8 Real HIPAA Violation Examples and Their Consequences

What is a HIPAA violation? How does it happen? What are some HIPAA violation examples?

If these questions are running through your head, then you’ve come to the right place!

HIPAA stands for the Health Insurance Portability and Accountability Act. The federal government created this law to protect something called Protected Health Information, or PHI. 

PHI is any health information or personal information that, if leaked, could cause the patient problems.

Examples of PHI include…

  • Having an infection

  • Getting a cancer diagnosis

  • How many cavities you have

  • Which bone you broke or fractured

  • A surgical operation

Under the HIPAA umbrella are several laws like the Privacy Rule and Security Rule. These laws dictate how healthcare entities go about handling, protecting, disclosing, using, and securing PHI. In other words, healthcare workers aren’t allowed to talk about you or your medical situation without your consent.

A HIPAA violation occurs when the acquisition, access, use, or disclosure of PHI happens in a way that creates a significant personal risk to the patient. What this actually means varies from patient to patient, so HIPAA creates blanket policies to protect everyone. 

These regulations apply to anyone and everyone working with PHI.

This includes…

  • Health plans

  • Healthcare clearinghouses

  • Healthcare providers who transmit electronic claims

  • Medicare prescription drug card sponsors

  • Business associates

    • These are individuals or entities that perform any function that involves PHI

Now that you have a general understanding of HIPAA and PHI, it's important to understand the consequences of a HIPAA violation. Then, we can discuss HIPAA violation examples and how they happen in the real world.

Consequences of a Violation

The consequences of a HIPAA violation fall under two categories: civil and criminal. Yes, people have gone to prison for a HIPAA breach. 

Each type of violation has a different fine structure. Let me explain…

Civil Penalties

Civil HIPAA penalties involve fines without prison sentences. These happen if the person committing the violation did so without any malicious intent. In other words, the person responsible was either neglectful or unaware of their actions.

The penalties are as follows…

  • If someone wasn’t aware that they were committing a HIPAA violation, they face a $100 fine per violation.

  • If someone had “reasonable cause” for their actions and did not act with “willful neglect”, they face a minimum fine of $1,000.

  • If someone was willfully neglectful but then fixed the issue, they face a minimum fine of $10,000 per violation.

  • If someone was willfully neglectful and did not fix the problem, they face a minimum fine of $50,000 per violation.

Criminal Penalties

This is where things get dicey. Criminal HIPAA penalties can involve fines, imprisonment, or both as a result of actions taken with malicious intent. Because someone was maliciously breaking the law, the punishments are harsher.

The penalties are as follows…

  • If someone knowingly obtained and disclosed PHI, they can face a fine of up to $50,000 and/or jail time for up to 1 year.

  • If someone committed the violation under false pretenses, they can face a fine of up to $100,000 and/or jail time for up to 5 years.

  • If someone committed the violations for personal gain, they can face a fine of up to $250,000 and/or jail time of up to 10 years.

Real World Examples

Hacked/Phished

No matter what industry you work in, no one wants to fall for a phishing attempt. Especially if the phishing turns into a ransomware incident.

We hear about hacking all of the time. Although we never think it will happen to us, it’s a legitimate threat.

A study found that from July to October 2022, threats from phishing and malicious emails increased by 60%! The proportion of phishing attacks rose by 1.3 times, accounting for 76% of all attacks.

Scary right?

Many of these incidents relate to HIPAA breaches because the stolen information came from healthcare entities.

Let’s look at a real-world example…

Aveanna Health is a pediatric home care provider that suffered from a phishing attack in August 2019. On August 24, staff first discovered a few compromised employee email accounts. Based on their observations, Aveanna Health brought in a third-party forensics team.

The forensics team found that several accounts had been compromised between July 9 and August 24, but they couldn’t determine whether the attackers had viewed the data or exfiltrated it.

It took the team until December 19 of the same year to finish reviewing the compromised information.

The company revealed that the compromised data included…

  • Social security numbers

  • State IDs

  • Medical data

  • Health insurance details

  • Driver’s licenses

  • Financial/bank data

As you can see from the compromised data, this phishing attack led to a major HIPAA violation. The company disclosed in a press release that the hack affected about 5,000 people.

These types of incidents violate both the Privacy and Security Rules. Something about your computer systems wasn’t secure enough and an attacker got into your data. Not only that, but it exposed people's medical charts and files, information that falls under the Minimum Necessary Standard.

The best way to make sure this doesn’t happen to you is to keep your antivirus software up to date. Use encryption software, as discussed further below. It also helps if employees regularly change passwords on all important devices and implement two-factor authentication. Limiting access to devices and data based on employee role is also a good idea.

Unauthorized Sharing of Information

Sharing information pertains to the Minimum Necessary Standard of the HIPAA Privacy Rule. This part of the law states that an individual can only access or use PHI for appropriate business purposes. The law then stipulates that the access or use must be limited to the minimum amount necessary.

This means that if someone accesses or uses PHI for any reason other than their job, they violate the HIPAA Privacy rule. Depending on the intentions of the culprit, this could land them in the realm of HIPAA criminal penalties.

In the real world, something like this happened to Elite Dental Associates in Dallas, Texas. But the breach didn’t happen because an employee stole records and shared them with the media.

This was a breach of negligence.

You see, Elite Dental paid the Office for Civil Rights a $10,000 fine for violating the HIPAA Privacy Rule. A patient had filed a complaint with the OCR stating that the dental office responded to their social media review by disclosing the patient’s last name and details of their medical condition.

Upon investigation, the OCR determined that Elite impermissibly disclosed the PHI of multiple patients in response to reviews left on Yelp.

To make matters worse, Elite Dental didn’t have any policies or procedures put in place regarding PHI disclosures to ensure that their social media interactions were HIPAA compliant. They also didn’t have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.

Needless to say, arguing with a patient about their experience with your practice online for everyone to see isn’t a good idea. Especially if your argument involves the patient’s medical condition.

To make sure this doesn’t happen to you, make sure that all important information sharing happens behind closed doors and only with authorized personnel. After all, even casually sharing patient information with a family member when talking about your day can result in a HIPAA violation.

Unauthorized Access

I don’t know about you, but when I think about a HIPAA violation, I immediately think about snooping. Unauthorized access to medical data is a very common type of HIPAA violation.

It doesn't matter if the snooping happens because of innocent curiosity or if someone wants to leak celebrity health information for their personal gain. Any form of snooping involving PHI is illegal and is a violation.

How does it happen in real life?

Well, the California Pacific Medical Center in San Francisco had one such incident. A pharmacist employee had been inappropriately snooping on over 840 patients' medical data for an entire year. 

At first, it seemed like the employee only did this to 14 people. But after an “expanded investigation”, the hospital discovered that the number was much larger.

Due to this unauthorized access, the hospital terminated the employee for snooping on patient demographics, clinical diagnoses, prescription data, and clinical notes.

This breach violated both the HIPAA Privacy Rule and Security Rule. In terms of the Privacy Rule, the employee did not have permission to look at the records. Pretty straightforward.

When it comes to the Security Rule, several things might need to happen. The hospital might need two-factor authentication so that an employee can’t sign in as someone else. Physical safeguards such as locking computers when not in use are also good practice. Technical safeguards such as access permissions on files and records are also a good idea.
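Below is an added example, not code from the original post, of the kind of audit-log check that backs up the Privacy Rule question of whether a user had permission to open a record. It assumes a hypothetical log format of "timestamp,user,patient_id,action" and a constructed care-team roster, and flags both accesses to patients a user is not assigned to and unusually many distinct charts opened in a short window, the pattern behind the 840-patient case above.

```python
# Added example (hypothetical log format and constructed data, not a real EHR export).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2023-03-01T08:02:00,rx_smith,P1001,view_chart
2023-03-01T08:05:00,rx_smith,P1002,view_chart
2023-03-01T08:07:00,rx_smith,P1003,view_chart
2023-03-01T08:09:00,rx_smith,P1004,view_chart
2023-03-01T08:11:00,rx_smith,P1005,view_chart
2023-03-01T08:12:00,rx_smith,P1006,view_chart
2023-03-01T09:00:00,rn_jones,P1001,view_chart
2023-03-01T09:30:00,rn_jones,P1002,update_notes
2023-03-02T14:00:00,rn_jones,P2001,view_chart
"""

# Constructed roster: the patients each user is assigned to care for.
CARE_TEAM = {
    "rx_smith": {"P1001", "P1002"},
    "rn_jones": {"P1001", "P1002"},
}

def parse_log(text):
    """Parse log lines into (timestamp, user, patient_id, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events

def no_care_relationship(events, roster):
    """Accesses to patients the user is not assigned to (the Privacy Rule
    'did they have permission' question). Returns (user, patient, time)."""
    return [(u, p, ts) for ts, u, p, _ in events if p not in roster.get(u, set())]

def high_volume_users(events, window=timedelta(hours=1), max_distinct=4):
    """Users who open more than max_distinct distinct charts inside any
    sliding time window. Returns {user: largest distinct count seen}."""
    by_user = defaultdict(list)
    for ts, u, p, _ in events:
        by_user[u].append((ts, p))
    flagged = {}
    for u, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {p for ts, p in hits[i:] if ts - start <= window}
            if len(seen) > max_distinct:
                flagged[u] = max(flagged.get(u, 0), len(seen))
    return flagged
```

Both checks are starting points for review, not proof of wrongdoing; a pharmacist legitimately covering a ward can look like the first user, which is why the roster check and a human follow-up matter.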

Believe it or not, there’ve been a lot of documented instances of unauthorized access to PHI with celebrities. As bonus content, we’ve documented these instances in a separate blog post.

Loss/Theft of Devices

When a company loses a device that has access to PHI, it’s bad news. Who knows how many sensitive files are on the missing laptop?!

The problem with stolen technology in the healthcare space is it’s hard to tell what someone is going to do with the information stored on the device.

The loss or theft of devices falls under the HIPAA Security Rule. When it comes to the Security Rule’s physical safeguards section, several apply.

For example, facility access controls help to limit physical access to a healthcare entity’s information systems. This is typically done by limiting access to the physical facility itself through the use of locked doors and key cards.

Workstation security also applies because all workstations that access PHI should restrict access to authorized users. After all, a stolen computer is of no use if the thief cannot get into the device.

How does a company lose a computer? Especially a healthcare company that stores really important sensitive information?

Well, a company called Lifespan, one of Rhode Island’s largest hospital groups, had such an experience. Someone broke into an employee's car and stole several items. Included in the stolen possessions was a MacBook the employee used for work.

The employee immediately notified the company and the police of the theft since the computer stored PHI. As a precaution, Lifespan immediately changed the employee’s login credentials.

Later, the company discovered that the laptop wasn’t encrypted or password protected. It had emails that potentially contained…

  • Patients’ names

  • Medical record numbers

  • Partial addresses

  • Prescribed medications 

Luckily there were no medical records stored on the laptop. Despite this, Lifespan had to notify 20,000 patients about the breach.

As much as I would hate for this to happen to you, it's impossible to prevent the theft of your devices with 100% certainty. The best thing you can do to avoid PHI leakage is to encrypt the device as a means to safeguard data. This way, even if the device gets stolen, the thieves can’t access the PHI.

Improper Disposal of PHI

Do you know what to do when disposing of unneeded PHI? Do you know how to stay HIPAA compliant?

The disposal of PHI falls under the umbrella of the HIPAA Security Rule. It covers the disposal of both physical and digital documents that contain sensitive information. If someone forgets a document on a table somewhere, you have a HIPAA violation. If someone else leaves patient information open on their desktop, that’s another HIPAA violation. 

To tie this into a real-world scenario, we can look at a former Kokomo dentist named Joseph Beck. Beck received a fine of $12,000 from the Indiana Attorney General’s Office for illegally disposing of files containing PHI.

What did he do that was so bad?

Beck hired a data company to securely destroy the paper records of his former clients. However, someone found 63 of his boxes containing 7,000 files with PHI in a nearby church’s recycling dumpster. An investigator believed the files were there for at least a week.

The discarded records contained information like…

  • Names

  • Addresses

  • Phone numbers

  • Medical diagnoses

  • X-rays

  • Dental information

  • Social Security numbers

  • Credit card numbers

The patients affected had previously visited the Comfort Dental offices where Beck worked between 2002 and 2007. Luckily, it doesn’t seem like the negligence led to any identity theft.

It’s a good practice to either store the information in a secure location or delete/shred it if the document no longer has any use. Make sure you use a secure facility to dispose of all records, or else you could be the next Joseph Beck. 

Lack of Encryption

Data encryption falls under the scope of the HIPAA Security Rule. More specifically, it’s one of the technical safeguard standards. Encryption is also key to transmission security under the Security Rule.

With this said, a lack of encryption would breach the HIPAA Security Rule. You need to encrypt all sensitive information to ensure PHI doesn’t fall into the wrong hands. Think of it as adding a layer of cybersecurity on top of all the other practices your organization has.

Why is this so important?

West Georgia Ambulance, Inc. learned its lesson the hard way. The company notified the OCR about the loss of an unencrypted laptop computer. This computer contained the PHI of over 500 patients, creating a dangerous situation.

According to the report, the computer fell out of the back of the ambulance and was not recovered. The fact that the computer was not encrypted and that West Georgia Ambulance didn’t have any security training led to a $65,000 fine.

Needless to say, you need to encrypt your devices. This adds a layer of security to your digital PHI.

You should also use encrypted messaging applications. Sending a text message from one department to another in the hospital may be the easiest way to communicate, but it's not the safest. Instead, use an encrypted app for work-related messages. Don’t let cybercriminals intercept these messages and use them to their advantage. 

Accessing PHI from an Unsecured Location

If you’re a clinician, you probably work after hours regularly or use your personal computer to access work files containing PHI.

This might seem like no big deal, but it is. These actions can have disastrous consequences. 

There are many ways this could go wrong. For example, a clinician could leave a document with PHI on the dining room table at home. If a family member reads the document, that's a violation.

Or maybe you brought your work laptop home and a family member accidentally downloads malware onto it. Hackers stealing PHI off of the laptop is also a HIPAA violation.

This second scenario happened to Anchorage Community Mental Health Services (ACMHS). They suffered a security breach where malware exposed the data of 2,700 people.

If ACMHS had software patches installed on their computers, the malware wouldn’t have infected the devices.

Because the company didn’t do enough to protect its patients, the OCR fined the organization $150,000 for all of the HIPAA violations.

The security of a location is part of the Security Rule. It doesn’t specifically cover software updates, applying patches, or other modifications to a healthcare computer system. However, failure to install a firewall or security updates is a violation in the eyes of the federal government.

Lack of Proper Training

I don’t want to come off rude, but I need to tell you something. You are your organization’s biggest risk. You have some company, though, because so am I.

Almost 85% of companies admit to experiencing a serious breach due to human error.

So, how do we stop being such a risk to our organizations?

It starts with training.

Unfortunately, Tri Rivers Musculoskeletal (TRM) experienced the consequences associated with not training its employees.

Between 2016 and 2017, one of TRM’s employees, Sue Kalina, accessed PHI records of her friends, former classmates, and even people she didn’t like. One of the most serious incidents of this activity happened when Ms. Kalina accessed the records of an individual who replaced her at her former employer. After digging through the individual’s records, Ms. Kalina contacted her former employer and disclosed gynecological information about the individual.

Upon receiving the email and voicemail messages, Ms. Kalina’s former employer filed a complaint with TRM. TRM then terminated Ms. Kalina after conducting an internal investigation.

But it didn’t stop there.

Soon after, the US Attorney’s Office filed charges against her, which led to a conviction and a one-year jail sentence.

How is this different from the employee snooping HIPAA violation example from earlier?

After her sentence, Ms. Kalina attested that she didn’t know it was a crime to access the records she went through. The prosecution reminded her of the certifications of completion for TRM’s mandated HIPAA training.

Conclusion

At the end of the day, the real cause of HIPAA violations is a lack of employee training. They need both HIPAA training and cybersecurity training.

Employees need to know how the laws work and how to stay compliant. When employees stay informed, they are less likely to make the mistakes discussed in the HIPAA violation examples above.

Training isn’t just me giving you a recommendation. All workforce members need to learn about HIPAA compliance requirements, and that training must happen…

  • When an employee is first hired

  • Whenever there are changes to the regulations

  • “Periodically” just to make sure everyone keeps it fresh in their minds