What Is a HIPAA Violation (And How to Avoid One)


HIPAA violations carry heavy civil and criminal penalties. Read on to learn what a HIPAA violation is and how to avoid one.

Nearly 35 million people in the U.S. experienced a breach of their Protected Health Information (PHI). PHI includes things like a patient’s Social Security number, medical diagnosis, treatment protocol, and payment information.

The Health Insurance Portability and Accountability Act, or HIPAA, protects that information. The law safeguards personal health information and prevents it from being publicly disclosed or used.

If a company or individual fails to protect that information, they can be found guilty of a HIPAA violation. HIPAA violation penalties are serious, carrying both civil and criminal consequences.

We’ll take a closer look at the law and how you can avoid a HIPAA violation.

Health Insurance Portability and Accountability Act (HIPAA)

The law was signed in 1996 to protect health information and reduce healthcare fraud. HIPAA also provides a way for people to take their health information with them if and when they change jobs, insurance companies, or providers. That’s the “portability” part of the law.

HIPAA actually contains several provisions that govern specific areas of health information protection. It’s important to understand the basic information in each, so you can ensure that you and your staff are in compliance. The people and companies required to follow HIPAA are referred to as “covered entities”.

HIPAA Privacy Rule

The privacy rule included in HIPAA creates a national set of standards for how companies are supposed to protect confidential medical records. Medical clinics, doctors’ offices, insurance companies, and anyone else who handles this information are all required to follow the same set of rules.

The privacy rule also gives patients the right to request and access their own medical records. They’re also allowed to ask for corrections to the records when they spot an error.

HIPAA Security Rule

The security rule deals specifically with electronic health records (EHRs). It’s necessary because so many healthcare providers have moved away from paper forms and records into the digital space.

The security rule requires anyone who develops or uses an EHR to ensure the records are protected. That includes the technical requirements of the EHR system, along with rules for companies and individuals that govern how they can access that data.

All covered entities must conduct a risk assessment of their own procedures and policies to make sure they’re HIPAA-compliant. Once that assessment is complete, they are then required to come up with a plan to address any issues that the assessment revealed.

HIPAA Omnibus Rule

The omnibus rule gives extra weight to patient protections and provides them with additional rights to their information. For example, it gives patients the right to request their records in electronic form, instead of paper.

It also limits how their data can be used for marketing and fundraising, and it prevents anyone from selling their information.

HIPAA Breach Notification Rule

This provision spells out exactly what covered entities have to do if their records were hacked or accessed by someone not authorized to do so. If their records containing PHI were illegally or improperly accessed, they have up to 60 days to notify everyone affected by the breach.

Examples of a HIPAA Violation

There are hundreds of ways someone’s PHI can be illegally accessed. They don’t have to be anything as dramatic as a hacker breaking into the system. Someone can violate HIPAA simply by looking at a medical record without permission.

Here’s one example: a celebrity checks into the hospital and word gets around that he’s scheduled for a medical procedure. A nurse logs onto the system and pulls up his medical records to find out why he’s there. If the nurse has no connection to the celebrity’s treatment, that’s a HIPAA violation. While the nurse may have credentials to access the hospital’s records, she has no legitimate reason to view that patient’s file.

Here’s another one: an employee of a company that develops EHRs takes his work laptop home but leaves it in his car. Someone breaks into his car and steals the laptop. That could be a HIPAA violation because the employee failed to secure the PHI on the laptop.

The Department of Health and Human Services has identified some other common HIPAA violations. Among them:

  • Improper disposal of PHI (throwing records in the garbage can rather than shredding them)
  • Failure to provide patients with copies of their medical records when requested
  • Failure to provide HIPAA training
  • Failure to notify everyone affected by a data breach

Texting confidential information can also be a HIPAA violation if the information isn’t protected. Data can be compromised if it’s transmitted over public WiFi, for example. Learn more here about options for secure texting channels.

Categories of HIPAA Violations

There are four tiers of violations. You’ll see that “intent” is significant here. In assessing the severity of the violation, regulators will want to know if the breach was an accident or deliberate.

The tiers are:

  • Tier 1: A violation the covered entity was not aware of and couldn’t have avoided.
  • Tier 2: A violation the covered entity should have known about but would not have been able to avoid.
  • Tier 3: A violation caused by deliberate neglect of the HIPAA rules.
  • Tier 4: A violation caused by deliberate neglect of the rules and the covered entity made no attempt to correct the problem.

Regulators will also look at how long the breach went on before the covered entity discovered and corrected it. For example, if a company discovered their system had been hacked and took immediate steps to correct the issue, the penalty may not be as severe.

Penalties for HIPAA Violations

As you might imagine, the penalties mirror the four categories above. Again, intent plays a significant role. The penalties are:

  • Tier 1: A fine between $100 and $50,000
  • Tier 2: A fine between $1,000 and $50,000
  • Tier 3: A fine between $10,000 and $50,000
  • Tier 4: A minimum fine of $50,000

Criminal charges are also possible for HIPAA violations in some cases. For example, the theft of patient information for financial gain could result in criminal charges.

We hope you’ve found this article helpful in understanding HIPAA and how to avoid a HIPAA violation. Please check our blog for more health-related information.