HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The law has gained greater prominence in recent years with the proliferation of health data breaches caused by cyberattacks and ransomware attacks on health insurers and providers.
What is the purpose of HIPAA?
HIPAA, also known as Public Law 104-191, has two main purposes: to provide continuous health insurance coverage for workers who lose or change their job and to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. Other goals include combating abuse, fraud, and waste in health insurance and healthcare delivery and improving access to long-term care services and health insurance.
HHS expanded the act when it put the HIPAA omnibus rule in place in 2013 to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These guidelines concern the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident.
Top 10 Most Common HIPAA Violations
With HIPAA violation fines reaching up to $50,000 per occurrence and a maximum annual penalty of $1.5 million per violation, it's important for medical practices to ensure they are HIPAA compliant at all times. And while all possible HIPAA violations should be considered potential threats to your medical practice, some are more common than others.
Because HIPAA regulations are complex and ever-changing, it's hard to stay up-to-date on the latest changes and common violations. By ensuring your staff is well-trained on HIPAA compliance and understanding which violations occur most often, your practice can more adequately protect against instances of violations.
We've compiled a list of the ten most common HIPAA violations, along with some advice on how to avoid them, so your practice can take the necessary steps to prevent them.
1. Keeping Unsecured Records
As part of your employee training, all staff members should be required to keep documents with PHI in a secure location at all times. Physical files containing PHI should be locked in a desk, filing cabinet or office. Digital files should require secure passwords to access them, in addition to being encrypted whenever possible.
2. Unencrypted Data
The dangers of leaving PHI unencrypted are straightforward. Encrypting the data is an added protection if a device containing PHI is lost or stolen, and it offers an additional layer of security if a password-protected device is somehow accessed, such as through hacking. Although encryption is not a strict HIPAA requirement, it is highly recommended. You should also be familiar with your state's regulations, as many states have passed laws requiring ePHI and PII to be encrypted.
3. Hacking
Although we'd like to think it would never happen to us, hacking is a real threat to medical ePHI. There are people out there who want to use this information for malicious purposes, and therefore medical practices need to protect against hacking wherever possible.
Keeping antivirus software updated and active on all devices containing ePHI is a great place to start. Using firewalls adds another layer of protection as well. Finally, creating unique, difficult-to-remember passwords and changing them frequently is another important measure to take to prevent hacking.
4. Loss or Theft of Devices
A case was settled in June of 2016 in which an iPhone containing a vast amount of ePHI, including social security numbers, treatment and diagnosis information, medications, and more, was stolen.
In addition, the iPhone was neither password-protected nor encrypted, leaving all of the ePHI exposed to anyone in possession of the phone.
The violation occurred at a facility called the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). A combination of nursing home residents and family members totaling 412 people were affected by the data breach, and the facility was fined $650,000.
Unfortunately, if devices containing ePHI are not stored in a secure location at all times, they are subject to the possibility of loss or theft. If the information stored on such devices is not encrypted or password-protected, the loss or theft of the device becomes an even more severe issue.
5. Lack of Employee Training
When it comes to training employees on HIPAA regulations and compliance, it's important that every employee who comes in contact with PHI be thoroughly educated. Employee HIPAA training is more than a recommendation; it is a requirement of the HIPAA law. All staff members must be well-trained on the law, as well as on the particular policies and procedures set forth by your individual practice.
6. Gossiping / Sharing PHI
Although general gossip or chit-chat by the water cooler can be harmless, PHI should always be off-limits. When talking to co-workers, there is no reason to discuss PHI. Plus, it comes with a hefty fine.
Medical practice employees with access to patient PHI need to be careful about the information they share with others. When discussing PHI, we should always be aware of who may be listening. Keep conversations about PHI behind closed doors, and only with appropriate office personnel.
7. Employee Dishonesty
Although not always done with a malicious purpose, when employees try to access PHI that they are not authorized to view, this is a HIPAA violation. Often it is merely out of curiosity, but the punishment is the same regardless of the intent. Thorough and precise training and procedures that outline who can access what, as well as a clear indication of the consequences that will result, can help prevent occurrences of this particular HIPAA violation.
8. Improper Disposal of Records
When training your staff members on HIPAA regulations, one of the most important procedures to enforce is proper disposal of PHI records. Staff members should understand that all information that contains PHI, such as social security numbers, medical procedures, diagnoses, etc., should be shredded, destroyed, wiped from the hard drive, etc.
If any of this information is left lying around in a trash can, in a computer's recent files folder, etc., it could get into the hands of the wrong person, and this would be a serious HIPAA violation. You can prevent this from happening with proper employee training and enforcement by a compliance officer or other staff.
9. Unauthorized Release of Information
This violation most often occurs when members of the media release PHI regarding public figures and celebrities. It can also happen when medical personnel release PHI to unauthorized family members, as only dependents and those with a Power of Attorney are allowed access to the PHI of a family member.
10. 3rd Party Disclosure of PHI
When it comes to discussing PHI, it should only be discussed with the people who need to know, such as the patient, the doctor(s), and/or the person(s) billing for the procedure, medication, or other related services. If you have access to PHI and discuss it with those who do not have the right to access this information, that is a direct violation of HIPAA.
However, it does happen frequently. Again, by educating all staff members with access to PHI about HIPAA regulations such as this, you can eliminate the majority of data breaches caused by this violation.
Another example of 3rd party disclosure would be if a staff member were to release the wrong patient's information due to human error. In this case, the act may be an accident, but the consequences would be similar to those for a purposeful violation.
What about the HITECH ACT?
The HITECH Act of 2009 expanded the scope of privacy and security protections available under HIPAA by increasing the potential legal liability for non-compliance and providing for more stringent enforcement. The HITECH Act specifies that by the beginning of 2011, healthcare providers will be given monetary incentives for being able to demonstrate meaningful use of electronic health records (EHR). These monetary incentives will be offered until 2015, after which time penalties will be levied for failing to demonstrate such use. Many of the HITECH Act's requirements became effective 12 months from the date of enactment.
Audits for Neglect
The industry perception is that HITECH compliance has not been strictly enforced in the past. As time has shown us, the new powers that are in Washington have taken this rule to heart and are now performing audits on entities that have been reported to be in willful neglect or have severely breached ePHI data. The HITECH Act requires mandatory penalties for “willful neglect.” What “willful neglect” means will need to be determined on a case-by-case basis, but speaking from experience, if you do not have the necessary Privacy and Security documentation to present to an investigator, covering all aspects of the rule, you will likely be found in willful neglect.
The penalties for willful neglect are increased under the HIPAA HITECH Act. These HIPAA violation penalties can extend up to $250,000, with repeat/uncorrected violations extending up to $1.5 million. Under certain conditions, HIPAA's civil and criminal penalties now extend to business associates. As stated in the original HIPAA rule, which has lately been ignored, if you are a covered entity and you share information with a business associate, you are supposed to get assurance that they will protect the data. In most cases that never happened.
Health and Human Services' (HHS) obvious goal is to provide for "enhanced enforcement." HHS has released reports showing significant fines and audits in 2012, which demonstrate that HHS is serious about healthcare organizations complying with the enacted regulations.
HIPAA clearly outlined the release-of-information guidelines, and what can and cannot be released without authorization from the patient. HITECH notification requirements were modeled on many state data breach laws relating to personally identifiable financial information. The HITECH Act, in its relationship to HIPAA and EMRs, requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more, then HHS must also be notified, and in this instance local media will need to be notified as well. Lastly, the State Privacy Officer will need to be notified. All breached patients will need to receive a first-class mailing that addresses personally what happened and what steps are being taken to resolve the breach, with the entity sometimes paying for the breached patients to have free access to their credit reports.
Electronic Health Record Access
If a provider has implemented an EHR system, HITECH gives the patient the right to obtain their ePHI in an electronic format. The patient can also designate a third party as the recipient of the ePHI. HITECH permits a charge, equal to the labor cost, for fulfilling an electronic request.
For providers that have an EHR, it should be rather easy to accomplish this task. On further examination, however, EHR vendors have in some cases not made this easy, and more work is required to produce such a file.
HITECH Act’s incentives are driven by the implementation of “Meaningful Use.” “Meaningful Use” gauges your implementation of an EHR and if the EHR you have chosen meets all the requirements the government has laid out. Not being able to show meaningful use may decrease or eliminate incentive payments.
Business Associates and Business Associate Agreements
As stated in the opening, HITECH now covers certain HIPAA provisions directly aimed at business associates. Privacy and Security requirements were always supposed to be imposed on business associates via contractual agreements with covered entities. What we have experienced is that many providers did not obtain the necessary assurances of what the business associate had done or was planning to do, including the documentation showing that they were meeting the regulation guidelines. In many cases, Business Associate Agreements exist but do not meet all the requirements of the rules. Because HHS failed to enforce the rules vigorously, this issue still exists today, which will prompt the government to again make new rules to ensure that business associates that receive and store ePHI are compliant under the HIPAA regulations.
The handwriting is on the wall with HITECH compliance. Business associates and providers will share joint responsibility for the protection of ePHI due to the increased amount of sharing that will be taking place. This will not only be between provider and EHR vendor but eventually extend to hubs that others will be able to access. Small providers are still having problems not only with the HITECH Act but with the original HIPAA rule as well. With new regulations on the horizon, specifically Omnibus, small to medium entities will continue to struggle to comply with and understand the mass of rules being thrown their way to protect patients' data privacy and security.
Other HITECH Hits
HIPAA HITECH compliance continues on with rules regarding marketing communications, restrictions on uses and disclosures, and accounting of those disclosures. HIPAA did a fairly good job of covering these items, but it is worth noting that you should have policies and procedures outlining the aspects of each type of Use and Disclosure and how you need to track and store this information.
The HITECH Act was mainly enacted to further elaborate on breach notification. What do you need to do as a provider when you have a breach? The HITECH Act helps answer what it is you actually need to do, who you need to report to, and more. The government knows you have small breaches every day. For example, a fax went to Joe's Bar and Grill, a phone was lost, or numbers were transposed on a letter and it came back opened. Those are things that happen every day, and the government is looking to you for answers, such as: what did you do after you found out, did you notify the patient, did you try to retrieve the faxed document, was the phone encrypted, can you remotely wipe it. Being able to answer and prove those points is what needs to happen on a daily basis in your organization when it comes to HITECH breach notification.
What Are The Four Categories of Violations?
Section 13410(d) of the HITECH Act established four categories for HIPAA violations:
1. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
2. The violation was due to reasonable cause, and not willful neglect;
3. Willful Neglect – Corrected: the violation was due to willful neglect that is timely corrected (30 days); and
4. Willful Neglect – Not Corrected: the violation was due to willful neglect that is not timely corrected.
What Are The Range of Penalties?
Under the HIPAA Privacy Rule, falling victim to a healthcare data breach, as well as failing to give patients access to their PHI, could result in a fine from OCR.
The minimum penalties are:
1. Unknowingly violating HIPAA: $100 per violation, with an annual maximum of $25,000 for repeat violations.
2. Reasonable cause for violating HIPAA: $1,000 per violation, with an annual maximum of $100,000 for repeat violations.
3. Willful neglect of HIPAA where the violation is corrected within a given time period: $10,000 per violation, with an annual maximum of $250,000 for repeat violations.
4. Willful neglect of HIPAA where the violation remains uncorrected: $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
The maximum penalty for all of these categories is $50,000 per violation, with an annual maximum of $1.5 million for repeat violations.
Covered entities and individuals who intentionally obtain or disclose PHI in violation of the HIPAA Privacy Rule can be fined up to $50,000 and receive up to one year in prison. If the HIPAA Privacy Rule is violated under false pretenses, the penalties can be increased to a $100,000 fine and up to 10 years in prison.
According to the guidance, while HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of HITECH, these changes are effective until further notice.