13 Most Common HIPAA Violations: Unmasked

According to Verizon’s Data Breach Investigations Report, employees caused 39% of healthcare breaches in 2021, compared with 18% in other industries. The Health Insurance Portability and Accountability Act (HIPAA) is a topic we go over quite regularly in this blog.

This standardized set of rules and regulations has been in force for more than 25 years now. You might think that the United States Department of Health and Human Services (HHS) doesn’t see too many violations anymore. Well, you would be wrong.

It’s all too common knowledge that HIPAA violations are still a problem, and these problems continue to build every year! In this blog, we will be going over some of the most common HIPAA violations as they relate to Protected Health Information (PHI).

What is HIPAA?

HIPAA sets the standard for both streamlining and protecting private health information across the United States. That means that whenever you go to the doctor, you know that your medical records and data are secure and known only to you and your provider. That is unless you authorize someone else to access them, but we will get into that here in a bit.

HIPAA aims to:

  • Protect patients by providing access to their health information, as well as control inappropriate use of it.

  • Improve overall healthcare standards for consumers, organizations, and professionals.

  • Improve healthcare delivery while protecting health information by creating a national template. These templates build on state laws, independent health systems, organizations and individuals.

  • Keep confidentiality, availability, and integrity of all electronic protected health information (ePHI) secure.

  • Detect and protect against data breaches.

  • Certify workforce compliance, and protect against inappropriate uses and disclosures of sensitive health information.

Every healthcare worker, covered entity, and business associate must protect this information. Failing to do so can result in a HIPAA violation, which may include the termination of an employee, a hefty fine, or even jail time.

What are the most common HIPAA violations?

We compiled 13 of the most common HIPAA violations so you don’t have to find out about them the hard way!

Unfortunately, many of these violations are the result of simple misunderstandings. Regardless, when misunderstandings go unchecked, they can cause significant harm to patients and employers alike. That is why you should include these violations in your yearly HIPAA compliance training.

Let’s go over them now.

#1 Healthcare Record Snooping

This first violation gives the impression of someone in spy gear hanging from a ceiling and rummaging through files… or is that just me? Anyway, snooping through protected health information doesn’t actually take that much effort and is more common than many of us would like to believe.

“Snooping” consists of accessing patient health records for purposes other than those accepted by the HIPAA Privacy Rule.

This includes looking through records of:

  • Family

  • Friends

  • Neighbors

  • Coworkers

  • Celebrities
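Snooping is hard to prevent with access controls alone, because the people who snoop usually have legitimate access to the records system; it is caught by reviewing audit logs. The following is an added example, not code from the original post: it runs a few simple snooping heuristics (no treatment relationship, shared surname, access to a flagged chart, emergency override) over a constructed audit log and a constructed care-team roster. Real EHRs expose audit events and care-team data in their own formats, so the field names here are assumptions.

```python
"""Flag suspicious chart access in an EHR audit log (added example).

Assumptions (constructed for this example): each audit event records which
staff user opened which patient chart, and a separate roster lists which
staff are on each patient's care team. Real systems differ in layout.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    user: str             # staff user id
    user_surname: str
    patient: str          # patient chart id
    patient_surname: str
    reason: str           # access reason code recorded by the EHR


# Constructed sample data: who is on each patient's care team.
CARE_TEAM = {
    "P100": {"nurse_kim", "dr_lee"},
    "P200": {"dr_lee"},
    "P300": {"nurse_kim"},
}
# Charts with extra monitoring (public figures, staff members, etc.).
VIP_PATIENTS = {"P300"}

# Constructed audit events.
AUDIT_LOG = [
    Access("nurse_kim", "Kim", "P100", "Garcia", "treatment"),
    Access("dr_lee", "Lee", "P200", "Lee", "treatment"),       # shares surname: possible relative
    Access("clerk_ann", "Ann", "P300", "Doe", "billing"),      # not on care team, flagged chart
    Access("clerk_ann", "Ann", "P100", "Garcia", "billing"),   # not on care team
    Access("nurse_kim", "Kim", "P200", "Lee", "break_glass"),  # emergency override, still reviewed
]


def find_snooping(log, care_team, vip):
    """Return (user, patient, reasons) for every access that needs review."""
    alerts = []
    for ev in log:
        reasons = []
        if ev.user not in care_team.get(ev.patient, set()):
            reasons.append("no treatment relationship")
        if ev.user_surname.lower() == ev.patient_surname.lower():
            reasons.append("shares surname with patient")
        if ev.patient in vip:
            reasons.append("flagged (VIP) chart")
        if ev.reason == "break_glass":
            reasons.append("emergency override used")
        if reasons:
            alerts.append((ev.user, ev.patient, reasons))
    return alerts


def users_to_review(alerts, threshold=2):
    """Users with at least `threshold` flagged accesses, for the privacy officer."""
    counts = Counter(user for user, _, _ in alerts)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = find_snooping(AUDIT_LOG, CARE_TEAM, VIP_PATIENTS)
    for user, patient, why in found:
        print(f"{user} -> {patient}: {', '.join(why)}")
    print("review:", users_to_review(found))
```

The heuristics deliberately over-flag: a billing clerk opening a chart may be entirely proper, and an emergency override may be justified. The point of the check is to produce a short, reviewable list for the privacy officer rather than to block access, which is why the example separates per-event alerts from the per-user summary.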

#2 Failure to Perform Risk Analysis

A HIPAA violation that regularly results in a financial penalty is the failure to perform risk analysis. It must be performed regularly because potential threats are always evolving.

If this is not done regularly, organizations will have a difficult time determining whether any vulnerabilities to the integrity and confidentiality of PHI exist. They may overlook threats that leave the door wide open for data breaches that are otherwise preventable.

#3 Failure to Apply a Risk Management Process

Performing a risk analysis is one thing, but what if you do this just to check a box for your compliance team and nothing more? Surely you’ve done your job and are doing everything in your power to avoid a violation, right? Hate to break it to you, but you’re still at risk.

Any risks identified must run through a risk management process. Not only this, but organizations must apply this process in a reasonable time frame to avoid HIPAA violations. Ignoring this important step means possible penalization.

#4 Inappropriate Disclosures of PHI

This might seem obvious but any disclosure of PHI which is not permitted under the HIPAA Privacy Rule is a direct violation. These slip-ups, whether intentional or not, often attract financial penalties.

This includes:

  • Any disclosures to a patient’s employer for a purpose not intended by the Privacy Rule.

  • Disclosures following theft or loss of data.

  • Careless handling of protected health information/disclosing information unnecessarily.

  • Leaving data unattended on a desk or open laptop.

#5 Denying Patients Access to Health Records

Patients have the right to access their medical records, such as diagnoses and test results, as well as obtain copies on request. Thanks to the HIPAA Privacy Rule, this is a well-known fact… but can be easily overlooked.

Employees may have the best intentions to send a patient’s information after receiving a request, but they may forget to do so on a particularly hectic day at the office.

Failing to provide records, overcharging for copies of records, or flat-out denying patients access to records will likely land you in very hot water. The HIPAA Privacy Rule requires the response time to be no more than 15 days from the date of the request.

#6 Releasing PHI to Unauthorized Individual(s)

When disclosing PHI to a third party, an authorization form must be present before sending. A patient must fill out this form to authorize the sharing of any information that is not permitted under the HIPAA Privacy Rule.

Examples of purposes for which disclosure is permitted without an authorization form include:

  • Necessary treatment.

  • Payment for healthcare services.

  • Necessary healthcare operations.

Healthcare employees must make sure that PHI is not disclosed to any individual who is not included in the authorization paperwork. Note that these forms are valid only if signed by the patient or a nominated representative.

#7 Disclosing PHI Beyond What the Authorization Permits

Similarly, employees must be cautious about the types of information released to third parties. This is true even when an authorization form is present. Any information shared that isn’t specifically outlined in the authorization form is a HIPAA violation.

When disclosing PHI or records that are not collected in person by the patient, any third party involved must hold an authorization from the patient. Employees must verify the identity of whoever is collecting these records and ensure that the authorized records are released only to this authorized individual.

#8 Exceeding Expiration Date for Providing Access

So you have the authorization form with every intention of sending the PHI to the approved individual or organization. Great! Just make sure to fulfill the request on time to avoid a HIPAA violation. As I mentioned earlier, employees are so often bogged down by their day-to-day responsibilities that an authorization request may go unnoticed. This is how disclosure of PHI after the authorization’s expiration date happens.

If a request is past the expiration date, an employee must complete a new authorization form.

These forms must include:

  • Names or classes of individuals authorized to receive Protected Health Information.

  • Types of Protected Health Information disclosed.

  • Reasons for disclosures.

  • The expiration date for the authorization.
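Sections #6, #7 and #8 describe one check from three angles: before records go out, the authorization must be complete and properly signed, the recipient must be named on it, the record types must be within its scope, and the disclosure date must be on or before its expiration. The following is an added example, not code from the original post or from any records system: it encodes that check against a constructed authorization record. The field names and the `signed_by` role values are assumptions for this example, not a real form layout.

```python
"""Check a disclosure request against a patient's authorization (added example).

The authorization dictionary and the signer role values are constructed for
this example; a real form will have its own layout.
"""
from datetime import date

# The four items the post lists for an authorization form, plus the signature.
REQUIRED_FIELDS = ("recipients", "record_types", "purpose", "expires", "signed_by")
VALID_SIGNERS = ("patient", "personal_representative")


def validate_authorization(auth):
    """Return the list of problems with the form itself (empty if usable)."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not auth.get(f)]
    signer = auth.get("signed_by")
    if signer and signer not in VALID_SIGNERS:
        problems.append("not signed by patient or personal representative")
    return problems


def check_disclosure(auth, recipient, record_types, on=None):
    """Return (allowed, reasons). Every reason must be cleared before release."""
    on = on or date.today()
    reasons = validate_authorization(auth)

    # #8: an expired authorization cannot be used; a new form is needed.
    expires = auth.get("expires")
    if expires and on > expires:
        reasons.append("authorization expired; a new form is required")

    # #6: only the individuals or classes named on the form may receive PHI.
    if recipient not in set(auth.get("recipients", ())):
        reasons.append(f"recipient {recipient!r} not named in authorization")

    # #7: only the record types the form lists may be released.
    extra = set(record_types) - set(auth.get("record_types", ()))
    if extra:
        reasons.append(f"records not covered by authorization: {sorted(extra)}")

    return (not reasons, reasons)


# Constructed sample authorization.
AUTH = {
    "patient": "P100",
    "recipients": ["Acme Life Insurance"],
    "record_types": ["lab_results", "immunizations"],
    "purpose": "insurance underwriting",
    "expires": date(2024, 6, 30),
    "signed_by": "patient",
}


if __name__ == "__main__":
    for req in [
        ("Acme Life Insurance", ["lab_results"], date(2024, 5, 1)),
        ("Acme Life Insurance", ["lab_results", "psychotherapy_notes"], date(2024, 5, 1)),
        ("Acme Life Insurance", ["lab_results"], date(2024, 7, 1)),
        ("Bob's Gym", ["immunizations"], date(2024, 5, 1)),
    ]:
        ok, why = check_disclosure(AUTH, *req[:2], on=req[2])
        print("RELEASE" if ok else "HOLD", req[:2], why)
```

Keeping the form check (`validate_authorization`) separate from the request check means a malformed form is reported even when nothing is being disclosed yet, which is the moment to send the patient a corrected form rather than on the day the records are due.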

#9 Failure to Enter a Business Associate Agreement

Failing to enter into a HIPAA-compliant Business Associate Agreement (BAA) with vendors that have access to PHI is another big HIPAA violation to look out for. Even when you have BAAs in place with all of your vendors, they might not necessarily be valid. Make sure that these agreements follow the Omnibus Final Rule.

Side note here, the HIPAA Omnibus Rule requires healthcare providers to:

  • Update their BAAs.

  • Attain assurances from business associates that they comply with the HIPAA Security Rule.

  • Update their Notice of Privacy Practices.

#10 Failure to Use Encryption to Safeguard PHI

Here is an easy way to avoid a data breach, and consequently a large fine: encrypt your PHI. If encrypted PHI is lost or stolen but the key needed to decrypt it is not also readily available to the attacker, the incident is not a reportable breach of PHI.

While encryption is not mandatory under HIPAA, you should not overlook it. If encryption is not an option, organizations must look into equivalent security measures to avoid leaked data.

#11 Exceeding Deadline for Issuing Breach Notifications

Just like there is a time frame that employees must follow when providing patients with their records, there is a timeline for issuing breach notifications.

The HIPAA Breach Notification Rule requires covered entities to alert the appropriate individuals and organizations following the discovery of a data breach. Organizations must do this no later than 60 days after uncovering the breach.

#12 Improper Disposal of Protected Health Information

Both physical PHI and electronic PHI (ePHI) are risks if left unattended. When these forms of data are no longer required, disposing of them properly and permanently is your number one priority.

For paper records, this might look like shredding. For ePHI you can securely wipe devices, degauss hard drives, or destroy electronic devices.

#13 Leaving Portable Electronic Devices and Paperwork Unattended

Last, but certainly not least, we have the risk of a lost or stolen device that holds sensitive health information. That’s right, misplacing your work computer can get you in deep trouble and earn you a HIPAA violation.

The risk doesn’t end with computers.

The device in question might be a tablet, phone, etc. No matter the device, if it holds patient information and has the possibility of landing in the wrong hands, it’s a problem.

How to Become HIPAA Compliant

Obviously, we all want to be HIPAA compliant. Imagine being the employee that costs your employer millions of dollars in (avoidable) fines.

Here are some fundamental elements that you can apply to your HIPAA compliance training program:

  • Develop policies and incorporate procedures so that the more tedious daily tasks comply with the Privacy Rule.

  • Invest in a compliance team.

  • Mandate annual training programs for your employees. Ideally, training sessions are interactive for better retention.

  • Ensure communication channels are open to report any violations or breaches.

  • Fairly enforce sanctions policies.

  • Respond quickly to violations and breaches by utilizing your risk management process.

Conclusion

Common HIPAA violations have the potential to harm the reputation and workflow of any organization, not to mention the damage to the privacy of the patients affected.

Healthcare employees should never let their guard down, as even the smallest mistakes can result in a fine or termination… or even jail time.

Making sure your staff consistently meets HIPAA compliance is a great way to be proactive in avoiding violations.