Most Common Examples of HIPAA Violations, Breaches and Mistakes

Learn the most common examples of HIPAA violations, breaches & mistakes, as these can result in substantial financial penalties!

About HIPAA Violations

HIPAA violations often result in substantial financial penalties and are commonly due to an organisation's failure to:
  • Perform an organisation-wide risk analysis with the goal of identifying security risks to protected health information (PHI)
  • Execute HIPAA-compliant Business Associate Agreements (BAAs)
  • Prevent unauthorised disclosures of PHI made through mistake or oversight
  • Notify patients and others affected by a breach without delay
  • Safeguard PHI
The Department of Health and Human Services' Office for Civil Rights (OCR) imposes significant financial penalties for violations of HIPAA. OCR pursues HIPAA violation cases partly to raise awareness of the HIPAA Rules across the healthcare community. HIPAA fines can easily reach tens of thousands or even millions of dollars, so it is important to understand examples of HIPAA violations, including unintentional ones.
HIPAA violations are often not discovered for months or even years. It is therefore important for healthcare organisations to perform regular compliance reviews so that any weaknesses are quickly mitigated and any HIPAA violations are properly reported. It is better for a healthcare organisation to find its own potential HIPAA violations before they are identified by state or federal regulators. Even when a regulator investigating a PHI breach determines that the breach itself did not involve a HIPAA violation, it is common for the investigation to uncover other violations that result in a financial penalty. Several factors determine the size of the penalty, including how long the violation(s) persisted, the number of violations and the financial position of the healthcare organisation or business associate.
HIPAA violations typically come to light in the following ways:
  1. Investigations of data breaches by OCR or a state attorney general
  2. Complaints from patients or others
  3. HIPAA compliance audits performed by OCR

Examples of HIPAA Violations by Employers

Failure to Perform a Risk Analysis

One of the most common HIPAA violations is the failure to perform a risk analysis, which the HIPAA Security Rule requires of every covered entity and business associate. Organisations should perform a risk analysis on an ongoing basis to determine whether there are any vulnerabilities in the systems that store, process or transmit PHI, and should treat the confidentiality and integrity of PHI as a top priority. Unaddressed risks leave a healthcare organisation vulnerable to attackers and to financial penalties.
Some examples:
  • Premera Blue Cross – $6,850,000
  • Excellus Health Plan – $5,100,000
  • Oregon Health & Science University – $2.7 million
  • CardioNet – $2.5 million
  • Cancer Care Group – $750,000
  • Lahey Hospital and Medical Center – $850,000
  • Steven A. Porter, M.D. – $100,000

Failure to Take Action on Security Risks

A healthcare organisation may identify security risks and not immediately act.  Security risks must be mitigated in a reasonable period and there should be full documentation of what steps were taken.
Some examples:
  • Alaska Department of Health and Social Services – $1.7 million
  • University of Massachusetts Amherst (UMass) – $650,000
  • Metro Community Provider Network – $400,000
  • Anchorage Community Mental Health Services – $150,000

Loss or Theft of Unencrypted Laptops, Cell Phones or USB Devices

Encryption is not strictly mandatory under the HIPAA Security Rule: it is an "addressable" specification, so an organisation that chooses not to encrypt must document why and implement an equivalent alternative safeguard. In practice, some of the most common HIPAA violations occur when unencrypted portable devices are lost or stolen, resulting in a PHI breach. In 2016, Catholic Health Care Services of the Archdiocese of Philadelphia was fined $650,000 after an iPhone holding the PHI of over 400 individuals was lost; the phone had neither a passcode nor encryption enabled. Many states have also passed laws requiring encryption of PHI. Encryption matters for breach notification as well: if an encrypted device is lost or stolen but the decryption key is not compromised, the PHI is not considered "unsecured" and the incident is not a reportable breach.
Portable devices should never be left in cars. It is also good security practice to provide employees with dedicated, centrally managed mobile devices for their jobs, so that they do not use personal devices for work.
Some examples:
  • Children's Medical Center of Dallas – $3.2 million
  • Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000
  • Lifespan Health System Affiliated Covered Entity – $1,040,000

Not Executing a HIPAA-Compliant Business Associate Agreement (BAA)

If a healthcare organisation shares PHI with a business associate without first executing a BAA, that is a HIPAA violation. The purpose of a BAA is to bind the business associate contractually to safeguard the PHI it handles and to comply with the applicable HIPAA requirements, so that everyone working with PHI is aware of their obligations. To be HIPAA compliant, a BAA must be drafted in accordance with the Omnibus Final Rule.
Some examples:
  • Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000
  • North Memorial Health Care of Minnesota – $1.55 million
  • Care New England Health System – $400,000

No or Limited Employee Training

Proper ongoing training is the key to minimising HIPAA breaches. The culture of healthcare organisations and their senior leadership teams must be completely focused on and diligent about protecting PHI. HIPAA breaches often occur because people forget, or become lax about, the privacy and security policies and processes the organisation already mandates. Technology is also evolving rapidly, bringing new applications and complexity. When new technology is combined with a working-from-home (WFH) environment, it is critical that employees and contractors are enrolled in continuous training so that they understand both how to use the new technology and the risks it brings.

Database Breaches

Data breaches cost healthcare firms approximately $9.3 billion in 2019. Unfortunately, they are a fact of life even with substantial cyber security defences. Healthcare organisations are targeted because their data is highly valuable to criminals, and breaches generate negative publicity that damages the reputation of any healthcare organisation. It is very important to keep anti-virus and anti-malware software up to date and active on all devices and servers. Firewalls and intrusion detection systems also help to prevent database breaches. Hospitals and healthcare organisations should also undertake periodic penetration tests and intrusion-detection exercises against their infrastructure. A well-thought-out plan should include hiring an outside third party to attempt to break into the systems. This is called "white hat" hacking, as distinguished from malicious "black hat" hacking: it is done with the knowledge and full consent of the healthcare organisation, for its benefit, and the findings are used to fix weaknesses before a real attacker finds them.

Right of Patients to Access Healthcare Information

The right of patients to access their healthcare information and obtain copies at a reasonable, cost-based fee is fundamental to the HIPAA Privacy Rule. This right matters because it lets patients share their information with other healthcare providers and have errors corrected. A covered entity must act on a patient's access request within 30 days of receiving it (a single 30-day extension is allowed if the patient is told in writing why it is needed); failing to do so may be a HIPAA violation.
Some examples:
  • Cignet Health of Prince George's County – $4,300,000
  • Banner Health – $200,000
  • Dignity Health, dba St. Joseph's Hospital and Medical Center – $160,000
  • NY Spine – $100,000
  • Beth Israel Lahey Health Behavioral Services – $70,000

Inadequate Control Surrounding Access to PHI

After risk assessments are performed, access controls must be put in place and continuously monitored to make sure that PHI is safe: each user should be granted only the access their role requires, and access to PHI should be logged and reviewed. This category of violation has produced the most severe financial penalties.
Some examples:
  • Anthem Inc. – $16,000,000
  • Memorial Healthcare System – $5,500,000
  • Texas Department of Aging and Disability Services – $1,600,000
  • University of California Los Angeles Health System – $865,500
  • Pagosa Springs Medical Center – $111,400

Not Meeting the 60-Day Deadline for Breach Notifications

If a breach of unsecured PHI occurs, a covered entity must notify the affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered.
Some examples:
  • Presence Health – $475,000
  • CoPilot Provider Support Services Inc. – $130,000

Examples of Unintentional HIPAA Violations

Accidentally Sharing PHI with the Public

Conversations between clinical co-workers about a patient's diagnosis, treatment and medications should never take place in public spaces where they can be overheard. Discussing a case within earshot of non-clinical people in a public place such as the hospital cafeteria may seem harmless, but this kind of PHI breach can have significant financial consequences for hospitals and healthcare organisations.
Healthcare organisations can also inadvertently disclose PHI in ways other than a data breach. For example, an organisation may disclose PHI to a patient's employer, or a patient may be filmed or photographed without consent. Paper records containing PHI can also be disclosed accidentally when they are taken offsite and then lost or stolen; organisations should be especially alert to this possibility in today's work-from-home (WFH) environment. Emailing PHI to the wrong person, or sending it from personal email accounts that are not encrypted, can likewise result in a HIPAA breach.
Some examples:
  • Memorial Hermann Health System – $2.4 million
  • New York Presbyterian Hospital – $2,200,000
  • Massachusetts General Hospital– $515,000
  • St. Luke's-Roosevelt Hospital Center – $387,000
  • Brigham and Women's Hospital– $384,000
  • Boston Medical Center – $100,000

Improper Disposal of PHI

Patients become more vulnerable to exposure of their healthcare information if PHI is not disposed of properly. Paper records should be shredded, and hard drives and other media should be wiped or physically destroyed using industry-accepted sanitisation practices (for example, those described in NIST SP 800-88), so that the PHI cannot be recovered.
Some examples:
  • Parkview Health – $800,000
  • Cornell Prescription Pharmacy – $125,000
  • FileFax Inc. – $100,000

Unsecured Records

Any documents or files containing PHI need to be kept in a secure location. Paper files should always be locked in file cabinets and never left unattended. Electronic PHI needs to be protected with strong passwords and encryption, and two-factor authentication (2FA) for access to servers and networks is also critical: a username and a strong password alone are not enough, because passwords are routinely stolen through phishing. Employees should also be trained never to share login credentials, since their co-workers may not have the same access rights, and shared credentials make audit logs useless for identifying who accessed a record. If an employee handling PHI steps away from their desk, they should lock their workstation. Privacy screen filters should also be used so that information is viewable only by the person sitting directly in front of the screen.
Anti-virus and anti-malware software on devices holding PHI should be kept updated automatically so that devices are always protected, and firewalls add a further layer of defence. There is no substitute for strong, unique passwords and two-factor authentication (2FA); current NIST guidance (SP 800-63B) favours changing passwords when compromise is suspected rather than on a fixed schedule.

Employee Dishonesty

HIPAA violations can occur when employees or contractors access PHI that they are not authorised to access. Training should emphasise that accessing PHI out of "curiosity" is still a breach; the absence of malicious intent does not make it any less a violation, and the organisation is still exposed to penalties. "I was just curious" is one of the most common reasons employees give when they violate HIPAA rules. People are curious about their families, friends, co-workers and celebrities. When these violations are discovered, they may lead to criminal charges. One health system in Los Angeles was fined $865,500 for failing to protect access to medical records; an employee, Dr. Huping Zhou, was found to have accessed patient records without authorisation 323 times and was sentenced to four months in federal prison.
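The snooping described in this section, and the access-control failures listed under "Inadequate Control Surrounding Access to PHI", are found by reviewing EHR audit logs against a treatment-relationship table rather than by waiting for a complaint. The following is an added example, not code from this article or from any EHR or audit product: the log format, the user and patient identifiers, the care-team table and the surname directories are all assumptions constructed for illustration.

```python
"""Flag possible "curiosity" access to PHI in an EHR audit trail.

Added example for this article, not code from any real EHR or audit product.
The log format, user and patient identifiers, the treatment-relationship
table and the surname directories are all assumptions made for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail. Assumed CSV format: timestamp,user_id,patient_id,action
SAMPLE_LOG = """\
2024-03-04T08:01:12Z,u_rn_ortiz,p1001,VIEW_CHART
2024-03-04T08:05:40Z,u_rn_ortiz,p1002,VIEW_CHART
2024-03-04T09:12:03Z,u_md_chen,p1001,VIEW_LABS
2024-03-04T09:15:51Z,u_md_chen,p1003,VIEW_CHART
2024-03-04T11:47:19Z,u_md_chen,p2001,EMERGENCY_ACCESS
2024-03-04T12:30:02Z,u_clerk_zhou,p2001,VIEW_CHART
2024-03-04T12:30:45Z,u_clerk_zhou,p2002,VIEW_CHART
2024-03-04T12:31:10Z,u_clerk_zhou,p2003,VIEW_CHART
2024-03-04T12:31:58Z,u_clerk_zhou,p2004,VIEW_CHART
2024-03-04T12:32:33Z,u_clerk_zhou,p2005,VIEW_CHART
2024-03-04T12:33:07Z,u_clerk_zhou,p2006,VIEW_CHART
"""

# Assumed treatment-relationship table: the patients each user is assigned to.
CARE_TEAM = {
    "u_rn_ortiz": {"p1001", "p1002"},
    "u_md_chen": {"p1001", "p1003"},
    "u_clerk_zhou": set(),  # billing clerk with no clinical assignments
}

# Assumed directories, used to spot lookups of possible relatives (same surname).
STAFF_SURNAME = {"u_rn_ortiz": "ortiz", "u_md_chen": "chen", "u_clerk_zhou": "zhou"}
PATIENT_SURNAME = {
    "p1001": "smith", "p1002": "ortiz", "p1003": "lee", "p2001": "brown",
    "p2002": "garcia", "p2003": "patel", "p2004": "kim", "p2005": "nguyen", "p2006": "okafor",
}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse the assumed CSV audit format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Access(when, user, patient, action))
    return records


def audit(accesses, care_team, staff_surname, patient_surname,
          burst_count=5, burst_window=timedelta(minutes=15)) -> dict[str, set[str]]:
    """Return {user_id: set of reasons the user's activity needs review}.

    no_treatment_relationship  - opened a record of a patient the user is not assigned to
    rapid_unassigned_browsing  - at least burst_count such accesses inside burst_window
    emergency_access_review    - used break-the-glass access; permitted but must be justified
    possible_relative          - patient's surname matches the user's (family lookup)
    """
    reasons: dict[str, set[str]] = defaultdict(set)
    unassigned_times: dict[str, list[datetime]] = defaultdict(list)
    for a in accesses:
        assigned = a.patient in care_team.get(a.user, set())
        if a.action == "EMERGENCY_ACCESS":
            reasons[a.user].add("emergency_access_review")
        elif not assigned:
            reasons[a.user].add("no_treatment_relationship")
            unassigned_times[a.user].append(a.ts)
        if staff_surname.get(a.user) and staff_surname.get(a.user) == patient_surname.get(a.patient):
            reasons[a.user].add("possible_relative")
    for user, times in unassigned_times.items():
        times.sort()
        # Sliding window: burst_count unassigned accesses within burst_window looks like browsing.
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window:
                reasons[user].add("rapid_unassigned_browsing")
                break
    return dict(reasons)


if __name__ == "__main__":
    findings = audit(parse_log(SAMPLE_LOG), CARE_TEAM, STAFF_SURNAME, PATIENT_SURNAME)
    for user, why in sorted(findings.items()):
        print(f"{user}: {', '.join(sorted(why))}")
```

Break-the-glass access is deliberately not counted as an unassigned access, because emergency access is permitted; it is reported separately so that a reviewer can confirm the justification. Each finding is a lead for the privacy officer to follow up with the user's manager, not proof of a violation on its own.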

Unauthorised Release of PHI

Members of the media sometimes use social engineering, such as pretending to be a family member, to obtain information about public figures and celebrities. This kind of violation can also happen when PHI is released to family members who are not authorised to receive it. Beyond the clinicians and billing staff involved in a patient's care, only people the patient has authorised in writing, or a personal representative with legal authority (for example, the parent of a minor or the holder of a healthcare power of attorney), are entitled to a person's PHI.
When it comes to discussing PHI, the principle of "need to know" should decide who is in the communication loop, and healthcare organisations should implement access privileges according to the Minimum Necessary standard. Typically, the only people involved should be the patient, the doctors and others providing care, and those handling medical billing.
It is good compliance practice to make sure that disclosure authorisation forms are signed and kept on file. The authorisation form should specify what type of information may be released, to whom, for what purpose, and when the authorisation expires; it may also cover classes of individuals and types of PHI. HIPAA requires every authorisation to state an expiration date or an expiration event; an authorisation without one is not valid. Care should also be taken to obtain a new signed authorisation if disclosures are needed after the expiration date. Healthcare workers must also verify the identity of any individual or entity to whom they provide PHI before releasing it.
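The decision rules above (need to know, the Minimum Necessary standard, a signed authorisation with an expiration, and identity verification before release) can be expressed as a single disclosure check that release-of-information staff or a patient-portal service would run before handing over PHI. The following is an added example, not code from this article or from any real system: the roles, record categories, care-team table and authorisation records are assumptions constructed for illustration.

```python
"""Decide whether a request to disclose PHI may be honoured.

Added example for this article, not code from any real system. The roles,
record categories, treatment-relationship table and authorisation records
are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumed minimum-necessary mapping: the record categories each workforce role may see.
ROLE_CATEGORIES = {
    "physician": {"demographics", "clinical_notes", "labs", "medications"},
    "nurse": {"demographics", "clinical_notes", "labs", "medications"},
    "billing": {"demographics", "billing"},
}

# Assumed treatment-relationship table: the patients each workforce member is assigned to.
CARE_TEAM = {
    "u_rn_ortiz": {"p1001", "p1002"},
    "u_billing_lee": set(),
}


@dataclass(frozen=True)
class Authorization:
    """A signed patient authorisation for disclosure to a named recipient."""
    patient: str
    recipient: str
    categories: frozenset[str]
    signed: date
    expires: date | None = None       # an expiration date, or ...
    expiry_event: str | None = None   # ... an expiration event such as "end of treatment"


@dataclass(frozen=True)
class Request:
    requester: str
    patient: str
    category: str
    purpose: str              # "treatment", "payment" or "other"
    role: str | None = None   # workforce role, or None for an outside party
    identity_verified: bool = False


def authorization_status(auth: Authorization, today: date) -> tuple[bool, str]:
    """HIPAA requires an expiration date or event; a form without one is not valid."""
    if auth.expires is None and auth.expiry_event is None:
        return False, "authorization has no expiration date or event"
    if auth.expires is not None and today > auth.expires:
        return False, "authorization expired"
    return True, "authorization valid"


def may_disclose(req: Request, care_team, authorizations, today: date) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not req.identity_verified:
        return False, "requester identity not verified"
    # Workforce members acting for treatment or payment: need to know plus minimum necessary.
    if req.role is not None and req.purpose in ("treatment", "payment"):
        if req.purpose == "treatment" and req.patient not in care_team.get(req.requester, set()):
            return False, "no treatment relationship with this patient"
        if req.category not in ROLE_CATEGORIES.get(req.role, set()):
            return False, f"{req.category} exceeds minimum necessary for role {req.role}"
        return True, f"permitted for {req.purpose}"
    # Everyone else (family, employer, press, researchers) needs a valid signed authorisation.
    for auth in authorizations:
        if auth.patient == req.patient and auth.recipient == req.requester:
            ok, why = authorization_status(auth, today)
            if not ok:
                return False, why
            if req.category not in auth.categories:
                return False, f"{req.category} not covered by the authorization"
            return True, "permitted by patient authorization"
    return False, "no authorization on file; do not disclose"


# Constructed authorisation records for patient p1001.
AUTHORIZATIONS = [
    Authorization("p1001", "daughter_smith", frozenset({"labs", "medications"}),
                  signed=date(2024, 1, 10), expires=date(2024, 12, 31)),
    Authorization("p1001", "acme_employer", frozenset({"clinical_notes"}),
                  signed=date(2024, 1, 10)),  # no expiration: not a valid authorisation
]

if __name__ == "__main__":
    today = date(2024, 3, 4)
    for r in [
        Request("u_rn_ortiz", "p1001", "labs", "treatment", role="nurse", identity_verified=True),
        Request("u_rn_ortiz", "p1003", "labs", "treatment", role="nurse", identity_verified=True),
        Request("u_billing_lee", "p1001", "clinical_notes", "payment", role="billing", identity_verified=True),
        Request("daughter_smith", "p1001", "labs", "other"),
        Request("daughter_smith", "p1001", "labs", "other", identity_verified=True),
        Request("acme_employer", "p1001", "clinical_notes", "other", identity_verified=True),
        Request("reporter_x", "p1001", "clinical_notes", "other", identity_verified=True),
    ]:
        print(r.requester, r.patient, r.category, may_disclose(r, CARE_TEAM, AUTHORIZATIONS, today))
```

The check is deny-by-default: a caller claiming to be family is refused until their identity is verified, a workforce member is refused both for patients outside their care and for record categories beyond their role, and an outside party is refused unless a signed, unexpired authorisation covering that category is on file. The reason string is meant to be written to the disclosure log alongside the decision.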

Examples of HIPAA Violations by Nurses

As the most trusted clinical professionals, properly trained nurses are an important part of a HIPAA compliance programme. Nurses are responsible for maintaining the security of both paper and electronic PHI. This is a very challenging role, since they are on the front line of patient care, very busy and constantly multitasking. Some of the typical ways that nurses cause HIPAA violations are:
  • Disclosing PHI by speaking about patients in public areas such as the cafeteria or a hallway.
  • Viewing PHI for patients not under their care.
  • Disposing of PHI in paper or electronic form without using approved standard practices.
  • Not protecting PHI from the curious eyes of others around them. Nurses should always make sure that others cannot view their workstation screens or paper documents.
  • Sharing work-related information on social media.