When you were a kid, if you broke a rule at home, you likely were sent to Time Out. At school, you got detention.
HIPAA violations are much more serious than either of those—the consequences for falling out of compliance can be quite severe, with ramifications on your reputation among other things.
It’s in your best interest to avoid them, but how to do that?
What would likely help, to start, would be an understanding of what exactly a HIPAA violation is. As providers of HIPAA compliance services, we’ve completed over 100 of these attestations for clients in just the last 12 months. Given that experience, we know what’s on the line for organizations and how to achieve the best-case scenario.
Now, we’re going to help you understand as well. In this article, we’ll define a HIPAA violation and the penalties for such. We’ll also provide a brief list of the most common violations and how you can avoid falling victim.
While there are many particulars that you should eventually grasp, this information will provide a solid overview of what you need to know regarding HIPAA violations.
What is a HIPAA Violation?
We promised a definition, so that’s where we’ll start: A HIPAA violation is a failure to comply with any of the HIPAA rules and standards.
Why do those rules and standards matter? Because failings can lead to non-compliant disclosures or breaches of protected health information (PHI) that compromise the privacy and security of health information.
HIPAA violations are specific—you may suffer a data breach, but that’s not a violation in and of itself (though the infringement may reveal them). The attack must directly affect PHI to qualify.
Furthermore, there are two types of HIPAA violations: civil and criminal. Both types break down into graded tiers to determine the penalties for violations, and we wrote in detail about the differences here.
What are the Penalties for a HIPAA Violation?
The enforcers of HIPAA—the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)—hand down specific consequences for violating HIPAA. Those will depend on the aforementioned type and graded severity. But you should also know this:
In 2009, the HITECH Act gave state Attorneys General the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules. Through these officials, residents can obtain damages when their PHI is exposed in a data breach.
Attorneys General can also issue fines for HIPAA violations of up to $25,000—that’s in addition to those civil actions against the covered entity or business associate and HIPAA violation penalties imposed by the OCR.
Who Can be Fined?
HIPAA, and any violations of the HIPAA Rules, apply to covered entities and business associates:
- Covered entities: Health plans, healthcare clearing houses, and healthcare providers who electronically transmit PHI.
- Business associates: Organizations with whom a covered entity shares PHI to help carry out its healthcare activities and functions.
Since the publication of the Final Omnibus Rule in 2013, business associates of HIPAA-covered entities have had the same requirements as covered entities to comply with HIPAA and can be directly fined for violations of HIPAA Rules.
And that’s just the fines—the Department of Justice (DOJ) concluded that criminal penalties for violating HIPAA are also directly applicable to covered entities and business associates. Directors, officers, and employees may be deemed to be criminally liable for violations of HIPAA Rules under the principle of corporate criminal liability, and if not directly liable, could be charged with aiding and abetting or conspiracy.
Most Common HIPAA Violations
Obviously, the government takes the protection of this type of data very seriously, and if your organization handles it, you should as well. Here’s a list of common violations that can lead to those severe penalties:
- Failure to perform an organization-wide risk analysis
- Failure to enter into a HIPAA-compliant business associate agreement
- Wrongful disclosures of PHI
- Delayed breach notifications
- Failure to safeguard PHI
- Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level.
- Insufficient access controls
- Failure to implement encryption
How to Avoid HIPAA Compliance Violations
To avoid these and other HIPAA violations within your organization, you must know how to obey the HIPAA rules. Organizations that handle PHI are required to comply with HIPAA, but again, how to do that effectively?
You need a strategy in place to maintain compliance—let’s dive into five specificities of what that should look like.
1. Conduct Self-Audits, Identify Gaps, and Remediate.
To ensure that administrative, technical, and physical safeguards adequately protect PHI, HIPAA requires organizations to conduct annual self-audits. Undergoing these will help you identify risks and vulnerabilities to PHI while also exposing gaps in current safeguards.
To address these gaps, you are required to create remediation plans that bring your defenses up to HIPAA standards.
2. Document Policies and Procedures.
It’s also important to have specific policies and procedures documented demonstrating how your business operates and corresponds to HIPAA regulatory standards. These policies and procedures should do the following:
- Dictate the proper use and disclosure of PHI;
- Detail how your organization safeguards PHI; and
- Explain what to do in the event of a PHI breach.
Documentation is a critical part of maintaining compliance, given HIPAA’s strict requirements here. You must document all efforts taken to become compliant and retain all such documentation, including policies and procedures, for six years. More than that, careful documentation will be essential in the event of an OCR investigation.
3. Train Your Personnel.
A substantial portion of breaches stem from human error, be it someone clicking on a phishing email, accessing PHI without cause, or sharing PHI with an unauthorized party.
That’s why one of your best defenses against violations is employee training, which should include:
- Cybersecurity best practices;
- Instructions on the basics of HIPAA; and
- An overview of your organization’s policies and procedures.
4. Sign Business Associate Agreements (BAAs)
BAAs are another key component of HIPAA compliance—they can also function to protect your organization against third-party breaches in general. All business associates and covered entities must record all vendors that they share PHI with, but it’s not enough just to record.
A BAA is a legal contract between a healthcare organization and its business associate vendor. They require each signing party to be HIPAA compliant and to be responsible for maintaining their compliance.
- Have signed BAAs in place? Your liability is limited in the event of a third-party breach, as only the negligent party would be held responsible.
- No signed BAA? Not only are you at risk of fines due to non-compliance, but you will also be held liable for the breach itself.
5. Maintain Incident Detection and Response Procedures.
Part of being HIPAA compliant is monitoring PHI access to ensure that it is only being accessed by authorized parties and with cause. If you have security measures for that in place, you should also ensure that your personnel understands how to identify and quickly respond to breaches.
By being able to quickly react to an attack, you drastically reduce the scope, costs, and time it takes to recover from the incident.
Next Steps in Maintaining Your HIPAA Compliance
Now that you understand how severe and broadly affecting the penalties for violating HIPAA are, it follows that healthcare organizations that comply with the rules are inherently more secure. Many components of HIPAA compliance involve assessing your security measures, ensuring that you implement effective safeguards to secure data, and providing employees with guidelines to keep PHI safe.
Do that, and you should successfully avoid the fallout of a violation—we’ve just given you 5 areas that will get you started on bolstering your security.
For more information on HIPAA and its related compliance attestation, check out our other content on the subject so that you’re as informed as possible when moving forward:
About Kellie Worley
Kellie Worley is a Senior Associate with Schellman. Prior to joining the firm, she was a HIPAA Compliance Consultant at Clearwater and served as AVP of Compliance and Privacy Officer for a hospital company with facilities across the U.S.. Having previously operated as Privacy Officer in other healthcare organizations, she has 20+ years experience in healthcare compliance .