HIPAA Violation Examples

In 2017, Memorial Healthcare Systems was fined a then-record $5.5 million for HIPAA violations. This broke the existing HIPAA violation record set by Cignet Health of Maryland, who had been penalized $4.3 million in 2010. Why are these HIPAA violation fines so important, and is there a problem that truly needs to be solved? According to Wikipedia, nearly 174 million people’s information has been improperly accessed, via error or breach, since the original passage of HIPAA.

The

, known more generally as HIPAA, is a US law that is intended to provide privacy standards to protect patient information from unapproved access. HIPAA was originally created to allow for the modernization of medical record-keeping, while maintaining the security of patient Personally Identifiable Information, PII. While the intentions behind HIPAA were entirely positive, the impact of the regulations that flow out of it have had profound impacts on the healthcare industry—and on the lives of patients, who frequently find themselves signing voluminous HIPAA agreements each time they visit a healthcare provider.

While the HIPAA violation examples cited above represent the most substantial penalties levied to date, the jeopardy in which healthcare-related organizations find themselves if their processes and procedures are not fully compliant is significant. The law defines two classes of violation, which can be reasonably summarized as those that stem from carelessness, and those that stem from unlawful intent. More specifically, violations can result in either civil or criminal penalties. 

1. Individuals who violate the law through ignorance

2. Violations that occur due to reasonable cause rather than willful neglect

3. Violations due to willful neglect, but which are corrected within a defined timeframe

4. Violations that are due to willful neglect

The implications of even a civil penalty can be substantial, ranging from $100 per violation in the first example (with an annual maximum of $25,000) to $50,000 per violation (with an annual maximum of $1 million) for the last example. By contrast, there are three classes of HIPAA violation that can result in criminal jeopardy.

1. Covered entities and specified individuals who knowingly either obtain or provide HIPAA-covered PII

2. Obtaining HIPAA-covered PII under false pretenses

3. Obtaining HIPAA-covered PII with an intent to sell, transfer, or use that information for commercial advantage, personal gain, or malicious harm

Criminal penalties can be extremely harsh, ranging from fines of $50,000 to $250,000, and jail sentences of one to ten years.

The ten most common examples of HIPAA violations include

1. Individuals accessing information to which they do not have access rights. 

2. Failing to execute organization-wide risk analyses

3. Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level

4. Making business associate agreements that are not, themselves, HIPAA compliant

5. Insufficient access controls to stored data, known as electronically protected health information(ePhi)

6. Failure to implement encryption, or a valid substitute, to protect ePhi

7. Failing to provide notification of data breaches within 60 days of its occurrence

8. Impermissible disclosures of any protected health information

9. Failure to dispose of protected health information properly

10. Denying patients access to their own protected health information, including exceeding the HIPAA-defined time limits for doing so

Each of these circumstances can have and will come to light and result in a civil and criminal action, and hefty penalties. For example, Dr. Huping Zhou, then of the UCLA Health System, was found to have improperly accessed the protected health information of celebrities and other patients, resulting in his being the first individual sent to prison for a HIPAA violation (a four-month sentence), and the UCLA Health System sustaining a fine of $865,000.

Other notable HIPAA violation examples include:

• Cardionet was fined $2.5 million for failing to design and implement an adequate risk management system, and running an incomplete risk analysis
• Psychotherapist

found himself in breach when he forwarded unpaid bills to a collection agency, unwittingly sharing codes that could reveal patient diagnoses

A nurse in a New York clinic faced civil jeopardy when she revealed a patient’s STD diagnosis to the man’s girlfriend—who was also the nurse’s sister-in-law

In 2016,  an orthopedic clinic ran afoul of HIPAA by contracting with a service to convert their past X-Rays to digital files so they could harvest the silver from the old physical copies—but failed to obtain a proper Business Associate Agreement

The University of Iowa was forced to terminate a student health care employee who inadvertently revealed a patient’s pregnancy while chatting with a colleague

And of course, 13 employees at a Los Angeles health provider were fired for sneaking a peek at Britney Spears’ medical records

While most HIPAA violations are defined in unsurprisingly technical terms, there is a range of easily-understandable ways to avoid them. One way to avoid violations is to carefully review the administrative, physical, and technical safeguards outlined in the

. Our top tips for avoiding HIPAA violations are:

1. Keep records secured, applying the principle of least permission, ensuring every user is strictly limited to only the information they must be able to access

2. Encrypt all data, at all times, including on portable devices such as hard drive and thumb drives

3. Keep all antivirus software up to date and install the latest updates to all routers and other networking devices to protect against hacking

4. Ensure all connected devices, such as laptops, iPads and mobile phones have strong passwords to protect against unauthorized accessed when devices are lost or stolen

5. Implement a comprehensive training program for all employees to avoid violations driven by ignorance

6. Implement strong HR policies against gossiping to protect against inadvertently protected healthcare information revelations

7. Provide clear processes around the disciplinary risks employees take when violating HIPAA

8. Contract, using an approved Business Associate Agreement, with a reputable service to destroy records

9. Update HR policies to ensure employees who provide information to unauthorized individuals are subject to swift dismissal

10. Educate all staff members on who would constitute appropriate individuals to whom protected healthcare information can be revealed, including specific instructions on the familial relationships that do or do not confer access right

Most importantly, ensure that any and all new or updated IT technology, software, and programs are carefully vetted for their adherence to HIPAA regulations. The Texas Health and Human Services Commission (formerly Department of Aging and Disability Services, or DADS) was fined $1.6 million in 2019 for a HIPAA violation when they migrated an internal application from a private secure server to a public one, resulting in a breakdown in access controls and making it possible for anyone to read any of the stored records. To avoid such a scenario, ensure that vendors provide documented evidence of HIPAA compliance.

The final sticky issue is instant messaging. Based on the complex restrictions of the law, communicating protected healthcare information across normal public SMS or messaging platforms (such as iMessage, or Facebook Messenger) is almost guaranteed to result in a HIPAA violation. The safest approach is to either purchase a pre-built, authorized solution or to build an internally-maintained one that is regularly reviewed for regulatory compliance.

As time goes by, the volume of HIPAA violation examples continues to grow, as do the sizes of the penalties imposed. To avoid becoming a cautionary tale, organizations managing protected healthcare information must dedicate substantial and regular time and effort to ensuring their total compliance.