8 common HIPAA violations (with examples)

Written by Angela Stringfellow | Apr 16, 2024 4:20:02 PM

Organizations operating in the U.S. healthcare sector must maintain HIPAA compliance to protect the privacy and security of protected health information (PHI) and electronic protected health information (ePHI).

Companies that violate HIPAA guidelines can be subject to considerable financial penalties and reputation damage. Violations are typically discovered following a data breach involving ePHI or through complaints made against an organization by its patients.

The safeguards defined by the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule must all be implemented to maintain compliance. Neglecting to enforce the administrative, technical, and physical safeguards outlined in the rules is typically the underlying cause of these violations.

This article reviews eight of the most common HIPAA violations companies need to avoid. We will use ePHI in our examples, concentrating on the measures companies need to take to protect sensitive information in their IT environments.

Lack of an organizational risk assessment

Failing to perform regular risk assessments throughout the organization is one of the most common HIPAA violations that result in monetary fines. The purpose of these focused risk assessments is to identify any vulnerabilities that may impact the security, confidentiality, and availability of ePHI. 

The lack of risk assessments allows these vulnerabilities to persist and potentially lead to a data breach.

Organizations should conduct an annual risk assessment that addresses these HIPAA requirements:

  • Identifying the systems that store, transmit, or process ePHI
  • Identifying any vulnerabilities that may lead to data breaches affecting ePHI
  • Assessing and documenting all identified threats and any measures put in place to mitigate them
  • Assigning risk levels to all vulnerabilities discovered during the assessment

Large financial penalties have been imposed on healthcare companies that fail to perform risk assessments. For example, in 2016, Advocate Healthcare, an Illinois healthcare network, was fined $5.6 million for failing to conduct a risk assessment that accounted for physical and administrative safeguards.

Companies must be prepared to address and manage the vulnerabilities identified during risk assessments and take demonstrable and documented actions to correct threats to ePHI. The failure to promptly address known vulnerabilities raises the stakes for violators and can result in some of the highest financial penalties levied for HIPAA violations.

Missing HIPAA-compliant business associate agreements

Companies working with third-party IT vendors need to enter into a HIPAA-compliant business associate agreement (BAA). Failing to secure a BAA is a common HIPAA violation, and organizations should therefore work with certified vendors who will sign a BAA that defines:

  • The type of ePHI the vendor can process
  • The methods used to ensure the data is protected according to HIPAA guidelines
  • How the vendor will address a data breach affecting ePHI

Companies should not engage vendors unwilling to sign a BAA, as the consequences can be costly. In 2013, Raleigh Orthopaedic in North Carolina was fined $750,000 as a result of sharing the confidential information of over 17,000 patients with a potential business partner without first establishing a business associate agreement.

Improper disposal of medical records and PHI

Improper disposal of medical records and PHI is a common HIPAA violation that can lead to unauthorized access and disclosure of sensitive patient information. Covered entities and business associates are required to securely and permanently destroy physical and electronic PHI when it is no longer needed and retention periods have expired.

In 2020, Wakefern Food Corp and two associated ShopRite supermarkets reached a settlement with the New Jersey Division of Consumer Affairs and NJ Attorney General to resolve violations of HIPAA and the NJ Consumer Fraud Act for improper records disposal.

The two associated ShopRite locations had "failed to properly dispose of electronic devices used to collect signatures and purchase information of more than 9,700 pharmacy customers," according to a report by Health IT Security. The settlement included $209,856.50 plus $25,143.50 for attorneys' fees and investigative costs.

Healthcare organizations should have proper policies and procedures in place to ensure the secure disposal of medical records and PHI. For physical records, such as paper documents, shredding is one option to make them unrecognizable when disposed of.

For digital records, companies can use methods like disintegration, pulverization, melting, or incineration to ensure that no recoverable copy of the data remains.

Not providing patient access to health information

Healthcare organizations are required to provide patients with timely access to medical records, and failure to furnish access to patient records or overcharging for copies is a violation that can incur financial penalties.

Additionally, access to patient data and any copies are required to be made available within 30 days of the request. Wait too long, and you could be on the receiving end of a fine. In early 2023, Life Hope Labs was fined $16,500 after a deceased patient’s family waited six months for their loved one’s medical records.

Companies must have procedures in place to address patient requests. The procedures must be secure and ensure that only the designated patient or other authorized persons can access the information.

Insufficient ePHI access controls

The HIPAA Security Rule mandates that organizations take the necessary measures to protect ePHI from unauthorized access. Violations discovered after a data breach often involve insufficient access controls that put health information at risk.

Failure to prevent unauthorized access to ePHI is a common HIPAA violation, and companies must take multiple steps to avoid this type of violation.

  • Requests for access to ePHI must be verified and authenticated.
  • Access to ePHI must be restricted to authorized users.
  • Organizations must implement secure communication techniques to protect data transmission.
  • Data must be encrypted at rest and in transit to ensure its security.

The key takeaway here is that a patient’s medical records should never be accessed by or provided to anyone who lacks the proper authorization. For example, there have been a number of instances where the medical records of celebrities have been accessed and then made public by personnel at medical facilities. 

In one such case, the UCLA Health System in California was fined $865,000 after staff inappropriately accessed the medical records of a number of celebrities and public figures, including Britney Spears and Maria Shriver, who was the state’s First Lady at the time. 

Failing to meet the 60-day breach notification deadline

Security breaches must be reported within a 60-day deadline. Notification must be made to any covered entities, including individuals whose data was affected and the U.S. Department of Health and Human Services (HHS). Failure to meet this deadline results in a violation of the Breach Notification Rule with associated financial penalties.

This is a common violation that can be avoided by making timely notification when a data breach occurs. Delaying the process will result in greater fines due to the additional violation.

Presence Health of Illinois was fined $475,000 in 2017 for failing to report one such breach within 60 days. In this case, the organization became aware of the loss of documents detailing the confidential medical records of 836 patients on October 22, 2013, but failed to report it until January 31, 2014, a delay of more than three months.

Inadequate safeguards to protect ePHI

The HIPAA Security Rule is designed to protect ePHI in an IT environment, and failing to implement adequate safeguards to secure ePHI is a common violation of HIPAA guidelines.

The following are some examples of inadequate safeguards that can lead to violations:

  • Failure to encrypt ePHI at rest and in transit throughout the environment
  • The disposal of media containing ePHI without taking the measures to securely destroy the data
  • Insufficient physical security measures to protect sensitive data from theft

Data loss protection plays a critical role in any organization, but this is especially true within the health industry, where potentially crippling fines are enforced in response to violations.

In 2013, Banner Health of Arizona found itself with a $1.25 million settlement and a two-year corrective action plan. This was in response to a hacking incident seven years earlier that resulted in the health information of nearly three million people being exposed.

The theft or loss of devices (work or personal devices) containing patient health information also poses a significant risk for exposing ePHI. Mobile devices, such as smartphones and tablets, are particularly vulnerable to theft and misplacement due to their smaller size and portability.

Device theft is often the result of poor physical security and a lack of device policies within healthcare institutions. To mitigate this risk, institutions should provide employee training on proper device handling and storage policies, ensure physical device security, implement device encryption, and use device tracking software.

Lack of HIPAA-certified employee training

Employee training on HIPAA regulations and compliance is not just a recommendation, but a requirement under HIPAA. All staff members who come in contact with PHI must be thoroughly trained on HIPAA requirements, as well as on the specific policies and procedures set forth by the organization.

For instance, Athens Orthopedic Clinic PA in Georgia experienced a hacking incident in 2016. The actors successfully exfiltrated data and attempted to extort the organization. When Athens Orthopedic declined to pay the demanded sum, the actors leaked the ePHI of 208,557 patients online.

Among other violations, such as a failure to conduct a risk analysis and implement effective risk management procedures, the HHS Office for Civil Rights (OCR) found that employees had not been provided with adequate training on the HIPAA Privacy Rule. Athens Orthopedic settled with OCR for $1,500,000.

By providing comprehensive training, organizations can ensure that employees understand their responsibilities in safeguarding PHI and are aware of the potential consequences of HIPAA violations.

Training should cover topics such as the importance of patient privacy, the proper handling and disposal of PHI, and the use of secure communication channels. Regular refresher training sessions should also be conducted to keep employees up to date with any changes in HIPAA regulations.

Solutions like the Reveal Platform by Next can help to keep employees informed about their role in protecting ePHI by providing incident-based training. When an employee attempts an action that could put ePHI at risk, Reveal automatically reminds the user of the relevant policy and recommends safe alternatives for handling the data.

How data loss prevention helps with HIPAA compliance

Data loss prevention (DLP) software can be instrumental in promoting HIPAA compliance and avoiding expensive violations. A DLP platform specifically addresses violations stemming from insufficient access controls or inadequate protective safeguards.

Enforcing a data handling policy that protects HIPAA-regulated data ensures sensitive patient information is not misused or accessed by unauthorized individuals.

The Reveal Platform by Next leverages next-gen agents that employ machine learning at the point of risk to enforce the data handling policy and keep sensitive data secure. Attempts to use data in unauthorized or risky ways are restricted, and the user is presented with an informative message describing their mistake. 

Reveal helps your organization maintain HIPAA compliance and protect ePHI.

Schedule a demo with the DLP experts at Next to discover the benefits Reveal provides for HIPAA compliance.

Frequently asked questions

What kinds of physical safeguards are necessary to protect ePHI?

The types of physical safeguards required to protect ePHI include:

  • Restricting unauthorized physical access to servers containing ePHI
  • Requiring keycard access to locations containing ePHI
  • Installing security cameras to monitor systems processing ePHI
  • Removing all ePHI from hardware before it is destroyed or reused
  • Enforcing strong password standards on all devices containing ePHI

Who performs a HIPAA risk assessment?

Companies can perform HIPAA risk assessments using in-house teams or qualified and certified third-party assessors. Large organizations often have internal audit and assessment teams that can fulfill this role, while smaller organizations may benefit from engaging outside help to ensure compliance. 

In both cases, it is critical to document any vulnerabilities identified and the measures taken to address them.

Why do the results of HIPAA risk assessments need to be addressed promptly?

The results of HIPAA risk assessments need to be addressed promptly to protect patient data and avoid additional fines for violations. Ignoring the results of an assessment is considered “willful neglect” and typically results in larger financial penalties than if the issues are mitigated. Companies are expected to fix any vulnerabilities related to ePHI as soon as they are identified.