As a secure email service that provides end-to-end encrypted communications technology, we receive many inquiries from organizations that are required to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA). To help answer some of the key issues related to HIPAA compliance(new window), we’ve launched a new series dealing with various aspects of the US health privacy law and how Proton Mail can assist with your company’s HIPAA compliance strategy.
See our HIPAA compliance checklist(new window)
A HIPAA violation is any failure by an organization that must be HIPAA compliant to protect patients’ private health information. HIPAA is enforced by the Office for Civil Rights(new window) (OCR), which audits companies in order to detect HIPAA violations. We explain how these audits work later in this article.
Minor HIPAA violations discovered during an audit will result in the organization being notified and required to take remedial measures. When major HIPAA violations are discovered during an audit, or if a data breach occurs at any time, then steep fines can be levied against the entity (plus possible criminal prosecution).
What is considered a violation of HIPAA?
Any failure to abide by any of the rules laid out by HIPAA(new window) is a HIPAA violation. HIPAA, however, comprises a large body of very complex rules, with the result that most HIPAA violations are unintentional.
Needless to say, the OCR is much more lenient when it comes to assessing penalties for unintentional violations than if the violation is deliberate. Unintentional HIPAA violations may result in fines, but they are much less severe than if the violation is intentional. Deliberate violation of HIPAA rules is also a criminal act and can result in prison sentences.
A good example of an unintentional HIPAA violation is disclosing more than the minimal protected health information (PHI) of a patient than is necessary for the purpose at hand. One of the most common examples of intentional HIPAA violations is deliberately not reporting data breaches within the 60 days required by the HIPAA Breach Notification Rule(new window).
Types of HIPAA violations
The Department of Health and Human Services (HSS), whose task it is to enforce HIPAA, lists the most common HIPAA violations(new window) (in order of how often each complaint is made) as:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information (EPHI); and
- Use or disclosure of more than the minimum necessary protected health information.
Some of the most common HIPAA violations that can result in heavy fines, however, are:
1. Database breaches
Allowing hackers to compromise electronic PHI (often resulting in it being made widely available on the internet) is one of the most serious HIPAA violations possible, and can result in severe financial penalties. In cases where data breaches are intentionally not reported in accordance with the HIPAA Breach Notification Rule, punitive financial penalties are usually even higher.
2. Employees gossiping and sharing PHI
It is all too easy for employees to disclose PHI in casual conversations. Not only can these be overheard by unauthorized individuals, but there is no need to discuss PHI, even with co-workers, outside of strictly professional contexts.
3. Mishandling of records
This includes violations such as not properly securing physical PHI in locked environments with strict access rules, or leaving charts where another patient might see them.
4. Lost or stolen devices
In 2016, the OCR fined the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) $650,000(new window) after an iPhone containing a large amount of EPHI belonging to nursing home residents and family members was stolen.
When sensitive patient data is stored anywhere except on a secure, centralized database, there is a danger that the device it is stored on might be lost or stolen. You can mitigate this risk by encrypting all devices on which EPHI is stored, a factor that will be taken into account by the OCR when assessing penalties.
5. Lack of training
Proactive HIPAA training for employees, which must be attested to by all participants, is a legal requirement of HIPAA. Proper staff training in HIPAA law and the practices and procedures that are required to keep PHI safe ensure that violations are unlikely to occur.
6. Failure to encrypt EPHI
Storing EPHI unencrypted, failing to use strong passwords, and having inadequate systems in place to prevent unauthorized access to PHI can lead to a database breach. Simply failing to have the necessary protection in place to protect EPHI violates the HIPAA Security Rule, however, and can result in large fines.
Note that HIPAA itself does not explicitly mandate the encryption of PHI (although failure to do so may still be considered as part of a more general failure to comply with the Security Rule), but many state HIPAA laws require EPHI to be encrypted.
7. Lack of proper risk analysis
HIPAA requires covered entities and business associates to make thorough and organization-wide risk analysis reports. Remedial measures for all risks identified in this way must be implemented, and proper contingency plans formulated should things go wrong.
Risk analysis is a core aspect of HIPAA compliance examined by the OCR during the remote “desk audits” introduced in Phase 2 of its audit program (discussed below).
8. Employee mistakes
Doctors often access patient records out of office hours on their personal laptops, perhaps leaving them open where others can see what is on the screen. Health professions sometimes share photos of patients on social media, wrongly believing that because they are not named, no violation has occurred.
It is also quite common for doctors to share PHI with their colleagues using insecure channels such as SMS messaging and insecure email services. This issue can be remedied by using secure communication channels, such as encrypted HIPAA-compliant email services.
9. Improper disposal of PHI
This includes failing to shred physical records before placing them in a waste bin, improperly wiping and destroying hard drives, or failing to factory reset old phones that hold PHI.
HIPAA violation reporting
With the exception of data breaches, covered entities and business associates are expected to remedy any self-discovered HIPAA violations internally and are not required to report them to the OCR.
Patients and other external entities who believe that a covered entity or business associate has violated HIPAA rules can file an anonymous complaint(new window) with the OCR.
According to the HIPAA Breach Notification Rule, if a data breach occurs, covered entities and business associates must report it to the OCR within 60 days. If the breach affects over 500 individuals, then they must also contact local law enforcement agencies and issue a press release alerting potential victims about the situation.
HIPAA violation penalties
Most HIPAA violations are dealt with by a simple warning or technical advice, sometimes accompanied by a requirement that the entity produce evidence that the issue has been adequately remedied.
The OCR punishes more serious HIPAA violations according to the penalties set out in the Health Information Technology for Economic and Clinical Health (HITECH) Act(new window). These penalties are adjusted annually to take inflation into account.
HIPAA civil penalties
Civil penalties are applied for unintentional HIPAA violations. These may be the result of carelessness or neglect, but deliberate harm was not intended.
- Tier 1: If an entity acted in good faith and was simply unaware that it was committing a HIPAA violation, then a penalty of $100 – $50,000 per violation can be assessed against them (maximum $25,000 per violation).
- Tier 2: If an entity knew, or should have known, that it was committing a violation, but had good reasons for doing so, then a penalty of $1000 – $50,0000 per violation can be assessed against them (maximum $25,000 per violation).
- Tier 3: If an entity knowingly broke HIPAA regulations without good reason, but remedied the situation within 30 days, then a penalty of $10,000 – $50,0000 per violation can be assessed against them (maximum $25,0000 per violation).
- Tier 4: If an entity knowingly broke HIPAA regulations without good reason and made no effort to remedy the situation within 30 days, they must pay a fine of $50,000 (maximum $1.5 million per violation).
In 2020, the maximum amount of fines levied against a single entity was $6.85 million(new window) for a data breach that affected over 10.4 million people. Overall, the OCR assessed a total of $13,316,500(new window) in fines for HIPAA violations in 2020.
HIPAA criminal penalties
The above civil penalties may be supplemented with criminal charges where malicious intent is suspected. These are prosecuted by the Department of Justice (DoJ) and can result in individuals receiving prison sentences.
- Tier 1: If an individual had a reasonable excuse for allowing the violation to occur or was unaware of the violation, they can be sentenced to 1 year in prison.
- Tier 2: If an individual lied to obtain PHI, they can be sentenced to up to 5 years in prison.
- Tier 3: If an individual obtained PHI for personal gain or with intention to harm someone, they can be sentenced to up to 10 years in prison.
The high value of PHI on the black market, and therefore the temptation this creates for some individuals, has resulted in the DoJ becoming increasingly keen on making an example of those caught stealing PHI.
The OCR enforces HIPAA through its Privacy, Security, and Breach Notification Audit Program(new window). There are two kinds of audit:
These are remote audits which examine all documentation that demonstrates an organization’s HIPAA compliance. In order to comply with a desk audit, a covered entity or business associate must submit this documentation via a secure portal on the OCR website.
The OCR can visit an entity’s facilities or offices in order to perform a physical investigation. This is known as an on-site audit. This kind of audit can be triggered by concerns over documentation provided for a desk audit or in response to complaints the HSS has received about an entity. Random on-site audits, however, where no prior cause for concern exists, are increasingly common.
In addition to documentation, on-site audits examine physical and electronic security measures used to protect PHI, and interview staff members about systems, procedures, and any reports received about possible HIPAA violations.
Covered entities and business associates selected for an on-site audit will receive a letter explaining how the audit works, followed by a pre-audit questionnaire which must be completed within 10 working days. The audit will then be scheduled and may last anywhere between three and 10 days.
HIPAA violation FAQ
Any failure to comply with any of the rules laid out in the lengthy and complex body of legislation that comprises HIPAA is considered a HIPAA violation. If good faith measures are taken to remedy HIPAA violations, then enforcement by the OCR is usually very light-touch. It is becoming increasingly severe, however, in tackling more serious violations.
The HSS lists impermissible uses and disclosures of protected health information as the most common HIPAA violation, although data breaches are the most serious.
Please see our Complete guide to selecting a HIPAA compliant email service(new window) for a detailed discussion on this topic.
A HIPAA violation in the workplace is, of course, any HIPAA violation that occurs at a hospital, care home, clearinghouse, or other places of work where PHI is handled. Common examples include carelessly leaving patient records lying around, staff communicating PHI through gossip, and improper disposal of PHI records.
HIPAA-related complaints can be filed in writing by mail, fax, email, or anonymously via the OCR Complaint Portal. You can make a complaint within 180 days of when you learned the violation occurred. The OCR can extend this period up to another 180 days if you can demonstrate “good cause.”
Feel free to share your feedback and questions with us via our official social media channels on Twitter(new window) and Reddit(new window).