Common HIPAA Violations and How to Avoid Them

Even though the vast majority of healthcare organizations take great care to comply with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules, the Department of Health and Human Services' Office for Civil Rights' breach portal - often referred to as its "Wall of Shame" - is growing at an alarming rate. Healthcare data breaches are commonplace, and in many cases, they occur as a result of HIPAA failures.

OCR also investigates thousands of complaints filed by healthcare employees and patients over alleged HIPAA violations. Figures released by OCR indicate as of April 2018, 180,192 Privacy Rule complaints have been received since April 2003. 173,133 have been resolved and 7,059 remain open.

Many complaints are about relatively minor violations of HIPAA Rules, which were voluntarily corrected by the covered entity without any further action required. However, betwee April 2003 and April 2018, 37,332 complaints were investigated and 25,879 of those complaints required corrective action be taken.

OCR issues technical guidance to assist covered entities to help them comply with specific aspects of HIPAA Rules. Only the most serious violations result in financial penalties, although those penalties can be severe.

Betwee 2009 and 2018, there have bee 54 civil monetary penalties and settlements between covered entities, business associates of covered entities, and OCR. $78,773,200 in financial penalties have been paid to resolve HIPAA violations.

In most cases, HIPAA Rules were followed by the covered entities, although there were oversights and serious mistakes by healthcare employees that should have been avoided.

The most commo HIPAA violations identified during investigations into data breaches and complaints are detailed below:

Common HIPAA Violations

OCR settlements highlight specific aspects of HIPAA Rules that have been violated. These fines show covered entities and their business associates areas of HIPAA compliance that are frequently overlooked. Take a look at the OCR resolution agreements and complaints and you will see that the same types of violations are discovered time and time again. These are:

• The failure to conduct a comprehensive, organization-wide risk analysis
• The failure to address risks to the confidentiality, integrity, and availability of PHI through a HIPAA-compliant risk management process
• The failure to enter into HIPAA-compliant business associate agreements with all vendors who are provided with PHI to perform tasks on behalf of the covered entity
• The failure to use encryption, or equivalent safeguards on portable electronic devices
• The impermissible disclosure of ePHI - Communicating PHI to individuals not authorized to receive the information or not limiting that information to the minimum necessary amount
• Failure to implement appropriate administrative safeguards
• Failure to physically secure PHI and devices that contain ePHI
• Denying patients access to their medical records or failing to provide copies of health information withi 30 days
• Improper disposal of ePHI and PHI that could potentially allow patients to be identified and their health information to be viewed
• The failure to train staff on HIPAA Rules and provide security awareness training
• The failure to issue breach notifications without unnecessary delay and no later tha 60 days from the discovery of a breach
• Healthcare employees viewing the PHI of patients without authorization
• Posting PHI on social media channels without first obtaining consent from patients

Internal audits of HIPAA compliance will highlight gaps and identify areas where improvements need to be made to policies and procedures. By conducting internal assessments, HIPAA-covered entities can identify issues and take corrective action before they lead to a data breach or the filing of a complaint. By voluntarily assessing compliance and correcting problem areas, covered entities will be able to avoid a fine for noncompliance.