There is a lot of conversation around what’s considered a violation of HIPAA rights and what is not. So, before we share the most common violations to be aware of, we feel we should first brief you on what HIPAA is and to whom it applies.
HIPAA stands for Health Insurance Portability and Accountability Act and intends to protect individuals' health information while allowing the flow of health information needed to provide high-quality healthcare. HIPAA consists of three parts: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- Healthcare Providers, e.g., physicians, pharmacies, labs, etc.
- Health Plans, e.g., Health insurance companies, employer group health plans, Medicare/Medicaid, etc.
- Note: The group health plan is considered a separate legal entity from the employer or other parties that sponsor the group health plan. Neither employers nor other group health plan sponsors are defined as covered entities under HIPAA.
- Healthcare Clearinghouses, e.g., billing services, repricing companies, community health management information systems, etc.
- Business associates, e.g., contractors, subcontractors, etc., of covered entities
Many types of HIPAA violations occur, but we've narrowed them down to the top five most common.
Prying through medical records
It is a violation of the HIPAA Privacy Rule to look through a patient's medical file for reasons other than treatment, payment, or healthcare operations. These violations usually lead to termination of employment and even criminal charges. For example, read this case about a hospital employee who leaked her ex's PHI for personal gain.
Failure to conduct a company-wide risk analysis/Failure to manage security risks
This is one of the most common violations that results in a financial penalty. Read about this Massachusetts provider that was fined $1.5 million for the theft of an unencrypted laptop.
Denying patients copies of health records or failing to provide them within 30 days
This is such a common yet very controllable situation that many companies face. The HIPAA Privacy Rule states that individuals should have access to their health records in a timely manner. Banner Health was penalized with $200,000 for this violation.
Failure to enter HIPAA Compliant Business Associate Agreement
Advanced Care Hospitalists paid a hefty price of $500,000 for not having a proper Business Associate Agreement (BAA) in place.
Exceeding the 60-Day Deadline for Issuing Breach Notifications
Read this case about one of the largest healthcare networks in Illinois that violated the Breach Notification Rule.
It may be months or years before a HIPAA violation is uncovered by the OCR, but the longer it continues, the worse the penalties become. Any breach of unsecured protected health information (PHI) must be reported to the FTC.
If you believe a HIPAA-covered entity has violated your rights or the rights of someone else, you can file a complaint with the Office for Civil Rights (OCR).
AMA. (n.d.). HIPAA violations & enforcement. Retrieved from American Medical Association: https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement
HIPAA Journal. (2021, January 10). The Most Common HIPAA Violations You Should Be Aware Of. Retrieved from HIPAA Journal: https://www.hipaajournal.com/common-hipaa-violations/