Table of Contents
According to the United States Department of Health and Human Services, 3,054 healthcare data breaches occurred between 2009 and 2019, exposing 230,954,151 medical records in the U.S. How alarming, isn’t it?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides security provisions and data privacy to keep patients’ medical information safe. In our previous blog, we discussed extensively on HIPAA. Without touching on the breach of HIPAA and the ill effects, I am sure your understanding of the HIPAA rule would be broken. Violation of HIPAA is the other side of the fence, which we will catch on in this blog.
What is a Breach of HIPAA?
Failure to fulfill any aspect of HIPAA standards and provisions stated in 45 CFR Parts 160, 162, and 164 establishes a breach of HIPAA or HIPAA violation. Acquiring, accessing, using, or disclosing Protected Health Information (PHI) in a way that undermines the security or privacy of the information comes under breach of HIPAA.
Preventing HIPAA breaches involves more than standard risk assessments in a complicated healthcare environment. From 1996 until the present, the HIPAA Privacy Rule has undergone numerous revisions and amendments to safeguard the public’s health information. A breach under HIPAA can happen in various ways, by individuals or businesses, whether or not they are aware they are breaking the law.
In April 2022, SuperCare Health, a respiratory care provider with facilities around the country, was hit with a slew of lawsuits following a data breach that exposed the personal information of over 300,000 people. According to the lawsuit, from July 23, 2021, to July 27, 2021, an unknown party accessed certain systems in SuperCare Health’s network.
What is Considered a Breach of HIPAA?
The following are some of the common examples of HIPAA violation cases.
- Disclosure and unauthorized access of Protected Health Information (PHI)
- Texting, e-mailing, or sharing of PHI on any social media platforms
- Failure to maintain the confidentiality of the PHI
- Failure to carry out a risk assessment
- Risks to the integrity and availability of PHI
- Failure to keep track of PHI access logs
- Failure to get into a HIPAA-compliant business associate agreement before transferring any PHI
- Failure to give copies of PHI to patients upon request
- Failure to implement access controls in premises handling PHI
- Failure to provide training on HIPAA and awareness of data security
- Theft or tampering with patient records
- Obtaining PHI under false pretenses
- Obtaining PHI with malicious intent
- Release of PHI to unauthorized individuals
- Failure to encrypt PHI or utilize an alternate, comparable safeguard to prevent unauthorized access or disclosure
- Failure to notify a person or the Office for Civil Rights of a security issue affecting PHI within 60 days of finding a breach.
- Failure to keep track of HIPAA audits and compliance efforts.
Accidental vs. Incidental Breach of HIPAA
Breach of PHI under HIPAA can be classified into two HIPAA violation types that depend upon the circumstances of the violation. Let us look at some examples and understand how the two vary.
Accidental Breach of HIPAA
If a healthcare employee accidentally sees a patient’s data, an e-mail or fax containing the PHI of a person is sent to another person, or any other incident involving the accidental exposure of PHI occurs, it is considered an accidental HIPAA violation.
Incidental Breach of HIPAA
A practitioner may direct an administrative staff member to bill a patient for a specific medical procedure. The instructions given may be overheard by one or more people. Such an inadvertent disclosure would be regarded as an incidental disclosure of PHI if the provider made reasonable attempts to avoid being overheard and reasonably limited the information getting disclosed.
Identifying a Breach in HIPAA
HIPAA compliance is to be maintained by all the covered entities and their business associates involved in handling an individual’s medical records. Whenever an organization suspects a breach of HIPAA guidelines, an immediate internal investigation and risk assessment needs to be performed by the privacy officer. This would provide insight into how the breach had occurred and the severity of the offense.
Once the breach is identified, the immediate action should be HIPAA violations reported to the U.S. Department of Health & Human Services (HHS) and the concerned individuals. In addition to notifying the affected persons, covered entities that experience a breach impacting more than 500 citizens of a State or jurisdiction are required to notify major media outlets serving the State or jurisdiction.
Immediate reporting of a breach of HIPAA may help the organization reduce the penalties and the legal aftermath. The period to notify a breach of HIPAA varies according to the number of individuals affected by the violation. Cases involving more than 500 individuals should be notified immediately, whereas if there are less than 500 individuals involved, notification should be done within 60 days of the breach.
The Department of Health and Human Services (HHS) demands that the organization should document the breach within ten days with at least 15 items relevant to the covered entity’s internal investigation listed. This should include the physical safeguards, policies and procedures, risk assessment, and breach notification. The HIPAA Breach Notification Rule mandates that the details of the HIPAA breach notification letter, as well as documentation that they were sent, be recorded by the business associates.
The notification should contain the organization’s contact information, how the breach had happened, details of the PHI, and the steps the covered entity/ business associate had taken to deal with the breach. The report should be submitted to the OCR Breach reporting web portal.
Breach of HIPAA is further investigated by any of the following ways listed below.
- An investigation conducted by the Office of Civil Rights (OCR)
- Complaints regarding covered entities and business relationships are investigated.
- Audits for HIPAA compliance
The HIPAA Breach Notification Rule
Breach of HIPAA is covered under the HIPAA Breach Notification Rule 45 CFR §§ 164.400-414, which is a part of the Omnibus Rule. As per the rule, following a breach of unsecured protected health information, HIPAA-covered businesses and their business affiliates must notify patients. As per the rule, the following factors are to be considered to determine HIPAA privacy breach cases.
- The nature and scope of the protected health information in question, as well as the types of identifiers used and the likelihood of re-identification.
- The unauthorized user to whom the protected health information was disclosed.
- Whether or not the protected health information was obtained or viewed.
- The risk of protected health information being compromised has been decreased to some extent.
Penalties for HIPAA Violation
Penalties for breach of HIPAA rule are enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Violating HIPAA can result in civil or criminal penalties, depending on the severity of the breach committed and HIPAA violation consequences. Civil penalties for HIPAA violations result in fines, and criminal penalties end up in jail terms. It is to be noted that the consequences of breaking HIPAA under certain circumstances may result in both civil penalties and criminal charges.
Civil penalties for HIPAA violations with a reasonable cause may range from $100 to $50,000 per breach. Willful neglect cases may result in penalties from $10,000 to $50,000. Reports suggest that the total OCR Financial Penalties for HIPAA Violations during 2008-2018 was $100,120,200, with 59 settlements and Civil Monetary Penalties.
Let’s dive into the details of the civil penalties and HIPAA fines per violation, which are given below.
- Individuals did not know (and would not have known if he/she had exercised reasonable effort) that he/she had violated HIPAA – A minimum penalty of $100 per violation, with a maximum of $25,000 per year for repeated violations. A maximum of $50,000 per violation, with a yearly maximum of $1.5 million.
- Breach of HIPAA involving a reasonable cause and not due to willful neglect- A minimum fine of $1,000 per violation, with a maximum of $100,000 per year for repeated violations. A maximum of $50,000 per violation, with an annual maximum of $1.5 million.
- HIPAA violation involving willful neglect which is not corrected – A minimum confiscation of $50,000 per violation, with a yearly maximum of $1.5 million. A maximum fine for a HIPAA violation of $50,000 per violation, with a yearly maximum of $1.5 million.
Can you go to jail for HIPAA violations? Definitely, you will face jail terms depending upon the severity of the breach.
- Reasonable cause or no knowledge of violation- Jail term up to one year
- Obtaining PHI under false pretenses – A maximum of five years of jail
- Obtaining PHI for personal gain or malicious intent – Jail term of ten years or more
After we’ve gone over the broad penalties for HIPAA violations, we’ll look at some HIPAA breach examples to show you how serious a HIPAA violation may be.
- Cancer Care Group, an Indiana-based radiation oncology private physician practice, settled $750,000 for failing to conduct an enterprise-wide risk analysis.
- In 2012, Anchorage Community Mental Health Services (ACMHS), a non-profit organization running five mental health facilities in Alaska, was charged a penalty of $150,000 for the failure to manage the risk of ePHI. A security breach due to a malware infection resulted in the exposure of the data of 2,700 individuals.
- University of Cincinnati Medical Center was charged a penalty of $65,000 for failing to respond promptly to patient’s requests for copies of their medical records.
- Anthem Inc, America’s second-largest health insurer, was charged a $16,000,000 penalty for access control letdowns and other severe HIPAA violations.
Exceptions to Violation of HIPAA
What happens if you accidentally violate HIPAA? It is not necessary to jump to conclusions when a possible violation of the guidelines is discovered. To begin with, gather all relevant information. It is vital to understand that a breach of HIPAA can be excused under the following three circumstances.
- Unintentional acquisition, access, or use of a PHI by a workforce member or person operating on behalf of a covered entity or business associate if the acquisition, access, or use was made in good faith and not with a criminal intention. For instance, while doing his approved tasks, a technician may accidentally open the wrong patient chart. Such breaches of HIPAA cases are considered HIPAA breach exceptions.
- Unintended disclosure to an authorized individual occurs when a person with access to PHI accidentally shares the data with another authorized person of the same organization where PHI is not further exposed in a violating manner. For instance, a legal nurse consultant e-mailing the wrong medical record review report for the internal quality audit within the organization.
- If the covered entity or business associate is sure that the data contained in the PHI would not have been retained by the unauthorized person to whom the improper disclosure was made. For instance, a physician accidentally gives an X-ray image of a patient to someone who isn’t permitted to see it but discovers his error and retrieves the information before any data breach has occurred.
Guidelines to Avoid HIPAA Violation
How to prevent HIPAA violations?
The below-listed are the general guidelines that can be followed to avoid potential consequences of HIPAA violations.
- Organizations like medical billing agencies, medical chart review outsourcing companies, attorneys, revenue cycle management firms, etc., can organize individual HIPAA training programs for employee training.
- Changes in HIPAA policies should be periodically updated to avoid incompliance issues and breaches of HIPAA.
- New personnel in a HIPAA-covered entity or business associate firm should be instructed on the HITECH Act, HIPAA compliance, breach of HIPAA laws, etc.
- Whether it’s the e-mail provider, web host, or cloud backup service, organizations handling medical records need to be able to adopt and maintain HIPAA security regulations.
- HIPAA compliance is all about lowering the risk to a safe and manageable level. Just because a company has a data breach doesn’t necessarily indicate a breach of HIPAA. Every business associate who deals with medical records should be aware of the importance of data privacy and the consequences of any modification or disclosure.
- The OCR has designed six programs to educate the employees about the security and privacy rules regarding medical record handling and storage. Although there is no formal certification program like ISO for HIPAA compliance, numerous training businesses offer certifications demonstrating knowledge of the act’s rules and restrictions.
- Any instances of breach of HIPAA must be reported to the covered entity and the concerned individual involved right away. It should be highlighted that if the violation is discovered to be ongoing for an extended period of time, the HIPAA breach penalties and the breach of HIPAA consequences could be severe.
- Periodic data privacy and security audits could protect businesses against breaches of HIPAA and the accompanying fines.
As per the HIPAA rule, failure to conduct a risk analysis and internal audit itself is a breach of HIPAA. If you are a covered entity or a business associate handling medical-related information of the public, it’s your responsibility to adhere to the norms of the HIPAA law. Under the circumstances like personal injury lawsuits, where the medical records are handed over to a third party like a medical record review outsourcing company, make sure that they are HIPAA compliant.
Human errors happen all the time, and not all violate PHI privacy. Healthcare would be paralyzed if every improper disclosure was viewed as a breach. Keeping every covered entity and the business associate in line with HIPAA’s rules would be the best way to avoid HIPAA breach penalties. They should be aware of all the potential sources and consequences of failed HIPAA compliance and the maximum criminal penalty for HIPAA violations. The third parties should know how to prevent them through clear, well-enforced procedures.