can commit — and in many cases, employees don’t even realize they’ve made a mistake until the damage has been done.
To help you avoid this outcome, here are 11 of the most common HIPAA violations that can happen, so you can know what to look for as you go about your job.
1. Unsecured Records
To prevent unauthorized access to PHI, any records containing PHI should be kept in a secure location at all times. Physical files should be locked in a safe place, and digital files should be protected by strong passwords.
For example, if you’re carrying anything with patient information on it, like notes from a shift report, don’t leave it outside a patient’s room or out on a desk where anyone can see it. If you’re using an electronic medical record system, turn off the screen and log out whenever you walk away from the computer.
2. Unencrypted Data
It is highly recommended that organizations encrypt any digital files containing PHI. If a device containing PHI is lost, stolen, or hacked, encryption provides an additional layer of protection beyond a password.
Although this is not required at the national level, several states have passed laws requiring health care entities to encrypt data.
3. Hacking
Hacking is a major threat to patient privacy and digitally stored PHI. Health care entities are expected to take every precaution to protect against hacking.
These protective measures may include updating antivirus software regularly, using firewalls, creating strong passwords (and changing them frequently), and encrypting data.
4. Loss or Theft of Devices
When not in use, devices containing PHI should be stored in a secure location at all times; data should be encrypted or password-protected or, ideally, both. If the device is lost or stolen, all the PHI stored on it is vulnerable to access and potential exposure.
If you carry devices that can access PHI, make sure you never leave them where they can be easily stolen, like out on a cafeteria table or in your car.
5. Lack of Employee Training
Every employee with access to PHI must be thoroughly and regularly trained on HIPAA compliance. This includes both HIPAA laws and the policies and procedures of your specific health care entity. Without this training, employees may unwittingly make mistakes and leave PHI vulnerable.
6. Sharing/Third-Party Disclosure of PHI
PHI should only be shared and discussed with those who need the information, such as the patient, the health care team, and the person or organization who is billing for health care services.
These discussions should happen behind closed doors in a secure place, where other parties cannot listen to or access the information. Don’t gossip about patients in public areas, like hallways or elevators.
7. Improper Disposal of Records
PHI records must be disposed of properly to avoid any unintentional data breaches. Paper files should be shredded or destroyed, while electronic files should be wiped from the hard drive.
Improper disposal of records can be prevented by training employees on proper disposal procedures and by making sure everyone knows where to dispose of PHI-containing information, like in shred bins.
8. Unauthorized Release of Information
PHI should only be released to the patient or other authorized family members, including dependents and individuals with Power of Attorney.
Health care entities must not release PHI to unauthorized family members, the media, or other individuals who should not legally have access to the information. This includes making posts on social media about patients or a patient’s condition, for example by posting a photo.
9. Failure to Run Risk Analysis
Conducting regular risk analyses can help identify any vulnerabilities in a health care entity’s system and prevent HIPAA violations from occurring in the first place. Conversely, entities that fail to run risk analyses can find themselves at fault for any data breaches that occur as a result.
Although a risk analysis is conducted by administrators, health care professionals can help contribute by speaking up if they identify areas that might need improvement.
10. No Risk Management Process
Once it has conducted a risk analysis, the health care entity needs to manage those risks appropriately. As part of this management, any risks to PHI security and availability are prioritized and addressed in a timely manner. If an entity identifies risks without managing them, it is liable for any breaches of PHI.
Often in this process, health care staff might need to undergo further training. Take this training seriously to reduce the chance of a violation.
11. Denying Patient Access to Health Records
Under the HIPAA Privacy Rule, patients have the right to access and obtain copies of their medical records. Health care entities that deny patients access to their own health records, overcharge for copies or access, or fail to issue their records within 30 days are in violation of this rule.
The Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations by conducting compliance reviews of health care entities, as well as investigating any complaints filed against these entities.
If OCR accepts a complaint, it notifies both the person who filed the complaint and the named entity when the investigation begins. Both parties are then asked to present information about the issue and are required by law to cooperate.
OCR then reviews the presented information; if a violation has occurred, it will attempt to resolve the case with the entity. Resolution may include voluntary compliance, corrective action (such as a change in policy), or a resolution agreement (settlement).
OCR may also provide technical assistance to help ensure compliance. Upon satisfactory resolution, both parties are notified of the outcome. Any criminal violations are referred to the Department of Justice for further investigation.
As part of the resolution process, OCR can also issue civil penalties to an individual or organization for violating HIPAA regulations. Fines can range from $100 to $25,000 for violations where the entity was unaware or not practicing due diligence, to as high as $1.5 million where violations were made willfully and with no attempt to rectify or prevent the situation.
The best way to prevent a HIPAA violation is to pay attention, be vigilant, and stay up to date on current regulations. If you are unsure whether an action is acceptable under HIPAA, ask your supervisor and conduct research on the issue. While this may take extra time and effort, the outcome for both you and your patients is well worth it.