The Health Insurance Portability and Accountability Act, widely referred to as HIPAA, became part of the United States’ legal system in 1996, and the rate of HIPAA violation lawsuits has accelerated over time. Since then, HIPAA has been updated, revised, and strengthened through the introduction of various amendments and related Acts. Violating HIPAA can lead to serious consequences, including hefty fines and civil lawsuits. Below, we examine some common HIPAA violations, the potential penalties organizations or individuals could face, and some lawsuits that have been brought against parties that have violated HIPAA.
Why Do We Need HIPAA?
HIPAA is an important piece of legislation and serves a number of purposes: it provided for the continuation of health insurance coverage for individuals who may be between jobs, as well as for their families; it introduced mandatory security and privacy requirements to protect patients’ data; it helped create standardized codes and identification numbers to streamline administration between healthcare entities; and it increased transparency by allowing patients to request copies of their own protected health information (PHI).
Any one of these reasons should be a good enough argument for why we need HIPAA. The fact that HIPAA and its related laws provide so many benefits for both patients and healthcare organizations as a complete package just increases its importance. Violating HIPAA can lead to medical errors, administrative confusion, time-wasting, and loss of trust.
Common HIPAA Violations
In no particular order, we will discuss the most common HIPAA violations that occur in healthcare organizations throughout the country.
The loss or theft of electronic devices containing or allowing access to PHI is a very common cause of HIPAA violations. If the device had unencrypted PHI stored on it, or there were insufficient access controls to prevent unauthorized individuals from accessing the data, this can be very serious. Due to the nature of electronic data and online storage services, a single lost or stolen device could potentially compromise the PHI of thousands or even hundreds of thousands of people.
Disposing of or deleting PHI can be challenging. Physical copies of PHI cannot be disposed of with regular waste, as this risks them being accessible to the public or unauthorized individuals. Physical PHI must be securely disposed of by shredding or burning so that any information is rendered indecipherable. Electronic PHI can be more difficult to dispose of. Deleting a single file from a disk, hard drive, or other storage device may still leave cached or other residual copies of the file. The recommended way is to wipe the entire disk magnetically or destroy it by incineration.
Unauthorized network access or hacking can be hard to stop if a determined group or individual decides to attack servers or IT infrastructure. On a more everyday level, the use of unsecured Wi-Fi networks or other wireless channels with weak protections, such as telephone SMS networks, means that any data being transmitted could be easily intercepted and stored by passive devices or by the servers of the telephone networks themselves, breaching the HIPAA Rules.
Despite training, policies, and respect for patients’ privacy, a common cause of HIPAA violations is staff accessing records they do not have legitimate reasons to view. While some of these may be accidental, it has been observed that many employees access the PHI of family members or friends simply out of curiosity. This should be heavily discouraged and sanctioned by employers.
In a similar vein, gossip by healthcare employees that includes sharing details of PHI with unauthorized individuals is a serious issue. PHI should not be a source of gossip, and any sharing of PHI should be done in compliance with the Minimum Necessary Rule – only the minimum amount of information needed to complete the task should be shared.
HIPAA Violation Penalties
While the benefits of HIPAA should be reason enough to ensure compliance, robust penalties are in place to act as the proverbial stick, should the carrot fail. HIPAA is enforced by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The OCR investigates HIPAA violations and may impose penalties. State attorneys general may also investigate and punish organizations or individuals following HIPAA violations. Serious violations may even be handled by the Department of Justice.
If the OCR confirms that a civil violation has occurred, it has a range of options. It can: get the violating entity to voluntarily comply with HIPAA’s Rules; instigate corrective action; or reach a resolution agreement. If the issue is not taken care of in a timely manner, generally 30 days, then the OCR can impose sanctions based on a scale of seriousness and the degree of perceived neglect on the part of the offender.
| Level of Neglect | Minimum Fine | Maximum Fine |
|---|---|---|
| Unknown | $100/violation, maximum $25,000/year for repeat violations | $50,000/violation, maximum $1,500,000/year |
| Reasonable Cause to Support Neglect | $1,000/violation, maximum $100,000/year for repeat violations | $50,000/violation, maximum $1,500,000/year |
| Willful Neglect but Issue Resolved Within Delay | $10,000/violation, maximum $250,000/year for repeat violations | $50,000/violation, maximum $1,500,000/year |
| Willful Neglect and Issue Not Resolved Within Delay | $50,000/violation, maximum $1,500,000/year for repeat violations | $50,000/violation, maximum $1,500,000/year |
As noted, serious and criminal violations are dealt with by the Department of Justice, which can levy fines as well as custodial sentences against offenders. The penalties are defined on a similar scale of volition and severity.
| Type of Infringement | Maximum Fine | Maximum Sentence |
|---|---|---|
| Knowingly obtaining or sharing PHI in violation of HIPAA | $50,000 | 1 year |
| Offenses Committed Under False Pretenses | $100,000 | 5 years |
| Offenses to use PHI for Commercial Advantage | $250,000 | 10 years |
Organizations should be aware that they may be liable for penalties under state law in certain cases. This should be researched and monitored, with staff trained accordingly.
In February 2018, Fresenius Medical Care North America agreed to pay the OCR a sum of $3,500,000 to settle violations of HIPAA’s Privacy and Security Rules. More specifically, the company did not meet HIPAA’s risk analysis and risk management requirements.
Another multi-million dollar settlement was agreed by 21st Century Oncology in December 2017. For failing to adequately protect over a million patients’ PHI, the company will have to pay $2,300,000.
Both companies also have to implement corrective action plans to ensure the violations do not occur again.