To best answer the question what is a HIPAA violation, it is necessary to explain what HIPAA is, who it applies to, and what constitutes a violation; for although most people believe they know what a HIPAA compliance violation is, evidence suggests otherwise.
The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action.
According to the most recent update, the HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary.
However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity did not violate HIPAA rules. Additionally, in nearly 14,000 cases in which reviews were carried out, no violation of HIPAA was found.
While these statistics imply more than two-thirds of people do not understand what is a HIPAA violation, it is important to put the statistics into context as they only relate to complaints received by the HHS and do reflect nationwide levels of compliance. Nonetheless, it may be important for some to review their interpretation of what constitutes a violation.
What is HIPAA and Who Does It Apply To?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure employees could maintain healthcare coverage between jobs. Since its passage, Standards have been introduced to improve patients´ rights and safeguard Protected Health Information (PHI).
The failure to comply with these Standards is considered a violation of HIPAA – even if no harm has resulted. For example, one of the most common types of complaint relates to the failure to provide patients with copies of their PHI on request. Examples of other types of HIPAA violations are provided below along with the penalties that may be applied when a violation of HIPAA occurs.
The Standards apply to Covered Entities and Business Associates. Covered Entities are defined as health plans, health care clearing houses, and health care providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards. Most health care providers qualify as a Covered Entity, but it is important to be aware that some are exempted.
Business Associates are businesses with whom a Covered Entity shares PHI to help carry out its health care activities and functions. Since the publication of the Final Omnibus Rule in 2013, Business Associates have had the same requirements as Covered Entities to comply with the Privacy, Security, and Breach Notification Rules as found in 45 CFR Parts 160, 162, and 164.
What is a PHI Violation?
Violations of HIPAA involving the unauthorized disclosure of PHI beyond the permitted uses and disclosures are the most common type of HIPAA violation. PHI violations can range from providing more information than the minimum necessary to achieve the purpose of an allowable disclosure to the hacking of an unencrypted database that exposes the PHI of thousands of patients.
To avoid a PHI violation, Covered Entities and Business Associates not only need to implement the safeguards stipulated by the Privacy and Security Rules, but also ensure appropriate policies and procedures are in place to minimize the risk of a PHI violation. Members of each entity´s workforce also need to be trained on the policies and procedures and the sanctions for non-compliance.
Other Types of HIPAA Law Violation
One frequent misunderstanding about HIPAA is that a violation is only a violation when it involves authorized uses and disclosures of PHI. However, there are many other ways in which a Covered Entity or Business Associate can violate HIPAA. For example, failing to train members of the workforce on policies and procedures or failing to document the training.
It is also a HIPAA law violation to withhold the details of a breach from the individuals affected by the breach, the HHS´ Office for Civil Rights, and – in certain circumstances – from the media. In recent years, several fines have been issued for HIPAA law violations attributable to non-compliance with the Breach Notification Rule or for failing to comply with the Rule in the time allowed.
Further HIPAA Violation Examples
In addition to the examples previously mentioned, there are many more ways in which Covered Entities and Business Associates can violate HIPAA. Below we list a selection of further HIPAA violation examples:
- Impermissible disclosures of PHI
- Improper disposal of PHI
- Failure to conduct a risk analysis
- Failure to manage risks to the confidentiality, integrity, and availability of PHI
- Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant Business Associate Agreement with prior to sharing PHI
- Failure to provide patients with an accounting of disclosures on request
- Failure to implement access controls to limit who can view PHI
- Failure to terminate access rights to PHI when no longer required
- Failure to provide security awareness training
- Unauthorized release of PHI to individuals not authorized to receive the information
- Sharing of PHI online or via social media without permission
- Mishandling and mis-mailing PHI
- Texting unencrypted PHI
- Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure
It is important that anybody with access to PHI in an organization is provided with HIPAA training that explains what is a HIPAA violation and that all members of a Covered Entity´s or Business Associate´s workforce are provided with security awareness training regardless of their role.
How are HIPAA Violations Uncovered?
Many HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.
The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all Covered Entities that report breaches of more than 500 records and conducts investigations into certain smaller breaches. OCR also conducts periodic audits of HIPAA-covered entities and business associates.
State attorneys general also have the power to investigate breaches and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.
What are the Penalties for Violations of HIPAA Rules?
The penalties for violations of HIPAA rules are dependent on the nature of the violation, the level of culpability, how much harm was caused by the violation, and the efforts made by the Covered Entity or Business Associate to mitigate the breach or its impact. In most cases, the penalties consist of a Corrective Action Plan, but the OCR has the power to impose substantial financial penalties.
State attorneys general also have the power to investigate breaches and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received. These are in addition to any penalties for violations of HIPAA rules that are issued by individual states when data breaches violate state privacy and security rules.
HIPAA Violation Categories
There are four HIPAA violation categories. Each has a minimum and maximum “limit” within which OCR can impose financial penalties depending on the level of culpability. Two of the HIPAA violation categories are designated for Covered Entities and Business Associates that can demonstrate reasonable due diligence, whereas the other two are for entities guilty of willful neglect.
Category 1 – Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA rules had been violated.
Category 2 – Reasonable cause that the Covered Entity/Business Associate knew about – or should have known about – the violation by exercising reasonable due diligence.
Category 3 – Willful neglect of the HIPAA Rules with the violation corrected and the consequences mitigated within thirty days of discovery.
Category 4 – Willful neglect of the HIPAA Rules and no effort made to correct the violation or mitigate the consequences within thirty days of discovery.
HIPAA Violation Penalties
Originally, the financial HIPAA violation penalties were modest and did not act as an appropriate deterrent to prevent HIPAA-covered entities from violating the HIPAA Rules. They were significantly increased in the HITECH Act of 2009; and, since 2015, they have been adjusted for inflation annually. The table below shows the HIPAA violation penalties for 2022 and includes the maximum an entity can be fined for multiple instances of the same violation. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. The table below will be updated when the new penalty amounts for 2023 are finalized by the HHS.
| Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Tier 1 | Reasonable Efforts | $127 | $63,973 | $1,919,173 |
| Tier 2 | Lack of Oversight | $1,280 | $63,973 | $1,919,173 |
| Tier 3 | Neglect – Rectified within 30 days | $12,794 | $63,973 | $1,919,173 |
| Tier 4 | Neglect – Not Rectified within 30 days | $63,973 | $1,919,173 | $1,919,173 |
OCR Reinterprets HITECH Act Penalty Increases
As the above table shows, the maximum penalty per year is the same in all four penalty tiers, which may seem odd. In 2019, the HHS reexamined the text of the HITECH Act and determined that the language had been misinterpreted with respect to the penalty amounts, and OCR determined that the maximum penalty per year should be reduced in three of the four penalty tiers, and set the annual cap at $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1,500,000 for tier 4.
These new maximum penalties have not been made official, as that requires further rulemaking. While that does appear to be the intention of the HHS, this has currently been addressed through a notice of enforcement discretion, which applies indefinitely until the change to the penalty structure is made official. There is still a discrepancy between the maximum penalty per violation in tier 1, which is double that of the annual cap, which will no doubt be clarified in further rulemaking. Adjusted for inflation, the new penalty amounts for 2022, for cases assessed on or after March 17, 2022, are detailed in the table below.
| Annual Penalty Limit | Annual Penalty Limit | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
| Tier 1 | Lack of Knowledge | $127 | $63,973 | $30,487 |
| Tier 2 | Reasonable Cause | $1,280 | $63,973 | $121,946 |
| Tier 3 | Willful Neglect | $12,794 | $63,973 | $304,865 |
| Tier 4 | Willful neglect (not corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |
Recognized Security Practices Safe Harbor
In 2021, the HITECH Act was amended to include a ‘safe harbor’ for HIPAA-regulated entities that have implemented ‘recognized security practices’ for not fewer than 12 months prior to a data security incident occurring. If those security practices have been adopted, they will be considered by OCR when deciding on financial penalties and other actions in response to data incidents and could result in financial penalties being avoided altogether. A request for information has been issued on aspects of “recognized security practices”, such as what they consist of and how HIPAA-regulated entities can demonstrate they have been adopted. The comment period has now closed and OCR is assessing the feedback and will make an announcement and will issue further guidance at some point in 2022.
FAQs
How can you tell if an organization is in violation of HIPAA?
Covered entities and business associates are required by HIPAA to conduct risk analyses on a regular basis. The risk analyses should identify any areas of non-compliance which indicate the organization is in violation of HIPAA. The failure to conduct and document a risk analysis is a violation of HIPAA itself, as is failing to address issues identified by a risk analysis.,
What is the difference between a risk assessment and a risk analysis?
While most entities would consider a risk assessment to be an investigation of possible threats, and a risk analysis a calculation of how likely those threats are to occur, there is a lack of clarity in HIPAA. For example, under the risk analysis section of the Security Rule Administrative Safeguards (45 CFR § 164.308(a)) covered entity or business associate must: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”,
Who can violate HIPAA?
Anyone who is covered by the HIPAA regulations can violate HIPAA. However, there has been some confusion – especially during the COVID-19 pandemic – about who exactly is covered by HIPAA. Entities required to comply with HIPAA are health plans, healthcare clearinghouse, and healthcare organizations that engage in qualifying electronic transactions (most now do). Business Associates and contractors providing a service to Covered Entities can also violate HIPAA.
The requirement to comply with HIPAA regulations also applies to all workforces of a Covered Entity, Business Associate, or contractor. HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.
When potential risks and vulnerabilities are identified, what happens next?
Also under 45 CFR § 164.308(a), covered entities and businesses associates are required to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In order to determine what constitutes a “reasonable and appropriate level”, organizations should take into account (per 45 CFR § 164.306(b)):
- The size, complexity, and capabilities of the organization
- The organization´s technical infrastructure, hardware, and software security capabilities
- The cost of reasonable and appropriate security measures
- The probability and criticality of potential risks to the integrity of ePHI”
What does the “criticality of potential risks” mean?
The term criticality of potential risks refers to the scale of injury that might be caused by a HIPAA violation. For example, a cloud storage volume – containing the payment details and Social Security numbers of thousands of patients – left open to the public Internet has the potential to cause more injury than two nurses discussing the treatment options for patient A within earshot of patient B.
What is the HIPAA Law?
The term HIPAA Law refers to all five Titles of the Healthcare Insurance Portability and Accountability Act. The relevant Title for organizations in the healthcare industry is Title II – “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform” – as this is the section which led to the HIPAA Privacy, Security, and Breach Notification Rules.
What is considered a HIPAA violation?
A HIPAA violation is considered to be non-compliance with any “required” standard or any “addressable” standard for which an equally-effective substitute has not been implemented, or a documented reason exists for the standard not to be implemented. An example of non-compliance with a required standard is failing to provide security awareness training to all members of the workforce regardless of their role.
Can a non-medical person violate HIPAA?
Absolutely. HIPAA applies to Covered Entities and Business Associates, and their workforces. Therefore, if a non-medical member of the workforce (such as a member of the IT team) disclosed PHI without authorization, they would be in violation of HIPAA – although it would be their employer who would have to notify the affected individual and report the disclosure to HHS.
What are HIPAA violations?
HIPAA violations (in the plural) are a series of violations often attributable to the failure of a Covered Entity to monitor compliance with policies and procedures. There have been cases in which non-compliant short-cuts have been taken by employees “to get the job done”, and when these go unchecked, the short-cuts can develop into a cultural norm of non-compliance.
Who can violate HIPAA laws?
There are many exceptions to HIPAA which, although not violations, mean that Covered Entities and Business Associates do not have to comply with HIPAA in every circumstance. For example, under the Military Command Exception, healthcare professionals in the military are allowed to disclose PHI without the patient´s authorization in order to report on the patient´s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.
What constitutes a HIPAA violation?
Although strictly speaking any violation of the Privacy, Security, or Breach Notification Rules constitutes a HIPAA violation, some – such as “incidental uses and disclosures” – are permitted subject to other safeguards being in place. Members of the workforce who violate HIPAA in permitted ways should not be sanctioned.
What are the 3 types of HIPAA violations?
The three types of HIPAA violations are administrative, civil, and criminal. Most administrative HIPAA violations are investigated by the Centers for Medicare and Medicaid Services (CMS), while civil HIPAA violations are investigated by HHS´ Office for Civil Rights (OCR). If the Office for Civil Rights investigates a case with possible criminal motives, the case is referred to the Department of Justice for investigation.
What violates HIPAA according to CMS?
CMS investigates violations of the Administrative Requirements (Part 162 of the Administrative Simplification Regulations). The Administrative Requirements cover the code sets and identifiers Covered Entities or Business Associates acting on their behalf must use when conducting transactions for which HHS has published standards. Although CMS has the authority to issue fines for non-compliance, to date administrative HIPAA violations have been resolved by corrective action.
What counts as a HIPAA violation according to the FTC?
One agency not often associated with HIPAA enforcement is the Federal Trade Commission (FTC). However, under Section 5 of the Federal Trade Commission Act, the FTC has the authority to pursue violations of the Breach Notification Rule by organizations not covered by HIPAA and last year took enforcement action against a personal health vendor who had impermissibly shared users´ data after promising such information would be kept private.
What is not a HIPAA violation?
Of the reasons for many HIPAA complaints being rejected is that, under certain circumstances, Covered Entities can deny an individual´s access rights with no opportunity for a review. These circumstances can range from the individual being an inmate in a correctional institution to the information being requested being covered by the Privacy Rule and, under these circumstances, the denial of patient access is not a HIPAA violation.
Can HIPAA violations be criminal?
When an individual knowingly and wrongfully uses or discloses PHI, this is considered a criminal violation of HIPAA under §1320d-6 of the Social Security Act. Violations of this nature are most often referred by HHS´ Office for Civil Rights to the Department of Justice who has the authority to impose fines of up to $250,000 and pursue custodial sentences of up to ten years.
The post What is a HIPAA Violation? appeared first on HIPAA Journal.