Insights - 6 min read
Jan 6, 2020

HIPAA Violation Examples

HIPAA violations can be financially expensive and devastating to a brand. Examine some examples of HIPAA violations, and learn about avoiding them in your own organization.

PubNub Staff@pubnub
HIPAA Violation Examples
IN THIS ARTICLE

    Subscribe to Our Newsletter

    Stay updated with the latest on web, mobile, and IoT, delivered weekly.
    Thanks for subscribing!

    Thanks for subscribing!

    Get ready for some great content.

    In 2017, Memorial Healthcare Systems was fined a then-record $5.5 million for HIPAA violations. This broke the existing HIPAA violation record set by Cignet Health of Maryland, who had been penalized $4.3 million in 2010. Why are these HIPAA violation fines so important, and is there a problem that truly needs to be solved? According to Wikipedia, nearly 174 million people’s information has been improperly accessed, via error or breach, since the original passage of HIPAA.

    The Health Insurance Portability and Accountability Act, known more generally as HIPAA , is a US law that is intended to provide privacy standards to protect patient information from unapproved access. HIPAA was originally created to allow for the modernization of medical record-keeping, while maintaining the security of patient Personally Identifiable Information, PII . While the intentions behind HIPAA were entirely positive, the impact of the regulations that flow out of it have had profound impacts on the healthcare industry - and on the lives of patients, who frequently find themselves signing voluminous HIPAA agreements each time they visit a healthcare provider.

    While the HIPAA violation examples cited above represent the most substantial penalties levied to date, the jeopardy in which healthcare-related organizations find themselves if their processes and procedures are not fully compliant is significant. The law defines two classes of violation, which can be reasonably summarized as those that stem from carelessness, and those that stem from unlawful intent. More specifically, violations can result in either civil or criminal penalties. 

    HIPAA violations that can result in civil charges include:

    1. Individuals who violate the law through ignorance

    2. Violations that occur due to reasonable cause rather than willful neglect

    3. Violations due to willful neglect, but which are corrected within a defined timeframe

    4. Violations that are due to willful neglect

    The implications of even a civil penalty can be substantial, ranging from $100 per violation in the first example (with an annual maximum of $25,000) to $50,000 per violation (with an annual maximum of $1 million) for the last example.

    By contrast, there are three classes of HIPAA violation that can result in criminal jeopardy:

    1. Covered entities and specified individuals who knowingly either obtain or provide HIPAA-covered PII

    2. Obtaining HIPAA-covered PII under false pretenses

    3. Obtaining HIPAA-covered PII with an intent to sell, transfer, or use that information for commercial advantage, personal gain, or malicious harm

    Criminal penalties can be extremely harsh, ranging from fines of $50,000 to $250,000, and jail sentences of one to ten years.

    The ten most common examples of HIPAA violations include

    1. Individuals accessing information to which they do not have access rights. 

    2. Failing to execute organization-wide risk analyses

    3. Failed or non-existent risk management processes, which can result in an actionable failure to manage security risks to a sufficient level

    4. Making business associate agreements that are not, themselves, HIPAA compliant

    5. Insufficient access controls to stored data, known as electronically protected health information(ePhi)

    6. Failure to implement encryption, or a valid substitute, to protect ePhi

    7. Failing to provide notification of data breaches within 60 days of its occurrence

    8. Impermissible disclosures of any protected health information

    9. Failure to dispose of protected health information properly

    10. Denying patients access to their own protected health information, including exceeding the HIPAA-defined time limits for doing so

    Each of these circumstances can have and will come to light and result in a civil and criminal action, and hefty penalties. For example, Dr Huping Zhou , then of the UCLA Health System, was found to have improperly accessed the protected health information of celebrities and other patients, resulting in his being the first individual sent to prison for a HIPAA violation (a four-month sentence), and the UCLA Health System sustaining a fine of $865,000.

    Other notable HIPAA violation examples include:

    • Cardionet was fined $2.5 million for failing to design and implement an adequate risk management system, and running an incomplete risk analysis

    • Psychotherapist

      Dr Barry Helfman found himself in breach when he forwarded unpaid bills to a collection agency, unwittingly sharing codes that could reveal patient diagnoses

    • A nurse in a New York clinic faced civil jeopardy when she revealed a patient’s STD diagnosis to the man’s girlfriend - who was also the nurse’s sister-in-law

    • In 2016,  an orthopedic clinic ran afoul of HIPAA by contracting with a service to convert their past X-Rays to digital files so they could harvest the silver from the old physical copies - but failed to obtain a proper Business Associate Agreement

    • The University of Iowa was forced to terminate a student health care employee who inadvertently revealed a patient’s pregnancy while chatting with a colleague

    • And of course, 13 employees at a Los Angeles health provider were fired for sneaking a peek at Britney Spears’ medical records

    While most HIPAA violations are defined in unsurprisingly technical terms, there is a range of easily-understandable ways to avoid them. The top tips for organizations seeking to ensure they do not themselves become a HIPAA violation example are

    1. Keep records secured, applying the principle of least permission, ensuring every user is strictly limited to only the information they must be able to access

    2. Encrypt all data, at all times, including on portable devices such as hard drive and thumb drives

    3. Keep all antivirus software up to date and install the latest updates to all routers and other networking devices to protect against hacking

    4. Ensure all connected devices, such as laptops, iPads and mobile phones have strong passwords to protect against unauthorized accessed when devices are lost or stolen

    5. Implement a comprehensive training program for all employees to avoid violations driven by ignorance

    6. Implement strong HR policies against gossiping to protect against inadvertently protected healthcare information revelations

    7. Provide clear processes around the disciplinary risks employees take when violating HIPAA

    8. Contract, using an approved Business Associate Agreement, with a reputable service to destroy records

    9. Update HR policies to ensure employees who provide information to unauthorized individuals are subject to swift dismissal

    10. Educate all staff members on who would constitute appropriate individuals to whom protected healthcare information can be revealed, including specific instructions on the familial relationships that do or do not confer access right

    Most importantly, ensure that any and all new or updated IT technology, software, and programs are carefully vetted for their adherence to HIPAA regulations. The Texas Health and Human Services Commission (formerly Department of Aging and Disability Services, or DADS) was fined $1.6 million in 2019 for a HIPAA violation when they migrated an internal application from a private secure server to a public one, resulting in a breakdown in access controls and making it possible for anyone to read any of the stored records. To avoid such a scenario, ensure that vendors provide documented evidence of HIPAA compliance.

    The final sticky issue is instant messaging. Based on the complex restrictions of the law, communicating protected healthcare information across normal public SMS or messaging platforms (such as iMessage, or Facebook Messenger) is almost guaranteed to result in a HIPAA violation. The safest approach is to either purchase a pre-built, authorized solution or to build an internally-maintained one that is regularly reviewed for regulatory compliance.

    As time goes by, the volume of HIPAA violation examples continues to grow, as do the sizes of the penalties imposed. To avoid becoming a cautionary tale, organizations managing protected healthcare information must dedicate substantial and regular time and effort to ensuring their total compliance.

    Resources
    Resources

    Building a HIPAA-compliant App

    Everything You Need to Know About Developing and Scaling a HIPAA-compliant App
    Download Now
    Building a HIPAA-compliant App

    Tags:

    More From PubNub