In this post, we will be focusing on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We will look at what HIPAA violations are, talk about HIPAA law, and explain which employers HIPAA regulations apply to.
We will also focus on what constitutes a HIPAA violation and what the consequences of a violation are. More importantly, we will cover which HIPAA compliance solutions covered entities can implement to prevent a breach.
TABLE OF CONTENTS
- HIPAA Explained
- What Employers Need to Know
- What is a HIPAA Violation?
- Filing a HIPAA Requirement Complaint
- Compliance with HIPAA
- HIPAA Violations FAQ
HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996.
The federal law protects the privacy rights of individuals in the US. It establishes a set of standards to protect against the unauthorized disclosure of sensitive and individually identifiable Protected Health Information (PHI).
Aside from protecting privacy rights, the act has also helped to modernize the flow of PHI in the U.S. and reduce national healthcare fraud and abuse.
HIPAA guidelines are available to read and explore from the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR).
Any company or individual that comes into contact with PHI must implement appropriate policies, procedures, and safeguards to protect data and ensure compliance with HIPAA law.
HIPAA provides federal protection for the following information:
- Diagnosis and treatment information included in medical records by doctors, nurses, and other medical professionals
- Medical test results and other patient information
- Records held by health insurance providers
- Billing information relating to medical treatment
- Prescription information
- Any other individually identifiable health information
Individuals have the right to view all data held by a covered entity and receive notice when personal information is used and shared.
As we mentioned above, only those companies deemed a “covered entity” must comply with HIPAA regulations.
HIPAA covered entities include:
- Healthcare providers that transmit health information, including doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health insurance companies and HMOs
- Government healthcare programs
- Healthcare clearinghouses
- Business associates of covered entities that require access to health insurance data, such as contractors, billing companies, lawyers, accountants, IT specialists, and companies that destroy medical records.
Aside from the HIPAA privacy rule, covered entities are also governed by The Privacy Rule, which sets standards for protecting PHI, and The Security Rule, which specifies safeguards for protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).
Any breach of personal health data must be reported to the U.S. Department of Health & Human Services (HHS).
Most employers are considered “non-covered” entities and they are therefore not subject to HIPAA rules and regulations.
Even if an employer provides healthcare coverage to its staff, it is the responsibility of the insurance company to ensure data security and HIPAA compliance.
Examples of organizations that do not have to comply with the HIPAA privacy act include:
- Life insurers
- Most employers, except those requesting access to medical records for workers’ compensation claims, etc.
- Workers compensation carriers
- Most schools and school districts
- Many state agencies like child protective service agencies
- Most law enforcement agencies
- Many municipal offices
Although HIPAA doesn’t apply to non-covered entities, these companies still have a legal obligation to protect the confidentiality of employee health information in their possession under the US Privacy Act of 1974 and the Americans with Disabilities Act (ADA) as well as state-level regulations relating to data protection.
The California Consumer Privacy Act, for example, provides individuals with the right to view, access, and opt out of the processing of their personal data by businesses at any time.
And in Massachusetts, the PATCH Act enforces additional measures to protect access to confidential healthcare information.
HIPAA can be a confusing regulation for employers. It’s important to establish whether or not your company is a covered entity so that you can implement the necessary measures to protect your data.
Most employers that offer health insurance benefits for medical and/or dental care, for example, fall into the “Health Plans” category. And that is not counting the fact that the requirements depend on how PHI is maintained, transmitted, and received.
Although the exchange of employee medical information with a company covered by HIPAA (such as an insurer) doesn’t necessarily mean that the regulation must be enforced, the law does apply to any company that receives, processes, handles, or stores employee medical records for the purpose of employee compensation claims or relating to sick leave or health insurance. This is especially relevant during public health emergencies such as the current COVID-19 pandemic.
Human resources managers must, therefore, be familiar with the restrictions and controls implemented by the HIPAA to ensure the necessary policies and procedures are put in place to safeguard employee data.
HIPAA does not:
- Stop an employer from requesting a doctor’s note for an absence
- Prohibit an employer from requesting information relating to benefit programs, disability compensation, wellness programs, or healthcare coverage
- Prevent an employer from maintaining employment records, provided that healthcare service providers and insurers are HIPAA compliant.
Although HIPAA may not apply to your company, it is still important to safeguard employee records. The responsible person should hold periodic training sessions to create a culture of privacy and data security in your organization.
What is a HIPAA Violation?
A HIPAA infringement is a failure to comply with any aspect of the standards and provisions of the HIPAA security rule. This can include the unauthorized use and disclosure of an individual’s PHI.
It can also include the failure to implement administrative, technical, and physical safeguards to ensure the confidentiality of electronic PHI.
It can include delayed breach notifications and the failure to conduct regular risk analyses.
Finally, it can include a failure to provide individuals with access to their PHI or to ensure HIPAA-compliant agreements are made with business associates.
HIPAA infringements are usually discovered in one of three ways:
- Investigations into a data breach conducted by the Office for Civil Rights (OCR) or by the state attorney general.
- Investigations into complaints about covered entities and business associates
- An external HIPAA compliance audit
It is important for covered entities to conduct regular internal HIPAA audits.
According to the regulators, it is crucial to detect and correct any potential violations before any penalties occur. The longer an issue exists, the higher the penalty.
List of HIPAA Violation Examples
In healthcare, maintaining patient confidentiality is extremely important. Failure to adhere to the guidelines set by the Health Insurance Portability and Accountability Act can lead to serious consequences for healthcare organizations. Here are some of the most common HIPAA violations.
Employees Divulging Patient Information
Patient confidentiality is a cornerstone of healthcare ethics, and any breach of this trust is a serious violation. Employees must refrain from sharing patient information with unauthorized individuals, including coworkers, friends, and family members. Private discussions about patient information should be limited to medical personnel and conducted in secure, private spaces.
Medical Records Falling into the Wrong Hands
Mishandling patient records, especially in environments still reliant on paper records, is a prevalent HIPAA violation. Proper storage of patient records in secure, locked spaces is imperative to prevent accidental exposure.
The loss or theft of electronic devices containing Protected Health Information (PHI) is a significant violation, inviting hefty fines. Implementing password protection and promptly locking devices with PHI are crucial measures to safeguard against such incidents.
Lack of Proper Training
Properly trained employees are the first line of defense against HIPAA violations. Regular training sessions should be conducted to keep employees informed about policies and security controls, reducing the likelihood of inadvertent mistakes.
Texting Private Information
Texting patient information, although convenient, poses a risk of exploitation by hackers. Encryption of information and utilizing secure Electronic Medical Record (EMR) software can enable efficient communication without compromising patient confidentiality.
Passing Patient Information Through Skype or Zoom
Using platforms like Skype or Zoom for discussing patient information is another potential vulnerability. Employing Electronic Health Record (EHR) software can mitigate this risk and ensure secure communication channels.
Discussing Information Over the Phone
While discussing patient information over the phone is essential, it should be done in private settings to prevent unintentional breaches. Avoiding public areas during such conversations is critical to compliance.
Posting on Social Media
Employees must refrain from posting or sharing any patient-related information on social media platforms, as even seemingly innocent posts can lead to HIPAA violations. Incorporating this into policy training is essential to avoid hefty fines.
Employees Accessing Files Without Authorization
Unauthorized access to patient files is a common violation that can occur out of curiosity or a desire to assist others. Strict adherence to authorization protocols is vital to prevent such breaches.
Using PHI for Personal Gain
Using or selling PHI for personal gain is illegal and can result in severe penalties, including fines and imprisonment. Regular training sessions should emphasize the consequences of such actions.
Before disclosing PHI for purposes other than treatment, healthcare operations, or payment, obtaining written consent from the patient is mandatory. This precaution ensures compliance with HIPAA regulations.
While using personal computers for work purposes is common, healthcare professionals must take precautions to protect patient information from unintended exposure at home. Powering down and password protecting devices when not in use is crucial.
Inquiries in Social Settings
Social situations often lead to inquiries about patients, but healthcare professionals must refrain from revealing PHI. Having planned responses that avoid disclosing personal information is key in such scenarios.
Poor Reporting Timing
Swift response to HIPAA violations is crucial. Healthcare providers must ensure timely reporting of any data breaches to the Department of Health and Human Services (HHS), providing comprehensive documentation.
Releasing Records After Authorization Date
Respecting patient authorizations is vital. Releasing confidential patient records after the authorized date is a clear violation and must be avoided through meticulous attention to detail.
Staying vigilant and informed about HIPAA regulations is crucial for healthcare organizations and their employees. Through training, policy implementation, and technology solutions, organizations can foster a culture of compliance, ensuring the confidentiality and security of patient information and avoiding these common HIPAA violations.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA regulations.
At the same time, many violations are detected by covered entities during routine internal audits or are reported internally by employees. Note that the OCR investigates any external complaints reported by healthcare workers, patients, and health plan members.
By law, the OCR can only act if:
- The action took place after the HIPAA date of enactment (April 14, 2003)
- The complaint has been filed against an entity required by law to comply with HIPAA regulations (a covered entity)
- It specifically violates HIPAA regulations
- The complaint has been filed within 180 days of the violation being detected
Investigations include conducting compliance reviews and performing education and outreach programs.
In the event a non-compliance issue occurs, the OCR will attempt to obtain voluntary compliance, corrective actions, and/or a resolution agreement.
Remember that violations can also result in civil and criminal penalties if the complaint is referred to the Department of Justice.
The Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. It splits the fines and charges into two categories: reasonable cause and willful neglect.
- Fines for “reasonable cause” violations range from $100 to $50,000.
- Penalties for “willful neglect” violations can range from $10,000 to $50,000 and can result in criminal charges.
- Charges for offenses involving fraud can result in a $100,000 fine, with up to 5 years in prison.
- Offenses that include the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain, or malicious harm can result in fines of $250,000 and up to 10 years in prison.
- The maximum penalty for a willful violation that’s not corrected within the required time period is set at $1.5 million per year.
If you personally witness a HIPAA violation or breach (or are somehow affected by one), you should report it to the Office for Civil Rights. Complaints can be filed against covered entities and their business associates.
Above all, anyone can report a health information security breach to the OCR.
Complaints should be filed in writing by mail, fax, or e-mail. A complaint can also be filed via the OCR Complaint Portal within 180 days of a violation being observed, and it must specify the non-compliant action.
If a breach is found during the investigation, the covered entity or business associate must voluntarily comply with HIPAA rules, take corrective action immediately, and/or agree to a settlement.
However, if the problem is not resolved, the OCR may impose fines and penalties.
If you are a covered entity or the business associate of a covered entity, you must be aware of and comply with HIPAA standards.
You should also introduce a series of best practices to ensure that your organization maintains a corporate culture of security, privacy, and protection at the proper level. It’s a good idea to include a HIPAA compliance checklist in your policies and procedures.
Here are a few examples of common do’s and don’ts:
Do:
- Provide regular training to employees so that they are aware of regulations on PHI use and disclosure and general workplace confidentiality procedures.
- Create a clear set of HIPAA policies and procedures and ensure they are available to all employees
- Establish a Privacy Officer in your human resources department to process complaints and provide information on data privacy procedures.
- Conduct a regular HIPAA security risk assessment to detect potential violations
- Conduct regular training sessions to ensure employees are aware of updated HIPAA policies and requirements
Don’t:
- Disclose passwords or share login credentials
- Leave portable devices or documents unattended
- Access patient records out of curiosity
- Access your own medical records
- Dispose of PHI in general waste by shredding or pulverizing
- Share ePHI on social media
To end this post, we have put together a few additional Frequently Asked Questions.
If you have any other questions that we haven’t included, please feel free to leave them in the comments section below and we’ll get back to you.
What are Common Examples of HIPAA Infractions?
Examples of common HIPAA violations include the following:
- Failure to perform a risk analysis
- Failure to promptly release information to patients
- Unauthorized access to medical records (insider snooping)
- Missing patient signatures
- Releasing information to an undesignated party
- Distributing unauthorized health information
- Releasing the wrong patient’s information
- Use of unsecured devices for storing private health information.
Famous cases of violations that you may have heard of:
- The University of California Los Angeles Health System was fined $865,000 when the OCR discovered that a physician had accessed the medical records of celebrities and other patients without authorization. The doctor became the first healthcare employee sent to jail for a HIPAA violation. The judge sentenced him to four months in federal prison.
- Multiple breach reports were filed against the University of Rochester Medical Center after portable devices containing ePHI were confirmed as lost/stolen. The case was worth $3 million.
- The OCR imposed a $1.6 million penalty on the Texas Health and Human Services Commission (TX HHSC) for multiple violations, including a risk analysis failure, an access control failure, an information system activity monitoring failure, and an impermissible disclosure of patient ePHI.
Can you Sue for a HIPAA Violation?
There is no private cause of action in HIPAA, so it is not possible for an individual to sue under the terms of the act.
However, you may have a right to sue based on state law if harm has been caused as a direct result of negligence or a violation (although this can be expensive and there is no guarantee of success).
Is Talking About a Patient a HIPAA Breach?
Healthcare providers are permitted to discuss patients with other members of the care team, but talking about specific patients and disclosing their health information to family, friends, and colleagues would be classified as a HIPAA violation.
Above all, providers must also “reasonably protect” PHI to limit disclosure, such as not discussing a patient’s case in a public area.
Written by Cat Symonds