According to the Department of Health and Human Services, there were 713 major health data breaches in 2021. These breaches affected over 45.7 million individuals, a staggering number that will likely increase. In a previous post, we discussed what HIPAA compliance is and why it’s essential for protecting patients’ sensitive health information. This article will discuss everything you need to know about common Health Insurance Portability and Accountability Act (HIPAA) violations and how to remain HIPAA compliant.
What Is a HIPAA Violation?
A HIPAA violation occurs when an individual or group acquires, accesses, uses, or shares any protected health information (PHI) in a way that causes substantial personal risk or harm to the patient. The following examples include covered entities and business associates that work with PHI.
Covered Entities include:
- Assisted living
- Company health plans
- Community health departments
- Government-issued health care plans
- Health plans
- Health care clearinghouses
- Nursing homes
Business Associates include:
- Billing companies
- Cloud storage providers
- EHR platforms
- Email hosting providers
- Faxing companies
- Hosting providers
- IT providers
- Physical storage providers
- Practice management firms
- Shredding companies
- Third-party consultants
Common HIPAA Violations
1. Lack of Data Protection and Security
One of the most common HIPAA violations is a lack of proper data protection and data security. Since it’s not always clear what is required, organizations may assume that tokenization or encryption is optional rather than mandatory. Whether a data breach is due to internal or human errors or cyberattacks, organizations must implement a layered security approach to protect and secure PHI. If your organization implements a tokenization solution, this involves replacing PHI data with randomly generated tokens. These tokens act as placeholders for the original, valuable data that will be stored outside of the organization’s internal environment. Even if a data breach occurs, the organization’s PHI data will not be at risk because the tokens do not represent any real value to anyone. Indeed, hackers will be left with nothing and move on to the next victim.
To illustrate how serious data breaches are, IBM Security reported that the average cost of healthcare data breaches was $9.23 million in 2021. The report indicated that 44% of breaches targeted PHI, a major HIPAA violation. It’s not hard to see the devastating impacts a lack of proper data security and protection measures can have on organizations and their clients. Indeed, healthcare breaches can lead to a loss of clients, revenue, reputation, and goodwill for organizations. At the same time, patients can suffer identity theft, fraud, and lack of proper care without access to their healthcare information.
2. Getting Hacked
Hacking is a serious issue in today’s digital world. In July 2021, the HIPAA Journal indicated there were 52 reports of hacking involving protected health information. These cyber-attacks affected 5.3 million individuals who had their PHI possibly compromised. In general, hackers seek PHI for two reasons. The first reason is to sell the data to third-party companies that desire PHI. The other reason is to implement ransomware, take over an organization’s data, and demand money in exchange for returning the data and not deleting it from their internal systems.
Unfortunately, hacking is a scary reality that healthcare organizations face regularly. For example, a LA hospital had to pay a $17,000 ransom to regain access to their internal systems after being hacked in 2016. What can these businesses do to prevent hacking and violating HIPAA regulations? Companies that store or handle PHI should follow best security practices and implement a layered security approach to prevent hacking.
- Keep anti-virus software updated
- Use tokenization
- Update passwords regularly
- Limit access to devices and accounts to only those who need it to fulfill their job
3. Unauthorized Access
Whether an employee is curious or wants to cause harm, gaining unauthorized access to PHI is a common HIPAA violation. Even if the intent is not malicious, employees will still face the consequences, such as fines, termination, and even prison. Organizations can prevent this violation by establishing an authorization system that prevents staff from accessing data that is not necessary for their specific job role. Additionally, businesses should provide regular staff training to outline who can access what, the process for requesting access to data, and the consequences of violating HIPAA regulations. Indeed, employee HIPAA training is a requirement under the HIPAA law, which can help arm staff members with the knowledge and procedures to prevent violations.
4. Device Theft
When considering common violations, device theft may not be considered. However, lost or stolen devices are a typical example of how individuals or organizations fall victim to HIPAA violations. The Office of Civil Rights (OCR) indicates that since 2009, up to half of U.S. citizens have had their PHI compromised, a large part due to lost or stolen mobile devices. Indeed, these devices are neither protected nor secured, making them prime targets for hackers.
For example, a Lifespan employee’s work laptop was stolen in 2017. This one device led to 20,000 patients’ personal information being exposed due to a lack of password protection or encryption. Lifespan tried their best to address the issue, but the organization still violated HIPAA and, more importantly, compromised their patients’ PHI and damaged their reputation as a reputable healthcare center. To help prevent data leaks, organizations can implement data security measures like tokenization. If a cybercriminal gains access to a device, they will not access sensitive patient information.
5. Sharing PHI
Since PHI is confidential information, organizations should follow a need-to-know basis regarding what type of information employees have access to. When not careful, employees authorized to access certain information may share these details with unauthorized employees. Thus, this can result in information leaks, violations, and even lawsuits. Another example of how PHI is shared is when hackers use social engineering to trick employees into providing relevant information. Hackers that successfully trick unsuspecting employees can gain entry to computer systems and sensitive health data. As you can imagine, this has significant consequences, such as PHI being compromised and a healthcare organization not providing proper care to patients without access to patients’ electronic data. To prevent unauthorized use and access to PHI, organizations should ensure that staff clearly understand HIPAA, HIPAA violations, and the consequences of sharing sensitive information with unauthorized individuals or third parties.
6. Lack of Proper Disposal of PHI
Any employee that is tasked with disposing of PHI records must follow specific HIPAA regulations. These rules are designed to prevent unauthorized use, access, and sharing of sensitive data. PHI records can include diagnoses, medical procedures, and Social Security numbers, which should be appropriately disposed of by destroying or shredding paper copies or wiping digital documents from a device’s hard drive. If left unattended, a person could retrieve records from a trash can, on a desk, or view them on a device that is not password protected. Hackers are clever and can easily find recent files sitting in a computer’s recycling bin folder. Indeed, these scenarios illustrated HIPAA violations that can create severe issues for organizations and patients. Businesses can address this by providing regular staff training to reinforce the proper procedures and knowledge regarding disposing of PHI. In many cases, it’s a good idea to have a compliance expert that can answer questions and offer tips to maintain compliance.
How Much Is a HIPAA Fine?
As for fines, there are two categories of HIPAA violations, civil and criminal. Each type follows a different fine structure, as discussed below.
Civil HIPAA Violations
Civil fines are issued to individuals that committed a violation without any harm intended. For example, the person did not realize or remember the HIPAA regulations. The penalties are as follows:
- If the person did not realize that they were violating HIPAA rules, they are fined $100 per violation.
- If the person had an understandable cause for their actions and did not intentionally forget, they receive a minimum $1,000 fine.
- If the person intentionally forgot or ignored regulations but then fixed the issue, they receive a minimum of $10,000 per violation.
- If the person intentionally forgot or ignored rules and didn’t fix the issue, they receive a minimum of $50,000 per violation.
Criminal HIPAA Violations
Criminal fines are issued to individuals that committed a violation with harmful intent, which leads to much harsher fines. These penalties are as follows:
- If the person knowingly acquires and shares PHI, they can receive up to $50,000 in fines and do up to a year of jail time.
- If the person violates HIPAA under false pretenses, they can receive up to $100,000 in fines and do up to 5 years in jail.
- If the person commits a HIPAA violation for personal gain (e.g., selling PHI online or using it to harm or impersonate a patient), they can receive up to $250,000 in fines and do up to 10 years of jail time.
Is a Data Breach a HIPAA Violation?
Yes, a data breach is considered a HIPAA violation when protected health information has been compromised.
Protect Your Sensitive PHI Today
As you can see, these are just a few of the common HIPAA violations that occur in the healthcare industry. To protect your sensitive data, it’s imperative that businesses that handle PHI educate their employees about HIPAA. This training is typically done in three phases – when someone is hired, when regulations are updated, and periodically to keep HIPAA regulations top of mind. Furthermore, companies must also implement a layered security solution that makes it difficult for thieves to hijack PHI. While there are various choices, tokenization is an ideal solution designed to replace sensitive data with randomly generated, unique tokens that do not represent any real value. In turn, if an organization suffers from a data breach, hackers will not have access to the original data stored safely outside of their internal systems. If you would like to learn more, we encourage you to contact TokenEx today, a leading cloud tokenization provider based in Oklahoma.
Ready to take the next steps?