The Health Insurance Portability & Accountability Act (HIPAA) was passed in 1996 and helps safeguard protected health information (PHI) by providing standards for ensuring the data privacy and security of medical information.
Learn more about HIPAA, the penalties for noncompliance, and some of the most common HIPAA violations by watching the video or reading the transcript below.
Penalties for HIPAA Noncompliance
Before diving into the different types of HIPAA violations themselves, it’s important you understand just how much you’re gambling with a potential HIPAA violation:
|Violation Type||Minimum Civil Penalty|
|Unknowing Violation||$100 per violation–annual maximum of $25,000 for repeat violations|
|Violation from reasonable cause||$1,000 per violation–annual maximum of $100,000 for repeat violations|
|Violation due to willful neglect—corrected within required time period||$10,000 per violation–annual maximum of $250,000 for repeat violations|
|Violation due to willful neglect–uncorrected||$50,000 per violation–annual maximum of $1,000,000 for repeat violations|
While each violation type already has steep minimum financial penalties, they also have a maximum civil penalty.
Across all violation types, the maximum civil penalty is $50,000, with an annual maximum of $1,500,000.
Common HIPAA Violations
#1: Insecure PHI Storage
PHI security is the primary focus in HIPAA. Moreover, there need to be appropriate safeguards like access controls and encryption implemented.
Additionally, they’re not just for your own self-assurance—financial penalties for not implementing proper securities have gone as high as:
- $16,000,000 for Anthem Inc. in 2018
- $5,500,000 for Memorial Healthcare System in 2017
- $3,200,000 for Children’s Medical Center of Dallas in 2017
- $1,600,000 for Texas Department of Aging and Disability Services in 2019
#2: Hacking & Data Breaches
Additionally, it’s important to protect PHI from being hacked and stolen by external bad actors.
Besides implementing basic encryption and access controls, other steps to take for limiting the risk of data breach include:
- Keeping antivirus software up to date
- Installing a firewall security system
- Using a virtual desktop infrastructure (VDI)
- Adding tiered access controls for layered security
- Regularly changing device passwords
#3: Employee PHI Misuse and Abuse
It’s critical for employees to safely handle PHI. Additionally, this tends to be one of the most common sources of HIPAA violations.
In addition, there are a range of violations committed by employees that in turn need to be covered in HIPAA training programs, including:
- Removing PHI from the facility
- Downloading PHI onto unauthorized devices
- Emailing/sending PHI to personal accounts
- Accessing PHI from an unsecure device or location
- Losing devices with PHI either by accident or theft
- Leaving electronics and paperwork unattended
- Speaking about and sharing PHI with unauthorized parties or family members
#4: Improper PHI Disclosure
If you have access to PHI, it would be a direct violation of HIPAA if you discuss it with an unauthorized person. Moreover, it’s critical to peptic this information and disclosing information will lead to a direct violation.
Additionally, it may not be the first violation to come to mind when it comes to HIPAA compliance. However, it’s important to ensure PHI is only discussed with people who are directly involved, including:
- Doctors and medical staff
- Individuals billing the procedure
- Pharmacists & other medication providers
- Other general medical service providers
#5: Unsecure Technology to Share & Access PHI
Similar to the violation risk of removing PHI from a facility, accessing PHI from nonsecure places can cause major violations. Additionally, this includes accessing from a home computer or sharing PHI over text. These are both common sources of violations because it’s a potential chance of exposure.
In addition, it’s recommended to implement a central electronic health records (EHR) system for storing information with tools. Also, these tools can include authentication, access controls, and encryption to protect PHI and ensure HIPAA compliance.
#6: Improper PHI Disposal
It’s important to properly dips of PHI when it’s time. Additionally, this means ensuring proper and complete destruction.
Although HIPAA doesn’t specify a method for destroying PHI, shredding services are frequently used because of their cost efficiency. Moreover, it’s because they provide certificates of destruction.
A certificate of destruction is a key tool that can be used to provide proof of HIPAA compliance in case of any legal disputes. Also, this includes information like where and when the shredding was done, who did it, and witness signatures.
#7: Not Performing an Organization-Wide Risk Analysis
It’s important to regularly conducting a risk assessment. Additionally, this helps organizations determine whether any vulnerability to the confidentiality, integrity, and availability of their PHI exists. Also, it’s beneficial for organizations ensuring their securities, and it’s a requirement of HIPAA.
Recent HIPAA settlements for not conducting a risk analysis include:
- $2,700,000 for Oregon Health & Science University
- $2,500,000 for Cardionet
- $850,000 for Lahey Hospital & Medical Center
- $750,000 for Cancer Care Group
#8: Failing to Implement a Risk Management Process
It’s critical to conduct an organization risk assessment. However, the process doesn’t end there.
Although performing a risk analysis will keep you HIPAA compliant, it’s necessary to follow it up by implementing a risk management process to address the identified risks.
Recent organizations who conducted a risk assessment but failed to act on them include:
- $1,700,000 for the Alaska Department of Health and Social Services
- $650,000 for the University of Massachusetts Amherst (UMass)
- $400,000 for the Metro Community Provider Network
- $150,000 for the Anchorage Community Mental Health Services
#9: Releasing PHI to an Unauthorized Party
The listed recipients are the only way to release a patient’s PHI. Additionally, it discloses the information to unauthorized party is a direct violation of HIPAA.
This common violation is typically the result of one of the following errors:
- PHI to unauthorized family members
- The wrong patient’s PHI
- PHI to 3rd parties that aren’t medically involved
#10: Basic Form Violations
The HIPAA Privacy Rule contains the right to revoke clause. Also, this is a statement on authorization forms to tell patients they can legally void their approval for entities to use and disclose their PHI.
Additionally, the use of PHI without the right to revoke statement on authorization forms will result in a HIPAA violation.
Tips for Avoiding HIPAA Violations
There is steep financial penalty from HIPAA violations. Additionally, it’s important you’re taking steps to secure your PHI and keeping employees up to date on the best practices for HIPAA compliance.
Moreover, things to keep in mind include:
- Prioritizing secure PHI sharing & access as well as implementing encryption & access controls in EHRs.
- Conducting regularly employee HIPAA-compliance training & organization risk analyses.
- Creating a plan for securely shredding and disposing paper or digital PHI.
Is Your Medical Records Management HIPAA Compliant?
At Record Nations, we partner with secure medical records storage and destruction services throughout the United States. In addition, Record Nations can help you find the provider that best fits your needs.
Start the process by filling out the form on the right, give us a call at (866) 385-3706, or contact us directly through our live chat. Afterwards, you’ll receive for a free, no-obligation quote from services near you.