The Health Insurance Portability and Accountability Act has been in effect since 1996. It required the development of national standards to safeguard patient privacy. Under this federal law, a patient’s Protected Health Information (PHI) can’t be shared or used without their knowledge or consent.
Laws as large and complex as HIPAA will encounter problems. HIPAA violations are expected and inevitable. Even the most competent facility or highly trained staff will make mistakes. Minor violations are par for the course and are usually resolved quickly.
A data breach is another matter. One report stated that around 250 million Americans were affected by security breaches from 2005 to 2019. Violations due to human error and lack of training can also cause severe problems for healthcare organizations and patients.
HIPAA violations can be avoided. This article will discuss the frequently asked questions about HIPAA violations. The information provided will hopefully help companies be HIPAA compliant.
What’s a HIPAA Violation?
A HIPAA violation is a failure of a covered entity or business associate to follow HIPAA rules. The standards and provisions for this law are explained in 45 CFR Parts 160, 162, and 164.
HIPAA violations essentially occur when the gathering, access, use, sharing, or discussion of Protected Health Information results in the patient being placed at risk.
HIPAA has several specific rules that every healthcare organization, worker, and business partner should learn and comply with. These are:
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
- HITECH Act
- HIPAA Omnibus Rule
What are the Most Common Violations?
HIPAA violations vary. The most common involve the use and disclosure of PHI. But there are other infractions a business associate or covered entity can commit. Here are examples of common HIPAA violations:
- Inappropriate access, disclosure, or use of personal health information
- Unauthorized PHI access
- Improper disposal of PHI
- Failing to run appropriate risk analyses
- Failing to manage risks to the availability, confidentiality, and integrity of PHI
- Failing to implement preventive measures to ensure the availability, confidentiality, and integrity of PHI
- Failing to monitor and maintain access logs to PHI
- Failing to secure a HIPAA-compliant Business Associate Agreement (BAA) before sharing PHI
- Failing to give patients an accounting of requested disclosures
- Failing to terminate workers’ access rights to PHI when they’re no longer with the company
- Failing to provide mandated security awareness training
- Sharing PHI on social media without written permission from the patient
- Texting unencrypted PHI
- Failing to encrypt PHI
What Happens When a Company or an Individual Violates HIPAA Rules?
What happens when someone breaks HIPAA rules will depend on the type of violation and its severity. There are four possible consequences:
- The company will deal with the violation internally.
- The offender’s contract will be terminated.
- The company or employee will be sanctioned by professional boards.
- The company or employee will face criminal charges. The investigation into the violation can result in fines or jail time.
Several factors will determine the consequences of HIPAA violations. The affected organization, federal regulators, professional boards, the Office of Civil Rights (OCR), and the Department of Justice will consider the following:
- Nature of the HIPAA violation
- Whether there was a clear indication that HIPAA rules were violated, or whether an investigation revealed that an infraction occurred
- Whether action was taken to correct the error
- Proof that the violation of HIPAA rules was done with malicious intent or for personal gain
- Proof of the harm caused by the infraction
- Number of people affected by the HIPAA violation
- Proof of the violation of HIPAA’s criminal provisions
As the enforcing body for HIPAA, the OCR investigates alleged HIPAA violations reported by healthcare organizations and patients. The department also investigates complaints against Covered Entities. State Attorneys General can also investigate reports of data breaches.
What are the Penalties for HIPAA Violations?
HIPAA violations fall under two categories: civil or criminal. Each category has its own penalty structure.
- Civil Penalties: These apply to cases where the violation happened without malicious intent. For example, the employee didn’t know their action was wrong. Mistakes caused by carelessness or neglect also fall under this penalty structure. This can cost the individual anywhere from $100 to $50,000 in fines.
- Criminal Penalties: HIPAA violations done with malicious intent fall under this category. A person who knowingly accesses and shares PHI can be fined $50,000 and receive a one-year prison sentence. The penalty for violations done for personal gain, like selling PHI, can be $250,000 in fines and a jail term of 10 years.
Source: Plato Data Intelligence: PlatoData.io