10 Common Examples of HIPAA Violations
Is your practice guilty of committing common HIPAA violations? The truth of the matter is that HIPAA guidelines are ever-changing in response to cybersecurity and liability concerns nationwide. These guidelines also vary depending on how your practice operates, including how staff protect each patient’s Protected Health Information (known as PHI, or ePHI for digital records) and how they conduct day-to-day operations.
Due to the scope and complexity of HIPAA guidelines, there’s a significant grey area where medical practices may not be aware that they are in violation. And with the penalties for a HIPAA violation potentially costing millions in fines for non-compliance, medical practices need to be on the up-and-up when it comes to protecting their patients and livelihood.
To help your understanding of this important topic, we’ll cover some of the most common examples of HIPAA violations, as well as what you need to know about the penalties for non-compliance and what your medical practice can do to avoid violating HIPAA guidelines.
How Much Do HIPAA Violations Cost?
HIPAA violations break down into two categories: Civil or Criminal. Each category of HIPAA violation has a different fine structure and penalties.
Civil HIPAA Penalties
Civil HIPAA penalties are given out if the individual that committed the violation did so without any malicious intent. This can include either neglect or lack of awareness that their actions were wrong. Here’s a breakdown:
| Civil HIPAA Violation | Penalty |
| --- | --- |
| The individual was not aware that they were committing a HIPAA violation | $100 per violation |
| The individual had reasonable cause for their actions and did not act with willful neglect | A minimum of $1,000 per violation |
| The individual was acting with willful neglect, but then fixed the issue | A minimum of $10,000 per violation |
| The individual was acting with willful neglect and did not fix the issue | A minimum of $50,000 per violation |
Criminal HIPAA Penalties
If individuals that committed the HIPAA violation were determined to be acting with malicious intent, the violation leads to larger financial penalties and significant time in jail.
| Criminal HIPAA Violation | Penalty |
| --- | --- |
| The individual knowingly obtains and discloses PHI | |
| The individual commits violations under false pretenses | |
| The individual commits the violation for personal gain (i.e., uses PHI to harm the patient or for personal gain) | |
Common HIPAA Violations
Now that you understand the stakes involved with HIPAA violations, let’s take a look at the most common examples of HIPAA violations:
1) Social Media Exposure
Simply put, social media platforms are the biggest risk for HIPAA violations and data breaches.
According to the HIPAA Privacy Rule, posting any PHI is strictly prohibited without patient consent – and if consent is given for social media posts, it can only be used for the purpose mentioned in the consent form.
Under HIPAA, the following social media activities are violations and must be avoided:
- Posting of images and videos of patients without written consent
- Posting of gossip about patients
- Posting of any information that could allow an individual to be identified
- Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
- Sharing of photos, videos, or text on social media platforms within a private group
2) Lack of Encryption for PHI
All PHI must be encrypted to ensure that it cannot be accessed without proper authorization. Even in the event of a data breach, hackers won’t be able to access this PHI data without the private key.
3) Lack of Encryption for Messaging
Similar to encrypting PHI, all internal communications of a medical practice should use only encrypted messaging applications. While some staff may be tempted to send text messages or use other SMS services, unencrypted messages can be intercepted by malicious cybercriminals.
4) Your Practice is Hacked OR Phished
Having your practice hacked is very seldom an intentional act on part of your staff or systems. That being said, it is still your responsibility to take adequate measures to protect your PHI beforehand – or face penalties.
Some of these best-practices include:
- Using encryption on all devices and communication channels
- Monitoring all networks for unauthorized access
- Regularly changing passwords on all devices
- Limiting access to devices and PHI based on the status of staff members
5) Failure to Notify Authorities of a Breach
Tied in with the HIPAA violation above, if you’ve been hacked, your practice needs to notify authorities and document the incident in accordance with the HIPAA Breach Notification Rule. This means that your practice must notify all affected entities, including business associates. And if the unauthorized access is large enough, practices also have the added responsibility of notifying their patients that their data may have been compromised.
Many practices are unwilling to do so, as this may affect their reputation, but failure to do so in a timely manner – typically 60 days from the first indicator of a breach – can lead to significant penalties that can rack up hefty fines per day of non-compliance.
6) Unauthorized Access to PHI
One of the most common HIPAA violations is when an employee accesses data they’re not authorized for. Whether they’re doing it out of curiosity or with malicious intent, HIPAA can fine the individual and may require an investigation into the information breach.
7) Loss or Theft of Devices
Lost company devices can expose patient data if they end up in the wrong hands. And while it is impossible to prevent every burglary or misplaced device, medical practices need to ensure that adequate safeguards are installed on those devices – which include encryption, multiple passwords, and other theft-deterrents.
8) Unnecessary Information Sharing
As a general rule, all confidential patient information should only be shared on a need-to-know basis. HIPAA defines this standard as the HIPAA Minimum Necessary Rule, and following it is also in the best interest of your medical practice to avoid information leaks or lawsuits.
Because social engineering is one of the most common ways of gaining access to patient PHI, it’s important to only share relevant information behind closed doors with authorized personnel. Even casually sharing information with family members is forbidden, so make sure that your staff understand their responsibility for security.
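One way to turn the Minimum Necessary Rule and the unauthorized-access concern from item 6 into a routine check is to review the ePHI access audit log against a per-role policy. The following is an added example written for this article, not code from PCIHIPAA, OfficeSafe, or any HIPAA regulation: the role names, the PHI field names, the `treating=yes/no` care-team flag, and the key=value log format are all assumptions, and the log lines are constructed sample data. It flags two kinds of event: a user reading fields their role does not need, and a clinical user reading a patient they are not treating.

```python
"""Added example (not part of the original article): review constructed
ePHI access-log lines against a minimum-necessary policy.

Assumptions: role and field names, the log format and the care-team flag
are invented for illustration; the sample log is constructed, not real."""

from dataclasses import dataclass

# Minimum-necessary policy: the PHI fields each role legitimately needs.
# (Assumed role and field names.)
MINIMUM_NECESSARY = {
    "billing": {"name", "dob", "insurance_id", "billing_codes"},
    "nurse": {"name", "dob", "diagnosis", "medications", "allergies"},
    "physician": {"name", "dob", "diagnosis", "medications",
                  "allergies", "notes", "labs"},
}

# Clinical roles must have a treatment relationship with the patient;
# billing may see billing fields for any patient. (Assumed policy.)
CLINICAL_ROLES = {"nurse", "physician"}

# Constructed sample audit log: one access event per line, key=value tokens.
SAMPLE_LOG = """
2024-03-01T09:02:11Z user=jdoe role=billing patient=P-1001 fields=name,insurance_id treating=no
2024-03-01T09:05:40Z user=jdoe role=billing patient=P-1001 fields=name,diagnosis treating=no
2024-03-01T10:14:03Z user=asmith role=nurse patient=P-2002 fields=medications,allergies treating=yes
2024-03-01T10:21:55Z user=asmith role=nurse patient=P-3003 fields=name,diagnosis treating=no
2024-03-01T11:00:07Z user=bchen role=physician patient=P-2002 fields=notes,labs treating=yes
"""


@dataclass
class AccessEvent:
    timestamp: str
    user: str
    role: str
    patient_id: str
    fields: set
    treating: bool  # is the user on this patient's care team?


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into an AccessEvent."""
    timestamp, rest = line.split(" ", 1)
    kv = dict(token.split("=", 1) for token in rest.split())
    return AccessEvent(
        timestamp=timestamp,
        user=kv["user"],
        role=kv["role"],
        patient_id=kv["patient"],
        fields=set(kv["fields"].split(",")),
        treating=kv["treating"] == "yes",
    )


def parse_log(text):
    """Parse all non-blank lines of an audit log."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review_access(events):
    """Return a list of findings, one dict per policy deviation.

    kind == "excess_fields": fields read beyond the role's minimum necessary.
    kind == "no_treatment_relationship": a clinical role read a patient
    record without being on that patient's care team.
    """
    findings = []
    for e in events:
        allowed = MINIMUM_NECESSARY.get(e.role, set())
        excess = e.fields - allowed
        if excess:
            findings.append({
                "kind": "excess_fields", "user": e.user,
                "patient": e.patient_id, "fields": sorted(excess),
                "timestamp": e.timestamp,
            })
        if e.role in CLINICAL_ROLES and not e.treating:
            findings.append({
                "kind": "no_treatment_relationship", "user": e.user,
                "patient": e.patient_id, "fields": sorted(e.fields),
                "timestamp": e.timestamp,
            })
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['user']} {f['patient']} "
              f"{f['kind']}: {','.join(f['fields'])}")
```

Run stand-alone, the script reports the billing user who read a diagnosis and the nurse who opened a record for a patient outside their care team; in practice the findings would feed a review queue rather than be treated as proof of a violation, since a legitimate reason (a covering shift, a referral) may exist.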
9) Improper Disposal of PHI
According to the HIPAA Security Rule, six years is the minimum time a medical practice is required to hold on to a patient’s medical records “after their creation”. After this period has elapsed, the practice has the option to retain these records or dispose of them.
Because PHI includes any form of patient information in a digital or physical format, practices must use proper data elimination methodologies on all networked devices, as well as destroy physical documents (i.e. using a shredding service).
However, these are just federally-mandated minimums. Many states have their own requirements for how long patient data must be kept, often extending well beyond 6 years and varying depending on which type of practice you operate.
For a complete list of state-based regulations regarding how long PHI must be kept before being disposed of, click here.
10) Accessing PHI from Unsecured Locations
Any time a clinician accesses PHI from a location or network outside the practice’s own (i.e., at home, or on a smartphone), that individual risks exposing the data, especially if the network can be compromised through malware.
Therefore, the best-practice to avoid this type of HIPAA violation is to have dedicated laptops/desktop computers that are kept in-house. And for employees that work remotely, those networks must be secured as well.
The Solution for Potential HIPAA Violations
Now that you’re aware of the common examples of HIPAA violations and the significant penalties for HIPAA violations, you may feel overwhelmed with all of the responsibilities and constant training required to meet strict guidelines. That’s where PCIHIPAA can help.
Trusted by 1,000’s of medical practices nationwide, PCIHIPAA offers a comprehensive HIPAA compliance platform called OfficeSafe. Covering network security, training modules, cybersecurity assessments, and more, OfficeSafe enables your medical practice to focus on what it does best: providing the best care for your patients. Learn more about PCIHIPAA today!