The HIPAA violation examples that most often make the headlines are data breaches involving thousands of records that result in six- or seven-figure settlements. However, these events represent a small percentage of the HIPAA violations reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) – most of which are resolved by technical assistance or Corrective Action Plans.
Although resolutions by technical assistance or Corrective Action Plans do not incur financial penalties, there are costs involved. A HIPAA Covered Entity could be required to revise policies and procedures, amend working practices, and/or implement technology solutions to prevent a HIPAA violation from being repeated. This may require the assistance of a compliance expert and will almost certainly involve retraining members of the workforce.
Therefore, it is advisable for Covered Entities and Business Associates to invest in HIPAA compliance, understand how violations occur, and develop best practices to mitigate the risk of a violation. The examples of HIPAA violations in this article may help Covered Entities and Business Associates better understand how HIPAA violations occur; but, as each organization is different, there is no one-size-fits-all solution to mitigating the risk of a HIPAA violation.
What is HIPAA and Who Does it Apply to?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law which led to the development of national standards for the privacy and security of Protected Health Information (PHI). Protected Health Information consists of any individually identifiable health information including name, date of birth, address, and social security number.
The standards apply to organizations known as Covered Entities. Covered Entities are health plans, healthcare clearinghouses and healthcare providers who transmit PHI electronically in connection with transactions for which the Department of Health and Human Services has adopted standards.
In addition, the standards apply to organizations known as Business Associates. Business Associates are third-party individuals or businesses with whom PHI is shared by a Covered Entity for a service or activity that helps the Covered Entity carry out its health care functions. Business Associates of Covered Entities include:
- Lawyers, accountants, and IT specialists.
- E-prescribing services.
- Independent medical transcriptionists.
- Cloud service providers.
What are HIPAA Violation Examples?
HIPAA violations are the failure to comply with the standards of the HIPAA Privacy, Security, and Breach Notification Rules, and amendments made to these Rules in the Final Omnibus Rule.
There are several ways in which a Covered Entity or Business Associate can commit HIPAA violations. The most common HIPAA violation involves the unauthorized use and disclosure of PHI beyond the permitted uses and disclosures set by the HIPAA standards. HIPAA PHI violation examples include:
- Improper disposal of PHI.
- Failure to manage risks to the confidentiality, integrity, and availability of PHI.
- Failure to implement physical, administrative, and technical safeguards.
- Failure to implement access controls.
- Failure to terminate access rights to PHI when no longer required.
- Unauthorized disclosure of PHI online or via Social Media.
There are a multitude of other ways in which Covered Entities and Business Associates can violate HIPAA law. Other HIPAA violation examples include:
- Failure to provide sufficient training for workforce members on the Covered Entity’s policies and procedures for HIPAA.
- Failure to record the training given.
- Failure to provide patients with their information or an accounting of disclosures upon request.
- Failure to provide sufficient information concerning a breach of unsecured PHI to the individuals affected.
- Failure to enter into a Business Associate Agreement before disclosing PHI.
HIPAA Violation Examples in 2022
Violations of HIPAA are very common. However, the scale of a violation can vary drastically, from affecting very few individuals to affecting millions. From January 2022 to March 2022, 139 healthcare data breaches of 500 or more records were reported to the HHS Office for Civil Rights (OCR). Across the 139 breaches, 7,640,618 healthcare records were exposed. These healthcare data breaches are typically the result of hacking or an IT incident.
In January 2022, 18 breaches of 10,000 or more healthcare records were reported to OCR, most of them the result of phishing or ransomware attacks. The most significant HIPAA violation example occurred at Florida’s Broward Health. The medical center was subject to a major data breach involving the exposure of more than 1.35 million data records. Through a third-party healthcare provider that had been granted access to Broward Health systems, a hacker was able to enter the Broward Health network.
February 2022 had several HIPAA violation examples. However, the largest breach was reported by Morley Companies Inc. A hacking incident resulted in the exposure and potential theft of the PHI of 500,000 clients of its health plan. In addition, the Monongalia Health System reported a major data breach affecting just over 490,000 individuals – the second significant data breach to affect patients of the West Virginia-based health system in the space of twelve months.
In March 2022, Christie Business Holdings Company, which operates the Christie Clinic in Illinois, discovered an employee email account had been accessed without authorization in an attempt to divert a payment to a third-party vendor. Although the company could not be certain that sensitive data was extracted from the email account, the unauthorized access was reported to OCR as this HIPAA violation example potentially affected over half a million patients.
What are the Consequences of HIPAA Violations?
Although the HIPAA violation examples highlighted above may ultimately have financial consequences for the offending businesses once the violations are investigated by OCR, the consequences of HIPAA violations do not only affect the business responsible for the violation. They also affect the people who work for the business and those who have had their PHI exposed.
As mentioned in the introduction to this article, the most common outcome of an investigation into a HIPAA violation is a Corrective Action Plan which requires a change in working practices and workforce retraining. In some cases, this will create significant upheaval to workforces – especially when compliance shortcuts have become the cultural norm “to get the job done”.
For those who have had their PHI exposed, the risk exists that the person in possession of their PHI may try to use it to commit fraud or identity theft. There are multiple examples of people using other people’s information to obtain “free” healthcare, supplies, or equipment; and to recover their costs, health plans can charge a higher deductible or healthcare insurance premium.
Who Enforces HIPAA?
The primary enforcer of HIPAA is the HHS’ Office for Civil Rights (OCR). However, since the passage of the HITECH Act in 2009, authority has been given to State Attorneys General to issue penalties for HIPAA violations independent of the OCR. Furthermore, the Federal Trade Commission, the U.S. Food and Drug Administration, and the Centers for Medicare and Medicaid Services have limited roles in enforcing HIPAA.
Typically, OCR tries to avoid imposing financial sanctions for non-compliance with HIPAA. OCR prefers non-punitive measures, such as voluntary compliance or issuing technical guidance for Covered Entities to improve areas of non-compliance. However, serious violations of HIPAA Rules can result in financial penalties and/or custodial sentences.
The penalties for HIPAA violations issued by HIPAA enforcement agencies depend on the following factors:
- The extent of harm the violation caused.
- The degree of culpability.
- The efforts made to reduce the harm of the violation.
- The negligent party’s timely notification and cooperation.
Additionally, HIPAA violation fines imposed by OCR are categorized into four tiers. The HIPAA violation tiers are as follows:
Tier 1 – For Covered Entities and Business Associates that did not know – and could not have known by exercising reasonable due diligence – about the violation.
Tier 2 – For Covered Entities and Business Associates when an avoidable violation occurs due to a reasonable cause, but not willful neglect.
Tier 3 – For Covered Entities and Business Associates when a violation occurs due to willful neglect and the violation is corrected within 30 days.
Tier 4 – For Covered Entities and Business Associates when a violation occurs due to willful neglect and the violation is not corrected within 30 days.
Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit (2022) |
---|---|---|---|---|
Tier 1 | Lack of Knowledge | $127 | $63,973 | $1,919,173 |
Tier 2 | Reasonable Cause | $1,280 | $63,973 | $1,919,173 |
Tier 3 | Willful Neglect | $12,794 | $63,973 | $1,919,173 |
Tier 4 | Willful Neglect not Corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
As of 2021, an amendment to the HITECH Act introduced a ‘safe harbor’ provision for Covered Entities and Business Associates that have had ‘recognized security practices’ in place for the 12 months prior to the discovery of a data breach. The Safe Harbor provision gives OCR the discretion to waive or reduce financial penalties for HIPAA violations and to reduce the length of time a Covered Entity or Business Associate must comply with a Corrective Action Order.
Recent HIPAA Violation Cases 2022
In 2022, there have been several HIPAA violation investigations resulting in financial penalties. One HIPAA violation example relates to Dr. Brockley, a solo dental practitioner in Butler, PA, who had not provided a patient with a copy of their medical records within the time frame set by the HIPAA Privacy Rule. OCR notified Dr. Brockley of its intention to issue a financial penalty of $104,000. The dental practitioner requested a hearing to challenge the financial penalty. The parties came to an agreement whereby Dr. Brockley agreed to pay $30,000 and adopt a Corrective Action Plan to ensure future HIPAA compliance.
Another HIPAA violation example relates to a California psychiatric medical services provider called Jacob & Associates, which was investigated by OCR following a complaint submitted by a patient concerning a request for their medical records. Jacob & Associates had failed to provide the patient with timely access to their medical records and charged an unreasonable fee when the records were eventually provided. In addition, the psychiatric medical services provider had failed to appoint a HIPAA privacy officer, and there were several other issues with its notice of privacy practices. The HIPAA violation investigation resulted in a $28,000 settlement and the adoption of a Corrective Action Plan.
Another HIPAA violation example is the dental practice owned by Dr. U. Phillip Igbinadolor, which was investigated by OCR after a client filed a complaint concerning an unauthorized disclosure of their PHI in response to an unfavorable online review. After the practice failed to respond to an administrative subpoena requesting its policies and procedures, training records, income statements, and other communications, a penalty of $50,000 was issued for willful neglect with no correction.
Dr. David Northcutt, the owner and operator of Northcutt Dental, was investigated by OCR after a complaint was made regarding an alleged impermissible disclosure of PHI. The PHI had been shared with a campaign manager and a third-party marketing company in relation to a state senate election campaign. Along with the unauthorized disclosure, OCR found several issues with the entity’s notice of privacy practices and no HIPAA privacy officer. The HIPAA violation case resulted in a $62,500 penalty and a Corrective Action Plan.
All the HIPAA violation examples above resulted in the offending entity adopting a Corrective Action Plan. The plan is a method of rectifying HIPAA violations once an investigation into the violation’s root cause has been conducted and the violation resolved.
Recent HIPAA Violation Cases 2021
2021 saw several further HIPAA violation examples resulting in financial penalties – many coming as a result of Covered Entities failing to provide timely access to PHI to an individual after receiving a request. OCR regards violations of patients’ right of access very seriously and issues penalties accordingly.
One HIPAA violation example in 2021 was Advanced Spine & Pain Management, a chronic pain medical services provider in Ohio, which agreed to settle OCR’s investigation and paid a civil monetary penalty of $32,150. The investigation stemmed from a complaint submitted by a patient who requested access to their medical records but was not provided with a copy until 3 months later.
A further HIPAA violation example is the Denver Retina Center HIPAA violation. The center agreed to pay $30,000 following a failure to provide a patient with timely access to their medical records. In addition, the Denver-based ophthalmological services provider will be supervised by OCR for a period of 12 months to ensure compliance with its Corrective Action Plan.
Another HIPAA violation example is a cardiovascular disease and internal medicine doctor, Dr. Robert Glaser, who agreed to pay $100,000 as a result of a HIPAA violation investigation. Dr. Glaser failed to provide a client’s medical records within the appropriate time period. Furthermore, the doctor did not cooperate with OCR during the investigation, resulting in a financial penalty of $100,000 for a HIPAA Right of Access violation.
Finally, the Rainrock Treatment Center LLC settled with OCR for $160,000 after failing to provide a patient with timely access to their medical information following a series of requests.
After reviewing a multitude of HIPAA violation examples, OCR Director Lisa J. Pino has stressed the importance of providing patients with their requested medical records in a timely manner. In a statement, she said: “timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding Covered Entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
How to Report a HIPAA Violation
It is essential for all members of a Covered Entity’s workforce to understand what constitutes a HIPAA violation and how to report it. Covered Entities and their Business Associates must investigate reported HIPAA violations to:
- Determine the severity of the violation.
- Determine the risk to affected individuals.
- Ensure the necessary steps are taken to mitigate the potential harm of any breach.
If an employee of a Covered Entity suspects a violation has occurred, they must report the incident to the organization’s Privacy Officer or to the individual who is responsible for HIPAA compliance in their department. The report will then be analyzed by the HIPAA Privacy Officer who will determine whether to notify the HHS under the provisions set by the HIPAA Breach Notification Rule.
Patients of organizations subject to HIPAA can report a violation of their rights to the Covered Entity’s Privacy Officer or to OCR via the online complaints portal. Patients and employees may bypass the Covered Entity and report directly to OCR if they believe the Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. HIPAA violation reports must include:
- A written reason for the report.
- The date of when the alleged violation took place.
- The address where the violation occurred.
- If known, when the accuser learned of the suspected violation.
HIPAA violation reports must be filed within 180 days of the discovery of the event, and although complaints can be filed anonymously, OCR will not investigate any report without a name and contact information.
The discovery of a HIPAA violation should be reported without delay. For employees and patients, withholding a report may have a substantial impact if the violation is not addressed, and there is a risk that the harm will increase.
Fines for Covered Entities that fail to report HIPAA breaches within the necessary time frame can be significant – as evidenced by the Sentara Hospitals HIPAA violation case. The hospitals, located in Virginia and North Carolina, agreed to pay a settlement of $2.175 million for violating the HIPAA Privacy Rule and failing to notify OCR of a data breach affecting over 500 patients. There are multiple HIPAA violation examples just like this case, whereby a substantial penalty is issued to a non-compliant Covered Entity.
What to do if Accused of HIPAA Violations
There are several circumstances in which individuals and organizations can be accused of breaching HIPAA laws. Accusations can be made by various parties including patients, colleagues, HIPAA Security Officers, and OCR. When an individual is accused of a HIPAA violation, the actions the individual should take will depend on:
- the role of the individual,
- who the accuser is and what their role is, and
- the consequences of the violation.
One HIPAA violation example is a student nurse who disclosed more PHI than the minimum necessary amount; if no harm has taken place as a result, no punitive measure is needed. However, the student nurse must ensure that the violation is not repeated in order to avoid further sanctions.
In the circumstance whereby the student nurse has posted an image of a patient on social media, the sanctions should be more severe. The image must be removed, and the conversation between the Privacy Officer and the student nurse documented in order to demonstrate that corrective action was taken within 30 days of the violation being discovered.
There are several other scenarios as well. In the circumstance whereby a student nurse is wrongly accused of violating HIPAA by a misinformed senior colleague, the student nurse may feel uncomfortable correcting a senior colleague. In this case, the student nurse should escalate the incorrect accusation to a higher authority in order to prevent further incorrect accusations.
When a Covered Entity is accused of failing to provide requested health records to a patient in a timely manner, it is essential to investigate the reason for the delay. The Covered Entity may need to rectify faults within its policies, procedures, or workforce. The patient must be notified of the actions the Covered Entity is taking to rectify the situation, to prevent an escalation of the accusation to HHS.
How to Prevent being Accused of HIPAA Violations
There are a multitude of actions Covered Entities and Business Associates can take in order to avoid HIPAA violations. All individuals and organizations should be aware of the requirements set by the HIPAA Rules. Covered Entities and Business Associates should implement adequate HIPAA-related training to ensure their workforces are fully knowledgeable about HIPAA policies and procedures and how they apply to their roles within the organization.
Administratively, organizations subject to HIPAA law must designate a HIPAA Privacy and Security Officer to provide this training and to administer regular risk analyses of any new technology or procedures before they are implemented, in order to avoid HIPAA violations due to ignorance.
The HIPAA requirements change frequently, and Covered Entities and Business Associates must ensure they keep up to date with the current requirements to prevent avoidable HIPAA violations in their organizations. Ignorance of the current requirements is not a justifiable defense in the event of an OCR investigation, and organizations that are unsure of the current HIPAA regulations should seek advice from HIPAA experts in order to avoid punishment for HIPAA violations such as the HIPAA violation examples given above.
FAQ
What Constitutes a HIPAA Violation?
A HIPAA violation is the failure to comply with the requirements set by HIPAA standards and provisions. The HIPAA standards and provisions consist of multiple Rules such as the HIPAA Privacy, Security, and Breach Notification Rule along with the HITECH HIPAA-related provisions enacted by the Final Omnibus Rule of 2013. Covered Entities and Business Associates must make a reasonable effort to adhere to HIPAA requirements in order to avoid sanctions for non-compliance.
How to Report HIPAA Violations?
If a violation occurs, it must be reported without delay. When healthcare and insurance professionals discover a HIPAA violation, they must notify their organization’s Privacy Officer or their supervisor. Employees and patients may also notify the OCR if there is reason to believe there is a breach of the HIPAA Privacy, Security, or Breach Notification Rules. HIPAA reports can be issued via the OCR’s Complaint Portal online. Complaints must include the reason for the report along with information about the offending Covered Entity.
How to Prevent HIPAA Violations?
Covered Entities and Business Associates must implement the necessary safeguards in order to prevent HIPAA violations. Important preventive measures include appropriate workforce training on the policies and procedures of the Covered Entity and implementing an ongoing security awareness training program for all members of the workforce. It is important that compliance with HIPAA is monitored to prevent shortcuts taken “to get the job done” from developing into a culture of non-compliance.
What are some HIPAA Violation Examples?
HIPAA violation examples can vary from the exposure of sensitive healthcare data to not providing requested health records to individuals in a timely manner. The most common HIPAA violation examples include:
- Failure to secure and encrypt data.
- Improper disposal of PHI.
- Failure to conduct adequate risk analyses.
- Inadequate staff training.
If an offender commits these HIPAA violations with willful neglect and takes no subsequent corrective measures, a maximum fine and a custodial sentence may be applicable.