The Top 10 HIPAA Violations to Look Out For

The Health Insurance Portability & Accountability Act (HIPAA) was passed in 1996, and at its most basic is designed to help safeguard protected health information (PHI) by providing standards for ensuring the data privacy and security of medical information.

Learn more about HIPAA itself, including the penalties for noncompliance, as well as some of the most common HIPAA violations by watching the video or reading the transcript below.

Video Transcript

Penalties for HIPAA Noncompliance

Violation Type Minimum Civil Penalty
Unknowing Violation $100 per violation–annual maximum of $25,000 for repeat violations
Violation from reasonable cause $1,000 per violation–annual maximum of $100,000 for repeat violations
Violation due to willful neglect—corrected within required time period $10,000 per violation–annual maximum of $250,000 for repeat violations
Violation due to willful neglect–uncorrected $50,000 per violation–annual maximum of $1,000,000 for repeat violations

While each violation type already has steep minimum financial penalties, they also have a maximum civil penalty.

Across all violation types, the maximum civil penalty is $50,000, with an annual maximum of $1,500,000.

Common HIPAA Violations

#1: Insecure PHI Storage

With PHI security being a primary focus in HIPAA, appropriate safeguards like access controls and encryption must be implemented.

They’re not just for your own self-assurance—financial penalties for not implementing proper securities have gone as high as:

  • $16,000,000 for Anthem Inc. in 2018
  • $5,500,000 for Memorial Healthcare System in 2017
  • $3,200,000 for Children’s Medical Center of Dallas in 2017
  • $1,600,000 for Texas Department of Aging and Disability Services in 2019

#2: Hacking & Data Breaches

Stemming from insecure storage, it’s also important to protect PHI from being hacked and stolen by external bad actors.

change password hipaaBesides implementing basic encryption and access controls, other steps to take for limiting the risk of data breach include:

  • Keeping antivirus software up to date
  • Installing a firewall security system
  • Using a virtual desktop infrastructure (VDI)
  • Adding tiered access controls for layered security
  • Regularly changing device passwords

#3: Employee PHI Misuse and Abuse

Considering their constant handling of PHI, employees are one of the most common sources of HIPAA violations.

Whether knowing or unknowingly, there are a range of violations committed by employees that in turn need to be covered in HIPAA training programs, including:

  • Removing PHI from the facility
  • Downloading PHI onto unauthorized devices
  • Emailing/sending PHI to personal accounts
  • Accessing PHI from an unsecure device or location
  • Losing devices with PHI either by accident or theft
  • Leaving electronics and paperwork unattended
  • Speaking about and sharing PHI with unauthorized parties or family members

#4: Improper PHI Disclosure

If you were to have access to PHI and discussed it with those who aren’t authorized to do so it would be a direct violation of HIPAA.

It may not be the first violation to come to mind when it comes to HIPAA compliance, but it’s nonetheless important to ensure PHI is only discussed with people who are directly involved, including:

  • Patients
  • Doctors and medical staff
  • Individuals billing the procedure
  • Pharmacists & other medication providers
  • Other general medical service providers

#5: Unsecure Technology to Share & Access PHI

unsecure devices hipaaSimilar to the violation risk of removing PHI from a facility, accessing PHI from unsecure places like a home computer or sharing PHI over text is another common source of HIPAA violations.

Rather than using personal devices to share, store, and access PHI, it’s recommended to instead implement a central electronic health records (EHR) system for storing information with tools like authentication, access controls, and encryption to protect PHI and ensure HIPAA compliance.

#6: Improper PHI Disposal

It’s important that when it’s time for PHI to be disposed, proper steps are taken to ensure it’s safely destroyed.

Although HIPAA doesn’t specify a method for destroying PHI, shredding services are frequently used not only because of their cost efficiency compared to alternatives, but also because they provide certificates of destruction.

A certificate of destruction is a key tool that can be used to provide proof of HIPAA compliance in case of any legal disputes, and includes information like where and when the shredding was done, who did it, and witness signatures.

#7: Not Performing an Organization-Wide Risk Analysis

Regularly conducting a risk assessment helps organizations to determine whether any vulnerability to the confidentiality, integrity, and availability of their PHI exists, and although it’s beneficial for organizations just for shoring up their securities, it’s also required by HIPAA.

Recent HIPAA settlements for not conducting a risk analysis include:

  • $2,700,000 for Oregon Health & Science University
  • $2,500,000 for Cardionet
  • $850,000 for Lahey Hospital & Medical Center
  • $750,000 for Cancer Care Group

#8: Failing to Implement a Risk Management Process

common hipaa violationsConducting an organization risk assessment is important, but it doesn’t end there.

Although performing a risk analysis will keep you HIPAA compliant, it’s also necessary to follow it up by implementing a risk management process to address the identified risks.

Recent organizations who conducted a risk assessment but failed to act on them include:

  • $1,700,000 for the Alaska Department of Health and Social Services
  • $650,000 for the University of Massachusetts Amherst (UMass)
  • $400,000 for the Metro Community Provider Network
  • $150,000 for the Anchorage Community Mental Health Services

#9: Releasing PHI to an Unauthorized Party

A patient’s PHI can only be released to its listed recipients, and disclosing the information to an unauthorized party is a direct violation of HIPAA.

This common violation is typically the result of one of the following errors:

  • Releasing PHI to unauthorized family members
  • Releasing the wrong patient’s PHI
  • Releasing PHI to 3rd parties that aren’t medically involved

#10: Basic Form Violations

The HIPAA Privacy Rule contains the right to revoke clause, which is a statement used on authorization forms to tell patients that they can legally void their approval for covered entities to use and disclose their PHI.

Without including the right to revoke statement on authorization forms, the use of PHI in any way will be a HIPAA violation.

Tips for Avoiding HIPAA Violations

Considering the steep financial penalty from HIPAA violations, it’s important you’re taking steps to secure your PHI and keeping employees up to date on the best practices for HIPAA compliance. Things to keep in mind include:

  1. Prioritizing secure PHI sharing & access as well as implementing encryption & access controls in EHRs.
  2. Conducting regularly employee HIPAA-compliance training & organization risk analyses.
  3. Creating a plan for securely shredding and disposing paper or digital PHI.

Is Your Medical Records Management HIPAA Compliant?

Record Nations partners with secure medical records storage and destruction services throughout the United States. No matter the size of your storage or shredding project, Record Nations can help you find the provider that best fits your needs.

To get started, fill out the form on the right, give us a call at (866) 385-3706, or contact us directly through our live chat for a free, no-obligation quote from services near you.