Paubox blog: HIPAA compliant email made easy

The complete guide to HIPAA violations

Written by Kirsten Peremore | March 20, 2025

A Healthcare (Basel) study titled Healthcare Data Breaches: Insights and Implications notes, “As reported by many practitioners, from 2005 to 2019, the total number of individuals affected by healthcare data breaches was 249.09 million… In the year 2018, the number of data breaches reported was 2216 from 65 countries. Out of these, the healthcare industry faced 536 breaches.”

The Health Insurance Portability and Accountability Act (HIPAA) sets out the rules and regulations surrounding access to and disclosure of protected health information (PHI). HIPAA violations can result in costly fines and lost business. In this post we’ll cover everything you need to know to navigate HIPAA violations, from what counts as a violation to managing violations once they occur.


What is a HIPAA violation?

According to Juan Morado, a healthcare regulatory and policy attorney at Benesch, Friedlander, Coplan & Aronoff, LLP, "HIPAA is the tool the government uses to try and protect some of your personal health care information. It's a rule that prevents hospitals, health insurance companies, pharmacies, and health care companies from sharing certain protected health information (PHI) you provide them with anyone else without your permission."

At its simplest, a HIPAA violation occurs when a covered entity fails to maintain appropriate safeguards to prevent the intentional or unintentional use or disclosure of PHI in a way that contradicts the purpose of HIPAA described above.

HIPAA violations can occur in many ways, whether or not the individuals and companies involved realize they are committing one. Because HIPAA requires physical, administrative, and technical safeguards for PHI, many steps are necessary to maintain compliance and avoid a violation.

Willful neglect is the most serious category of violation, but even an accidental HIPAA breach will often result in a fine. With more healthcare providers and their business associates (who are also obligated to uphold HIPAA rules) transmitting PHI and providing access to it electronically, avoiding a violation has become more complex in recent years.

To avoid penalties, your company needs to understand what a violation is, how it can occur, and what to do if you find yourself in contravention of HIPAA’s rules.


What are the penalties for HIPAA violations?

The penalties for a HIPAA violation can be severe. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights can enforce both civil and criminal penalties. State Attorneys General can also impose fines of up to $127 per violation, with an annual cap of $25,000 for violations affecting residents of their states. The inflation-adjusted penalties reflect changes mandated by federal law and may continue to increase annually.


Civil penalties

Civil penalties under HIPAA are financial fines that the HHS can impose on healthcare providers and other covered entities when they violate HIPAA rules regarding the privacy and security of PHI. A study published in Innovations in Clinical Neuroscience notes, “The enactment of the HITECH Act resulted in increased civil penalties for HIPAA violations based on the level of willful neglect and whether the offense was corrected within the allowed 30 d (19). In the past, a covered entity with reasonable lack of knowledge of a violation could claim affirmative defense; however, unawareness is no longer a viable defense under the HITECH Act.”

These penalties vary in amount depending on the level of negligence, ranging from unintentional violations to those resulting from willful neglect, and are meant to encourage compliance and protect patient privacy.

The four civil penalty tiers are:

1. The individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA:

  • Minimum penalty: $127 per violation
  • Maximum penalty: $63,973 per violation
  • Annual maximum: $1,919,173 for repeat violations

2. HIPAA violation due to reasonable cause and not due to willful neglect:

  • Minimum penalty: $1,280 per violation
  • Maximum penalty: $63,973 per violation
  • Annual maximum: $1,919,173 for repeat violations

3. HIPAA violation due to willful neglect but corrected within the required time period:

  • Minimum penalty: $12,794 per violation
  • Maximum penalty: $63,973 per violation
  • Annual maximum: $1,919,173 for repeat violations

4. HIPAA violation due to willful neglect and not corrected:

  • Minimum and maximum penalty: $63,973 per violation
  • Annual maximum: $1,919,173 for repeat violations


Criminal penalties

Criminal penalties are legal punishments, including potential jail time and significantly higher fines, imposed when individuals knowingly violate HIPAA, often with malicious intent, such as obtaining PHI under false pretenses or for personal gain. This differs from civil penalties, which are mainly financial fines issued for violations of varying degrees of negligence, irrespective of malicious intent.

Criminal penalties are divided into three tiers:

  • Reasonable cause or no knowledge of violation: Up to one year and/or up to $100,000
  • Obtaining PHI under false pretenses: Up to five years and/or up to $250,000
  • Obtaining PHI for personal gain or malicious intent: Up to ten years and/or up to $500,000

Common HIPAA violations

Even though there are many ways for HIPAA violations to occur, the most common violations come from:

Lost or stolen devices

Part of protecting PHI involves employee education. Everyone in your workforce needs to understand when and how data can be accessed. If data needs to remain on-site, make that very clear.

Often, HIPAA violations come about when an employee brings unencrypted patient information home for after-hours work.

But even if a device is stolen, the covered entity may still be held liable for a HIPAA violation, as Beth Israel Deaconess Medical Center found out. In May 2012, Beth Israel Deaconess Medical Center violated HIPAA after an unencrypted personal laptop sitting unattended on a desk in the hospital was stolen. The hospital also failed to notify patients about the breach until August of that year.

In 2014, the hospital was ordered to pay a $100,000 fine. Attorney General Martha Coakley said, “The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure. To prevent breaches like this from happening, hospitals must put in place and enforce reasonable technological and physical security measures.”

The Boston hospital could have mitigated its liability if it had encrypted the stolen laptop so that the data remained protected.

In 2021, CardioNet reached a settlement with the OCR for $2.5 million after an employee's laptop containing over 1,300 patients' medical records was stolen from a parked car. The investigation found insufficient risk analysis and risk management processes, as well as a lack of encryption and physical protection policies for mobile devices.


Unsecured records

Recently, Advocate Health Care Network in Illinois agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan after multiple potential violations of HIPAA.

Among the violations listed was the failure to reasonably safeguard an unencrypted laptop left in an unlocked vehicle overnight. The increased risk alone that the laptop could be stolen and PHI compromised was enough to warrant the judgment.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said Office for Civil Rights director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”


Unauthorized disclosure

Proper employee training also extends beyond securing equipment and data. Staff should be made aware of the potential risk in disclosing PHI improperly. This is especially a danger when the patient is in the public eye and reporters are trying to gain access to information. Social media usage must also be accompanied by clear boundaries.

Recently, at Holy Redeemer Family Medicine, a patient's full medical records, including sensitive reproductive health information, were disclosed to a prospective employer without proper authorization. The patient had only authorized the disclosure of a single test result. The OCR determined this was a violation of the HIPAA Privacy Rule. The case was settled for $35,581.

Train employees to follow the procedures you have set out, and ensure that your business associates are doing the same. Every company you use to store or transfer PHI needs to maintain the same HIPAA compliance as you.

Whether it is your email provider, your web host, or a cloud backup service, they must be in a position to implement and maintain the security rules required by HIPAA. But that doesn’t mean you should refuse to disclose information electronically. Patients are allowed to access their health information.

If a request comes in, you must provide electronic copies of medical records on demand. Be aware of all the ways a breach can occur, and safeguard against violations with clear, enforced policies.


What to do in the event of a HIPAA violation or breach

Even the best security practices can’t prevent violations from occurring 100% of the time.

If a violation or breach does occur, take immediate action, even if you only suspect that you may be in breach of HIPAA. Your organization should immediately conduct a risk assessment to determine what PHI was involved, its nature, and the extent of the privacy breach. Investigate to whom the PHI was disclosed and whether it was acquired or viewed, or at risk of being acquired or viewed.

This assessment will also tell you whether and how any risk to the information has already been mitigated. For example, sending information to an unauthorized healthcare provider is far different from having a backup file compromised by a hacker. Depending on the result of your risk assessment, you may be required by law to notify HHS and all affected individuals. In that case, you would have to inform the patient of:

  • the breach and when it occurred
  • the details of the PHI involved
  • what they can do to protect themselves from harm (safeguarding against identity theft, for instance)
  • the steps you’ve taken to deal with the breach
  • contact information for the organization

How you inform the HHS is different depending on the extent of the breach. If the violation affects fewer than 500 patients, you can log the incidents and provide notice of all breaches that took place in a calendar year, within 60 days of the year’s end.

When it affects more than 500 people, however, the situation is more complex and HHS must be notified immediately. A mistake that is often made when a HIPAA violation occurs is that the covered entity fails to notify HHS and affected individuals in time.

HHS requires extensive documentation within ten days of a data breach, with at least 15 elements relating to the covered entity’s internal investigation, physical safeguards, policies and procedures, risk assessment, and breach notification.


Conclusion

Clearly, the risks of a HIPAA violation occurring in your organization, and the penalties attached, can’t be ignored. Protect your organization, your staff, and your patients or clients by implementing strong, easily understood policies that keep everyone in line with HIPAA’s rules.

Contact us today to learn how Paubox can reduce the risk of HIPAA violations for your organization by securing your email.

Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What constitutes "snooping" under HIPAA, and how can healthcare providers prevent it?

Snooping involves accessing patient records without a legitimate medical reason.


How should healthcare providers handle unauthorized disclosures of PHI via email or fax?

Unauthorized disclosures via email or fax are considered HIPAA violations.


What are the consequences for healthcare providers if they fail to terminate access rights for former employees?

Failing to terminate access rights for former employees can lead to unauthorized access to PHI, resulting in HIPAA violations. Healthcare providers must ensure that access rights are promptly terminated upon employee departure to avoid such breaches.


Can patients sue healthcare providers for HIPAA violations?

While patients cannot directly sue under HIPAA, they can file complaints with the OCR.


How do healthcare providers handle data breaches that may not involve HIPAA violations?

Even if a data breach does not involve a HIPAA violation, healthcare providers must still conduct a risk assessment and notify affected individuals if PHI was compromised.