HIPAA violations have become more serious over recent years. Financial costs often reach the millions, and headlines damage reputation to an almost immeasurable degree. And let’s not forget the prison sentences handed out to individuals found culpable of severe breaches of trust. With the Office for Civil Rights (OCR) again promising to ramp up HIPAA enforcement with a fresh round of audits in 2016, we take you through a deep dive into HIPAA violations.

A History of HIPAA Violations

On February 22nd 2011, the OCR announced Cignet had failed to provide copies of patient records when they were requested by patients, and then opted not to cooperate with the OCR’s investigation. One of the requirements under the HIPAA privacy rule is that covered entities (e.g. doctors’ offices, hospitals, etc.) must provide patients with a copy of their medical records within 60 days of a patient request. It also requires covered entities and business associates to cooperate with federal investigations. Cignet’s total penalty was $4.3 million.

Just two days later, Massachusetts General Hospital was penalized for the loss of 192 billing records for HIV/AIDS patients. Those records included insurance details and sensitive diagnostic information. The loss occurred when an employee accidentally left the records on the subway during the daily commute. The hospital agreed to pay $1 million to settle its violations of the HIPAA Privacy Rule.

In its analysis of these enforcements, Mondaq discusses the increased penalties and enforcement since the HITECH Act passed in 2009:

In February of 2009, Congress passed the HITECH Act to amend HIPAA, dramatically increasing the monetary penalties, which now range from a minimum of $100 to $50,000 per day of violation, with an annual cap of $1.5 million for the same violation in any one year. HITECH also requires HHS to engage in compliance audits and gives states’ Attorneys General the right to enforce HIPAA as well. With these two recent enforcements, the message is clear that failure to comply with HIPAA’s Privacy and Security Rules and failure to cooperate with an OCR investigation can have severe consequences, particularly now that the penalties have been increased.

Since then, HIPAA violations have only increased in number and severity, with the potential fallout from cybersecurity risks growing dramatically.

HIPAA Violations in the News

There has been no shortage of HIPAA violations and data breaches in the headlines, each one seemingly more serious than the last.

Some of the top news stories include:

Although concern about HIPAA compliance was previously limited largely to people working directly within specific health care departments and government entities, a general increase in public awareness of, and concern over, the privacy and security of personal information has led to HIPAA violation news stories receiving more mainstream media coverage.

In 2015, ProPublica launched a searchable database of HIPAA violations called “HIPAA Helper” designed to let the public research whether their health care provider had ever been found guilty of lax information privacy and security practices.

Staying within the boundaries of HIPAA policy is your company’s legal responsibility, but many of those in violation are unaware of what they’ve done. Could you be in violation without knowing it?

The sobering news is that you won’t get a free pass for not knowing the rules. They are clearly outlined and presented for all to see.

If your previous strategy was to hope you don’t get caught and play the victim card if you do, it’s time to shift your approach.

Investing time, energy and finances into understanding and preventing HIPAA violations is critical to the future of your organization, not to mention patient privacy and safety.

Are You At Risk?

3 Most Common Examples of HIPAA Violations

In order to abide by the stringent rules of HIPAA, you need to be aware of three of the most common violations. Here they are:

  1. Lack of Encryption

Data encryption and password protection are incredibly important when it comes to protecting your organization from HIPAA violations. While it isn’t technically required by HIPAA, encryption is an excellent form of liability protection. Even if devices or files are stolen, they’re essentially useless and indecipherable in the wrong hands.

If you want an example of why encryption is important, just consider what happened to Concentra Health Services in April 2014. After a computer was stolen from one of their facilities, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigated the incident and learned that the device was unencrypted.

Subsequently, OCR investigated the organization’s other devices and found insufficient encryption throughout the company. Concentra Health Services was ultimately fined $1.7 million. In a similar and more recent case, Lahey Clinic Hospital, Inc. was fined $850,000 over a stolen, unencrypted laptop that potentially compromised the patient health information of 599 individuals.

  2. Employee Access

Whether it is malicious or innocent, snooping or theft, unauthorized or inappropriate employee access to sensitive information is a major issue. This includes everything from an individual accessing health records that they aren’t allowed to see to selling patient health information for profit.

It’s imperative that organizations have adequate and enforced policies and procedures in place that prevent employees from being able to access information they don’t need.

One of the more famous examples of employee dishonesty is the 2012 case in which the owner of Long Island Medical Supply was found guilty of repeated HIPAA violations and fraud. She was ultimately sentenced to 12 years in prison and fined $1.3 million.

  3. Unsecured Records

HIPAA requires organizations to secure both paper and electronic documents and records. This means locking filing cabinets, turning on alarms after hours, requiring passwords for system logins, and more. While there is some subjectivity in what your business considers “secure,” the fact of the matter is that you can be fined for not securing records.

A good example of this occurred in 2014 when Parkview Health Systems, Inc. was fined $800,000 for leaving more than 70 boxes with thousands of patient records on a physician’s porch. The porch was located just feet from a public shopping mall. While most organizations aren’t going to literally leave documents outside, the point is made loud and clear.

5 Ways to Prevent HIPAA Violations

HIPAA compliance requires an effort from every person within an organization. Even a single weak link can lead to a violation and/or breach. As a leader in your organization, it’s imperative that you establish the correct preventative measures and understand best practices for avoiding costly violations. Keep the following suggestions in mind:

  1. Conduct a Risk Analysis

Conducting a risk analysis is not just good business practice; it is mandatory under the HIPAA regulations. It is the only way to identify weaknesses, implement solutions, and truly understand where your organization stands in terms of privacy and security. Failing to conduct a formal risk analysis is a HIPAA violation in itself.

  2. Implement Stringent Policies and Procedures

People will break rules, but you’re less likely to have problems when regulations and requirements are clearly and visibly laid out for all to see. For example, you may think it’s common knowledge that only certain people should be allowed in the server room. However, unless you make it a rule that only IT employees are permitted to access the server room, you’ll inevitably encounter a situation where someone else does. Without written rules, you can’t reasonably discipline these violations.

  3. Invest in Ongoing Training

One of the keys to preventing future HIPAA violations is to invest in ongoing training and employee education. While some violations do occur due to malicious intent, the truth is that most happen as a result of negligence or a lack of knowledge. By keeping employees informed, you will see fewer careless errors and violations.

Check out our Education Center for a range of resources to help you and your staff better understand HIPAA compliance.

  4. Give Access to the Minimum Personnel

Think twice before granting any employee access to patient health information. Always ask yourself, “Does this individual really need access to this information?” If the answer is no, then don’t allow it. You can always let an employee see information under supervision of an authority figure, but total access should only be granted in necessary situations.

  5. Always Log Off Computers

One of the laziest mistakes people make is not logging off computers and devices after accessing patient health information. This is a serious violation, because it allows the information to be seen and used by others who shouldn’t have access to it.

While employees should be strongly encouraged to log off immediately after using a device, it’s also wise to invest in IT systems that automatically log users off after a predetermined period of inactivity.

Worried About HIPAA Violations?

At Clearwater Compliance, we understand the importance of remaining HIPAA compliant.

We can supply you with the right resources, strategies, and tools to help you safeguard sensitive information in accordance with HIPAA regulations. We’ve worked with more than 500 different organizations, saved them millions of dollars in fines, and completely changed the way information risk management is viewed by small and large organizations alike. For additional information regarding our services and how you can avoid HIPAA violations, please contact us today!

Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.