Most Common Examples of HIPAA Violations, Breaches and Mistakes
Learn the most common examples of HIPAA violations, breaches & mistakes, as these can result in substantial financial penalties!
About HIPAA Violations
HIPAA violations often result in substantial financial penalties and are due to an organization's failure to:
- Perform a firm-wide risk analysis with the goal of identifying security risks related to protected health information (PHI)
- Execute HIPAA-compliant Business Associate Agreements (BAA)
- Allow through mistake or oversight unauthorized disclosures of PHI
- Delay of notifications to patients and others affected of breaches
- Safeguard PHI
The Department of Health and Human Services' Office for Civil Rights (OCR) imposes significant financial penalties for violations of HIPAA. HIPAA violation cases are pursued by the OCR to spread awareness to the health care community of the HIPAA Rules. HIPAA violation fines imposed can easily exceed tens of thousands or even millions, so it is important to understand examples of HIPAA violations and examples of unintentional HIPAA violations.
HIPAA violations or often not discovered from months or even years. It is therefore important for healthcare organizations to perform regular compliance reviews to make sure that any weaknesses are quickly mitigated, and any HIPAA violations are properly reported. It is better that a healthcare organization can find its own potential HIPAA violations before they are identified by state or federal regulators. If a regulator is investigating a PHI breach and it determines that there was no HIPAA violation, it is common that they find other violations resulting in a financial penalty. There are several factors used to determine the financial penalty; how long the violation(s) persisted, the number of violations and the financial position of the health care organization or the business associate.
HIPAA violations are reported typically in the following manner:
- The state attorney general may perform investigations into data breaches
- Patients or others may complain
- HIPAA compliance audits performed by state regulatory bodies
Examples of HIPAA Violations by Employers
Failure to Perform a Risk Analysis
One of the most common HIPAA violations is the failure to perform a risk analysis. Organizations should perform a risk analysis on an ongoing basis to help determine if there are any vulnerabilities in their systems. They should make that PHI confidentiality and integrity are always a top priority. The existence of risks will leave healthcare organization vulnerable to hackers and financial penalties.
Some examples:
- Premera Blue Cross– $6,850,000
- Excellus Health Plan – $5,100,000
- Oregon Health & Science University– $2.7 million
- Cardionet – $2.5 million
- Cancer Care Group – $750,000
- Lahey Hospital and Medical Center – $850,000
- Steven A. Porter, M.D – $100,000
Failure to Take Action on Security Risks
A healthcare organization may identify security risks and not immediately act. Security risks must be mitigated in a reasonable period and there should be full documentation of what steps were taken.
Some examples:
- Alaska Department of health and Social Services – $1.7 million
- University of Massachusetts Amherst (UMass) – $650,000
- Metro Community Provider Network – $400,000
- Anchorage Community Mental Health Services – $150,000
Using Non-Encrypted Lost or Stolen Laptop, Cell Phone or USB Device
Encryption is not actually required by HIPAA regulations. However, if it is not used then alternative security measures must be taken. The most common HIPAA violations occur when non-encrypted devices are lost or stolen resulting in a PHI breach. In 2016, an iPhone was lost with PHI and it did not have a password or any encryption enabled. The healthcare organization was fined $650,000 since over 400 people were involved and it happened at Catholic Health Care Services of Philadelphia. Many states have passed laws requiring encryption for PHI. If a security breach occurs, but the key to decrypt data is not stolen then the incident is not reportable.
Portable devices should never be left in cars. It is also an excellent security practice to provide employees with dedicated mobile devices for their jobs, so they do not use their personal devices for work.
Some examples:
- Children's Medical Center of Dallas – $3.2 million
- Catholic Health Care Services of the Archdiocese of Philadelphia– $650,000
- Lifespan Health System Affiliated Covered Entity – $1,040,000
Not Executing a HIPAA-Compliant Business Associate Agreement (BAA)
If a healthcare organization and one of their business associates do not execute a BAA, that is a violation of HIPAA. The reason for a BAA is to make sure that anybody working with PHI is aware of all the requirements of HIPAA. To be HIPAA compliant a BAA a needs to be drafted in accordance with the omnibus final rule.
Some examples:
- Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000
- North Memorial Health Care of Minnesota – $1.55 million
- Care New England Health System– $400,000
No or Limited Employee Training
Proper ongoing training is the key to minimizing HIPAA breaches. The culture of the healthcare and hospital organizations and their senior leadership teams must be completely focused on and diligent about protecting PHI. HIPAA breaches often result because people forget or get lax about the privacy and security processes and policies already mandated by the organization. Technology is also rapidly evolving with new applications and complexity. With new technology and a working from home (WFH) environment are combined it's critical that employees and contractors are enrolled in continuous training to make sure that they understand how to use the new technology and the risks.
Database Breaches
Data breaches cost healthcare firms approximately $9.3 billion in 2019. Unfortunately, they are a fact of life even with a lot of cyber security defenses. Health care organizations are targeted because the data is highly value to criminals. Data breaches always create the negative publicity and will hurt the reputation of any healthcare organization. It is very important to keep antivirus and malware software up to date and active on all devices and servers. Specialized hardware-based firewalls and intrusion detection are also helpful to avoid database breaches. Hospitals and health care organizations should also undertake periodic penetration and intrusion detection exercises on their infrastructure. A well thought out plan should also include hiring an outside 3rd party organization to try to hack into the systems. This is called "white hat" hacking which is distinguished from "black hat" hacking which is malicious. This type of "good" hacking is done with the knowledge and full consent of the healthcare organization for their benefit.
Right of Patients to Access Healthcare Information
The rights of patients to access their healthcare information and obtain copies at a reasonable cost are fundamental to HIPAA rules. This is an important right so that patients can share their information with other healthcare providers as well as correcting errors. If an organization fails to address a patient request for information in less than 30 days this may be a HIPAA violation.
Some examples:
- Cignet Health of Prince George's County – $4,300,000
- Banner Health – $200,000
- Dignity Health, dba St. Joseph's Hospital and Medical Center – $160,000
- NY Spine – $100,000
- Beth Israel Lahey Health Behavioral Services – $70,000
Inadequate Control Surrounding Access to PHI
After risk assessments are performed access controls must be put in place and constantly monitored to make sure that PHI is safe. The HIPAA violation has the most severe financial consequences.
Some examples:
- Anthem Inc. – $16,000,000
- Memorial Healthcare System – $5,500,000
- Texas Department of Aging and Disability Services – $1,600,000
- University of California Los Angeles Health System – $865,500
- Pagosa Springs Medical Center – $111,400
Not Meeting the Two-Month Deadline for Breach Notifications
If there is a HIPAA breach a covered entity must issue a breach notification in less than 60 days.
Some examples:
- Presence Health – $475,000
- CoPilot Provider Support Services Inc. – $130,000
Examples of Unintentional HIPAA violations
Accidentally Sharing PHI with the Public
Conversations between clinical co-workers about patient diagnosis, treatment, and medications should never occur in public spaces so they cannot be overheard. It may not seem important discussing medicine around non-medical people in a public place like the hospital cafeteria. However, this kind of PHI breach can result in significant financial consequences for hospitals and healthcare organizations.
Healthcare organizations can also inadvertently disclose PHI through circumstances other than a data breach. For example, a healthcare organization may disclose PHI to a patient's employer, or a patient may be filmed or photographed without their consent. PHI in the form of paper records can also accidentally be disclosed by taking it offsite and then accidentally getting lost or stolen. Healthcare organizations should be especially sensitive to this possibility in today's work from home environment (WFH). Also, emailing PHI information to the wrong person or using personal email accounts that are not encrypted can result in HIPAA compliance breach.
Some examples:
- Memorial Hermann Health System – $2.4 million
- New York Presbyterian Hospital – $2,200,000
- Massachusetts General Hospital– $515,000
- Luke's-Roosevelt Hospital Center – $387,000
- Brigham and Women's Hospital– $384,000
- Boston Medical Center – $100,000
Incorrect Disposition of PHI
Patients can become more vulnerable to their healthcare information being exposed to the public if the disposal of PHI is not properly executed by healthcare workers. PHI should be carefully disposed of by shredding of records and destroying hard drives by industry accepted practices.
Some examples:
- Parkview Health – $800,000
- Cornell Prescription Pharmacy – $125,000
- FileFax Inc. – $100,000
Unsecured Records
Any documents or files with PHI need to be kept in a secure location. Paper files should always be locked in file cabinets and never left unattended. Electronic PHI needs to be secured with strong passwords and encryption. Also, two factor authentication (2FA) to access the servers and networks are also critical. Only just a username and a strong password are not secure enough to thwart today's sophisticated hackers. Employees should also be trained to never share login credentials since their coworkers may not have the same access rights. If an employee handling PHI steps away from their desk, then they should lock their workstation. Specialized screen covers should also be used so that information is only viewable to the person sitting in front of the workstation.
Antivirus and antimalware on devices with PHI should be kept updated via automatic processes to assure that devices are always secure. Specialized hardware-based firewalls will add additional security. There is no substitute for strong passwords that are frequently changed and two-factor authentication (2FA) to thwart hackers.
Employee Dishonesty
HIPAA violations can occur if employees or contractors access PHI that they are not authorized to access. Training should emphasize that accessing PHI just for "curiosity" is still nevertheless a breach, and the intent does not matter as the fine will be the same. "I was just curious" is one of the most common reasons employees give when they violate HIPAA rules. People are curious about their families, friends, coworkers, and celebrities. When these violations are discovered, they may involve criminal charges. One health system in Los Angeles was fined $865,000 for failing to protect access to medical records. An employee, Dr. Huping Zhou, was found out to be accessing unauthorized patient records 323 times and for this violation he was sentenced to four months in federal prison.
Unauthorized Release of PHI
Sometimes members of the media can try to use social hacking such as pretending they are a family member to get information about public figures and celebrities. Also, this kind of violation can happen when PHI is released to family members who are not authorized. In addition to clinical care and billing professionals, only parents and children, and those with power of attorney or allowed access to a person's PHI.
When it comes to discussing PHI the principal of "need to know" should be used to decide who should be in the communication loop. Healthcare organizations should implement access privileges with the Minimum Necessary Standards principle. Typically, the people involved should be only the patient, the doctors and others providing care and handling medical billing.
It is an excellent compliance best practice to make sure that disclosure authorization forms are signed and maintained in files. The authorization form should specify what type of information is authorized for release and the expiry date of the authorization. The authorization form could also include classes of individuals, the types of PHI, and the reasons for disclosure. Every authorization should have an expiration date otherwise it is not considered a HIPAA compliant. Care should also be taken to make sure that new authorization forms are signed if needed after an expiration date. Health care workers must also verify the identity of any individual or entity to whom they are providing PHI.
Examples of HIPAA Violations by Nurses
As the most trusted clinical professionals, properly trained nurses is an important part of a HIPAA compliance program. Nurses are responsible for maintaining information security of both paper and electronic PHI. This is a very challenging role since they are the front-line of patient care and very busy and multitasking. Some of the typical ways that nurses create HIPAA violations are:
- Disclosing PHI through speaking in public areas like the cafeteria or in the hallway.
- Viewing PHI for patients not under their care.
- Disposing of PHI in paper or electronic form without using standard approved practices.
- Not protecting PHI from the curious eyes of others around them. Nurses should always be sure that others are not able to view their workstation screens and paper documents.
- Using social media to share work related information.
