The Health Insurance Portability and Accountability Act of 1996 was enacted to make the management of healthcare easier, cut waste, reduce healthcare fraud, and ensure that healthcare workers could maintain healthcare coverage when moving between jobs.
There have been a number of major updates to HIPAA legislation since it was enacted. These were made to improve privacy protections for patients and health plan members and to help keep healthcare data safeguarded and patient privacy secure. Those amendments are known as the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule.
A HIPAA violation is a failure to adhere to any part of the HIPAA standards and provisions detailed in 45 CFR Parts 160, 162, and 164.
The HIPAA regulations, in total, run to 115 pages and include many provisions. There is no end to the ways in which the HIPAA Rules can be violated, although the most common HIPAA violations include:
- Impermissible sharing of protected health information (PHI)
- Unauthorized viewing of PHI
- Improper destruction of PHI
- Risk analysis not being conducted
- Not managing the possible danger to the confidentiality, integrity, and availability of PHI
- Failure to have in place safeguards to ensure the confidentiality, integrity, and availability of PHI
- Maintenance and monitoring of PHI access logs not being performed properly
- No HIPAA-compliant business associate agreement with vendors in place before allowing access to PHI
- Copies of PHI not being given to patients on request
- Not limiting who can view PHI using proper controls
- Not disabling access rights to PHI when no longer required
- Disclosing more PHI than is required to complete a particular task
- Failure to provide adequate HIPAA training and security awareness training
- Allowing patient records to be stolen
- Giving access to PHI to individuals not authorized to receive the data
- Sharing of PHI online or via social media without proper authorization
- Mishandling and mismanagement of PHI
- Texting PHI in any way
- Not encrypting PHI, or not using an equivalent measure, to prevent unauthorized access or sharing
- Not notifying impacted individuals (or the Office for Civil Rights) of a security incident involving PHI within 60 days of the discovery of a breach
- Failure to document compliance efforts
How are HIPAA Violations Uncovered?
Many HIPAA violations are first noticed by HIPAA-covered entities during internal audits. Supervisors may identify employees who have violated the HIPAA Rules, and employees often self-report HIPAA violations and potential violations by colleagues.
The HHS' Office for Civil Rights (OCR) is the main enforcer of the HIPAA Rules and investigates complaints of HIPAA violations made by healthcare workers, patients, and health plan subscribers. OCR also reviews all covered entities that report breaches involving more than 500 records and conducts investigations into a number of smaller breaches. OCR also audits HIPAA-covered entities and business associates from time to time.
State Attorneys General may also initiate investigations into breaches. Such investigations are often prompted by complaints about possible HIPAA violations and by reports of breaches of patient records.
What are the Official Penalties for Violations of HIPAA Legislation?
The penalties for violations of HIPAA legislation can be high. State Attorneys General can impose fines of up to $25,000 per violation category, per calendar year. OCR can impose financial penalties of up to $1.5 million per violation category, per year. Multi-million-dollar fines are imposed from time to time.
Sanctions may also be applied to individuals who breach the HIPAA Rules, and criminal penalties are possible. A prison sentence for violating HIPAA is a possibility, with some violations carrying a penalty of up to 10 years.