HIPAA violations carry heavy civil and criminal penalties. Read on to learn what is a HIPAA violation and how to avoid one here.
Nearly 35 million people in the U.S. experienced a breach of their Protected Health Information (PHI). PHI includes things like a patient’s Social Security number, medical diagnosis, treatment protocol, and payment information.
That information is protected by the Health Insurance Portability and Accountability Act (HIPAA). The law is designed to safeguard personal health information and prevent it from being publicly disclosed or used.
If a company or individual fails to protect that information, they can be found guilty of a HIPAA violation. HIPAA violation penalties are serious, carrying both civil and criminal consequences.
We’ll take a closer look at the law and how you can avoid a HIPAA violation.
Health Insurance Portability and Accountability Act (HIPAA)
The law was signed in 1996 to protect health information and reduce healthcare fraud. HIPAA also provides a way for people to take their health information with them if and when they change jobs, insurance companies, or providers. That’s the “portability” part of the law.
HIPAA actually contains several provisions that govern specific areas of health information protection. It’s important to understand the basic information in each, so you can ensure that you and your staff are in compliance. The people and companies required to follow HIPAA are referred to as “covered entities”.
HIPAA Privacy Rule
The privacy rule included in HIPAA creates a national set of standards for how companies are supposed to protect confidential medical records. Medical clinics, doctors’ offices, insurance companies, and anyone else who handles this information are all required to follow the same set of rules.
The privacy rule also gives patients the right to request and access their own medical records. They’re also allowed to ask for corrections to the records when they spot an error.
HIPAA Security Rule
The security rule deals specifically with electronic health records (EHRs). It’s necessary because so many healthcare providers have moved away from paper forms and records into the digital space.
The security rule requires anyone who develops or uses an EHR to ensure the records are protected. That includes the technical requirements of the EHR system, along with rules for companies and individuals that govern how they can access that data.
All covered entities must conduct a risk assessment of their own procedures and policies to make sure they’re HIPAA-compliant. Once that assessment is complete, they are then required to come up with a plan to address any issues that the assessment revealed.
HIPAA Omnibus Rule
The omnibus rule gives extra weight to patient protections and provides them with additional rights to their information. For example, it gives patients the right to request their records in electronic form, instead of paper.
It also limits how their data can be used for marketing and fundraising, and it prevents anyone from selling their information.
HIPAA Breach Notification Rule
This provision spells out exactly what covered entities have to do if their records were hacked or accessed by someone not authorized to do so. If their records containing PHI were illegally or improperly accessed, they have up to 60 days to notify everyone affected by the breach.
Examples of a HIPAA Violation
There are hundreds of ways someone’s PHI can be illegally accessed. They don’t have to be anything as dramatic as a hacker breaking into the system. Someone can violate HIPAA simply by looking at a medical record without permission.
Here’s one example: a celebrity checks into the hospital and word gets around that he’s scheduled for a medical procedure. A nurse logs onto the system and pulls up his medical records to find out why he’s there. If the nurse has no connection to the celebrity’s treatment, that’s a HIPAA violation. While the nurse may have credentials to access the hospital’s records, she has no legitimate reason to view that patient’s file.
Here’s another one: an employee of a company that develops EHRs takes his work laptop home but leaves it in his car. Someone breaks into his car and steals the laptop. That could be a HIPAA violation because the employee failed to secure the PHI stored on the laptop.
The Department of Health and Human Services has identified some other common HIPAA violations. Among them:
- Improper disposal of PHI (throwing records in the garbage can rather than shredding them)
- Failure to provide patients with copies of their medical records when requested
- Failure to provide HIPAA training
- Failure to notify everyone affected by a data breach
Texting confidential information can also be a HIPAA violation if the information isn’t protected. Data can be compromised if it’s transmitted over public WiFi, for example. Learn more here about options for secure texting channels.
Categories of HIPAA Violations
There are four tiers of violations. You’ll see that “intent” is significant here. In assessing the severity of the violation, regulators will want to know if the breach was an accident or deliberate.
The tiers are:
- Tier 1: A violation the covered entity was not aware of and couldn’t have avoided.
- Tier 2: A violation the covered entity should have known about but would not have been able to avoid.
- Tier 3: A violation caused by deliberate neglect of the HIPAA rules.
- Tier 4: A violation caused by deliberate neglect of the rules and the covered entity made no attempt to correct the problem.
Regulators will also look at how long the breach went on before the covered entity discovered and corrected it. For example, if a company discovered their system had been hacked and took immediate steps to correct the issue, the penalty may not be as severe.
Penalties for HIPAA Violations
As you might imagine, the penalties mirror the four categories above. Again, intent plays a significant role. The penalties are:
- Tier 1: A fine between $100 and $50,000
- Tier 2: A fine between $1,000 and $50,000
- Tier 3: A fine between $10,000 and $50,000
- Tier 4: A minimum fine of $50,000
Criminal charges are also possible for HIPAA violations in some cases. For example, the theft of patient information for financial gain could result in criminal charges.
We hope you’ve found this article helpful in understanding HIPAA and how to avoid a HIPAA violation. Please check our blog for more health-related information.