A HIPAA violation is any failure to comply with the HIPAA rules and standards, and the consequences of violating this law can be quite serious, with ramifications for your reputation among other things.
It’s in your best interest to avoid them, but how do you do that?
What would likely help, to start, would be an understanding of what exactly a HIPAA violation is. As providers of HIPAA compliance services, we’ve completed over 100 of these attestations for clients in just the last 12 months.
Given that experience, we know what’s on the line for organizations and how to achieve the best-case scenario. In this article, we’ll define a HIPAA violation and the penalties for such. We’ll also provide a brief list of the most common violations and how you can avoid falling victim.
While there are many particulars that you should eventually grasp, this information will provide a solid overview of what you need to know regarding HIPAA violations.
What is a HIPAA Violation?
So, again—a HIPAA violation is any failure to comply with HIPAA, but why do those rules and standards matter? Because failings can lead to non-compliant disclosures or breaches of protected health information (PHI) that compromise the privacy and security of health and medical information.
HIPAA violations are specific—you may suffer a data breach, but that’s not a violation in and of itself (though the breach may reveal violations). The attack must directly affect PHI to qualify.
What are the 3 Types of HIPAA Violations?
Though violations vary widely in their specifics, they fall into three broad categories.

| Type | Description |
| --- | --- |
| Administrative | The least serious of the three categories, administrative violations are typically unintentional and not malicious and usually occur due to a lack of proper policies and procedures, or training of personnel. Examples include: |
| Civil | More serious than administrative violations, civil violations may be intentional or unintentional, but they do involve some degree of negligence or recklessness and can result in fines ranging from $100 to $50,000 per violation. An example includes knowingly disclosing PHI without authorization. |
| Criminal | The most severe violations, criminal violations are intentional, involve a willful disregard for HIPAA regulations, and can result in fines and imprisonment. For example, using PHI to commit identity theft or fraud. |
Who Enforces HIPAA?
These different categories of HIPAA violations also have different governing bodies:
- If a potential administrative violation is suspected, the Centers for Medicare and Medicaid Services (CMS) investigates.
- If a potential civil HIPAA violation is suspected, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigates.
- And if the Office for Civil Rights investigates a case that may also have criminal motives, they'll refer it to the Department of Justice to pursue.
What are the Penalties for a HIPAA Violation?
Though any consequences suffered for violating HIPAA will be dependent on the aforementioned type of violation and the graded severity, the penalties range from significant fines to criminal charges and imprisonment.
In 2009, the HITECH Act gave state Attorneys General the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules. Through these officials, residents can obtain damages when their PHI is exposed in a data breach.
Attorneys General can also issue fines for HIPAA violations of up to $25,000—that’s in addition to those civil actions against the covered entity or business associate and HIPAA violation penalties imposed by the OCR.
Who Can be Fined?
HIPAA, and any violations of the HIPAA Rules, apply to covered entities and business associates:
- Covered entities: Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI.
- Business associates: Organizations with whom a covered entity shares PHI to help carry out its healthcare activities and functions.
Since the publication of the Final Omnibus Rule in 2013, business associates of HIPAA-covered entities have had the same requirements as covered entities to comply with HIPAA and can be directly fined for violations of HIPAA Rules.
And that’s just the fines—the Department of Justice (DOJ) concluded that criminal penalties for violating HIPAA are also directly applicable to covered entities and business associates. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.
Examples of Common HIPAA Violations
Obviously, the government takes the protection of this type of data very seriously, and if your organization handles it, you should as well. Here’s a list of common violations that can lead to those severe penalties:
- Failure to perform an organization-wide risk analysis
- Failure to enter into a HIPAA-compliant business associate agreement
- Wrongful disclosures of PHI
- Delayed breach notifications
- Failure to safeguard PHI
- Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level.
- Insufficient access controls
- Failure to implement encryption
How to Avoid HIPAA Compliance Violations
To avoid these and other HIPAA law violations within your organization, you must know how to obey the HIPAA rules. Organizations that handle PHI are required to comply with HIPAA, but again, how do you do that effectively?
You need a strategy in place to maintain compliance—let’s dive into five specifics of what that should look like.
1. Conduct Self-Audits, Identify Gaps, and Remediate.
To ensure that administrative, technical, and physical safeguards adequately protect PHI, HIPAA requires organizations to conduct annual self-audits. Undergoing these will help you identify risks and vulnerabilities to PHI while also exposing gaps in current safeguards.
To address these gaps, you are required to create remediation plans that bring your defenses up to HIPAA standards.
2. Document Policies and Procedures.
It’s also important to have specific, documented policies and procedures that demonstrate how your business operates and how it aligns with HIPAA regulatory standards. These policies and procedures should do the following:
- Dictate the proper use and disclosure of PHI;
- Detail how your organization safeguards PHI; and
- Explain what to do in the event of a PHI breach.
Documentation is a critical part of maintaining compliance, given HIPAA’s strict requirements here. You must document all efforts taken to become compliant and retain all such documentation, including policies and procedures, for six years. More than that, careful documentation will be essential in the event of an OCR investigation.
3. Train Your Personnel.
A substantial portion of breaches stem from human error, be it someone clicking on a phishing email, accessing PHI without cause, or sharing PHI with an unauthorized party.
That’s why one of your best defenses against violations is employee training, which should include:
- Cybersecurity best practices;
- Instructions on the basics of HIPAA; and
- An overview of your organization’s policies and procedures.
4. Sign Business Associate Agreements (BAAs)
BAAs are another key component of HIPAA compliance—they can also function to protect your organization against third-party breaches in general. All business associates and covered entities must record all vendors that they share PHI with, but it’s not enough just to record.
A BAA is a legal contract between a healthcare organization and its business associate vendor. It requires each signing party to be HIPAA compliant and to be responsible for maintaining its compliance.
- Have signed BAAs in place? Your liability is limited in the event of a third-party breach, as only the negligent party would be held responsible.
- No signed BAA? Not only are you at risk of fines due to non-compliance, but you will also be held liable for the breach itself.
5. Maintain Incident Detection and Response Procedures.
Part of being HIPAA compliant is monitoring PHI access to ensure that it is only being accessed by authorized parties and with cause. If you have security measures for that in place, you should also ensure that your personnel understand how to identify and quickly respond to breaches.
By being able to quickly react to an attack, you drastically reduce the scope, costs, and time it takes to recover from the incident.
HIPAA Violations FAQs
Can a healthcare provider be held liable for a HIPAA violation committed by an employee?
Healthcare providers can be held liable for HIPAA violations committed by their employees, especially if the organization fails to provide proper training or implement appropriate safeguards.
Are there any exceptions to the HIPAA Privacy Rule?
Yes, there are some exceptions to the HIPAA Privacy Rule, such as:
- When PHI is used for treatment, payment, or healthcare operations; or
- When PHI is disclosed for public health purposes.
Can a patient sue a healthcare provider for a HIPAA violation?
Yes, patients can sue healthcare providers for HIPAA violations that result in harm or damages—and these lawsuits would be separate from any penalties laid down by the HIPAA governing bodies.
Can business associates be held liable for HIPAA violations?
Yes, business associates can be held liable for HIPAA violations if they fail to comply with HIPAA regulations or breach their business associate agreement, though covered entities are also responsible for ensuring their third parties comply.
Next Steps in Maintaining Your HIPAA Compliance
Now that you understand how severe and broadly affecting the penalties for violating HIPAA are, it follows that healthcare organizations that comply with the rules are inherently more secure. Many components of HIPAA compliance involve assessing your security measures, ensuring that you implement effective safeguards to secure patient records, and providing employees with guidelines to keep PHI safe.
Do that, and you should successfully avoid the fallout of a violation—we’ve just given you 5 areas that will get you started on bolstering your security.
For more information on HIPAA and its related compliance attestation, check out our other content on the subject so that you’re as informed as possible when moving forward.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.