Complying with the HIPAA rules is crucial to avoid violations, legal consequences, and financial penalties.
The most common HIPAA violations include:
- The failure to perform a risk analysis to identify vulnerabilities for protected health information (PHI)
- Impermissible disclosures of PHI
- Inattentive handling of PHI
- The failure to enter into a HIPAA-compliant business associate agreement
- Delayed breach notifications
The settlements pursued highlight the importance of paying closer attention to HIPAA violations and complying with the rules.
This article briefly discusses the mechanisms by which HIPAA violations are discovered and the most common violations to keep in mind.
The process of discovering a HIPAA violation
HIPAA violations may go unnoticed for an extended period before being discovered; however, the penalty is proportional to the duration of the violation.
In other words, the longer the violation has been in effect, the greater the penalty will be.
For this reason, healthcare facilities and providers need to conduct regular HIPAA compliance reviews to ensure the absence of any violations.
In general, we can discover HIPAA violations in three ways:
- Investigations into a data breach by the Office for Civil Rights (OCR)
- Investigations into complaints about business associates
- HIPAA compliance audits
Common HIPAA violations
Snooping on healthcare records
Illegal access to the health records of patients is a violation of their privacy. Snooping on patients, family members, and celebrities’ health records is a widespread HIPAA security violation.
The discovery of such a violation typically leads to the dismissal of the responsible employee, but it can also result in criminal charges.
Failure to perform an organization-wide risk analysis
The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations that leads to financial penalties.
Unfortunately, many facilities ignore the importance of performing regular risk analyses to detect vulnerabilities in their systems. As a result, attackers find it easy to breach their data centers.
Examples of HIPAA settlements for the failure to conduct a risk analysis include:
- Premera Blue Cross – $6,850,000 settlement for risk analysis failure (other violations were present).
- Excellus Health Plan – $5,100,000 settlement for risk analysis failure (other violations were present).
- Cardionet – $2.5 million settlement for an incomplete risk analysis.
- Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
Failure to manage security risks
Conducting a risk analysis, discovering vulnerabilities, and then failing to act on them is also a HIPAA violation.
For this reason, you need to address any identified vulnerabilities promptly. Failing to do so is penalized by the Office for Civil Rights.
Examples of HIPAA settlements for the failure to manage identified risks include:
- Alaska Department of Health and Social Services – $1.7 million penalty for failing to perform risk management.
- University of Massachusetts Amherst (UMass) – $650,000 penalty for failing to perform risk management.
- Metro Community Provider Network – $400,000 penalty for failing to perform risk management.
- Anchorage Community Mental Health Services – $150,000 penalty for failing to perform risk management.
Failure to enter into a HIPAA-compliant business associate agreement
Another HIPAA security violation is failing to enter into a compliant business associate agreement with every party that has access to PHI.
Note that having business associate agreements in place with all vendors does not by itself make an organization HIPAA-compliant. This is especially the case when the agreements have not been revised since the Omnibus Final Rule.
Examples of HIPAA settlements for the failure to enter into a HIPAA-compliant business associate agreement include:
- Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000.
- North Memorial Health Care of Minnesota – $1.55 million.
- Care New England Health System – $400,000.
Impermissible disclosures of protected health information
Impermissibly disclosing protected health information is against the HIPAA rules and can therefore lead to financial penalties.
The common categories of impermissible PHI disclosure are:
- Disclosing information to the patient’s employer
- Leaking information following the compromise of an unencrypted computer
- Inattentive processing of PHI
- Unnecessary disclosure of PHI
- Disclosing PHI after the expiration of patient authorizations
Examples of HIPAA settlements for impermissible disclosures of PHI include:
- Memorial Hermann Health System – $2.4 million.
- New York-Presbyterian Hospital – $2,200,000.
- Massachusetts General Hospital – $515,000.
- Luke’s-Roosevelt Hospital Center – $387,000.
HIPAA security violations are becoming less common and result in hefty settlements for healthcare institutions and providers. Becoming familiar with the main steps of conducting a risk analysis, managing vulnerabilities, and handling PHI carefully is indispensable to protecting yourself and your facility.
We hope that this article served as a reminder of the HIPAA violation rules.