Keeping up with HIPAA regulations is crucial for every business. While common violations of HIPAA laws vary from one company to another, the bottom line is that these violations relate to the loss or damage of HIPAA-protected health information. Protected health information includes any demographic data used to identify patients, such as names, home addresses, phone numbers, date of birth, email addresses, social security numbers, insurance IDs, facial photos, and other health care records.
Even though these violations can occur at several touchpoints, the American Medical Association report found that the common violators of these regulations are hospitals, private health practices, pharmacies, outpatient centers, and health plans.
What is HIPAA Violation?
HIPAA violations describe acts against the Health Insurance Portability and Accountability Act, passed in 1996. The HIPAA act is landmark legislation used to guide healthcare administration, prevent wastage, healthcare fraud, and employee compliance.
Since its adoption, there have been multiple notable updates that ensure that healthcare data and patient privacy is protected. Recent updates include the HIPAA Security Rule, HIPAA privacy rule, HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule.
Along with the updates, there are more than a hundred ways that healthcare providers and other data handlers can violate HIPAA regulations. Therefore, it is essential for everyone who can access Protected Health Information to undergo rigorous HIPAA training to avoid committing these violations.
3 Common HIPAA Violations
- Snooping on Healthcare Records
Snooping on family, friends, co-workers, and other peoples’ health records is a common HIPAA violation committed by most employees. In addition, accessing patients’ health records for reasons that differ from those permitted by the Privacy Rule Treatment violates patient privacy.
If discovered, this violation can lead to termination of employment contract and criminal charges. In addition, Healthcare organizations can also face financial penalties for failing to prevent this violation.
- Loss of Devices
Loss/stolen or failing to encrypt company devices is another common HIPAA violation. A good example is a 2016 case where an iPhone with a significant amount of protected health information was stolen, including SSNs and medications. To worsen the situation, the phone had no password and wasn’t encrypted.
While the case was settled and the company tried to fix the situation, this didn’t prevent patient information from being misused. Therefore, while preventing theft of company devices is impossible, you can avoid information leaks by encrypting stored data.
- Failing to Train Employees
All organizations should ensure that their staff is updated on HIPAA regulations. Unfortunately, most practices overlook or ignore training their employees on various ways of achieving HIPAA compliance. Companies should remember that employee HIPAA training isn’t a recommendation but a requirement of HIPAA laws.
How HIPAA Violations are Uncovered
HIPAA-covered organizations identify most HIPAA violations after conducting internal audits. In most cases, employers identify and report employees who have breached HIPAA provisions. Conscious employees who realize that they have violated these regulations can also self-report. Patients and health plan members can also file complaints.
Formal complaints of HIPAA violations are made to the civil rights HHS office, the primary enforcer of these regulations. The OCR then launches an investigation into these reports with over 500 records. The agency also conducts regular audits on all HIPAA-covered organizations and businesses. State attorneys can also launch investigations after formal complaints of HIPAA violations have been made.
HIPAA Violation Penalties
While this might appear as a simple matter, HIPAA violation penalties can sometimes be severe. Individuals can also be fined for these violations apart from healthcare providers, clinics, and health plans. That said, penalties for HIPAA violations are of two types. They include;
Civil penalties are given to individuals who violate HIPAA regulations without malicious intent. This usually occurs if the violation is due to forgetfulness or the individual is unaware that their actions were wrong. The penalties are as follows;
- If the person was unaware that their actions violated HIPAA provisions, they are fined $100 for every violation.
- If the person has a reasonable explanation for their actions and didn’t willingly violate the regulations, they attract a minimum fine of $1,000.
- If the person acted with intentional neglect and fixed the violation afterward, they are fined no less than $10,000 for every violation.
- If the person acted intentionally and didn’t fix the issue after, they are fined no less than $50,000 for every issue.
While these penalties for civil violators seem severe, they worsen if the violator knew what they were doing or had malicious intent.
Criminal penalties are harsher compared to civil violations. They include;
- A minimum fine of $50,000 and up to a one-year jail term for individuals who deliberately acquire and discloses protected information without permission.
- Individuals can also be fined for these violations $100,000 and up to 5 years jail term for individuals who commit HIPAA violations under pretense.
- A $250,000 fine and ten years jail term for individuals who commit HIPAA violations for personal benefits.
Understanding various HIPAA violations is just the beginning. To avoid these violations, you should know how to abide by HIPAA laws. As such, every business should have a strategy for maintaining HIPAA compliance.