In 2017, Memorial Healthcare Systems was fined a then-record $5.5 million for HIPAA violations. This broke the existing HIPAA violation record set by Cignet Health of Maryland, who had been penalized $4.3 million in 2010. Why are these HIPAA violation fines so important, and is there a problem that truly needs to be solved? According to Wikipedia, nearly 174 million people’s information has been improperly accessed, via error or breach, since the original passage of HIPAA.
The Health Insurance Portability and Accountability Act, known more generally as HIPAA, is a US law that sets privacy and security standards to protect patient information from unauthorized access. HIPAA was originally created to allow for the modernization of medical record-keeping while safeguarding what the law calls protected health information (PHI): individually identifiable health information held or transmitted by a covered entity. While the intentions behind HIPAA were entirely positive, the regulations that flow out of it have had profound effects on the healthcare industry, and on the lives of patients, who frequently find themselves signing voluminous HIPAA notices each time they visit a healthcare provider.
While the HIPAA violation examples cited above represent the most substantial penalties levied to date, any healthcare-related organization whose processes and procedures are not fully compliant is exposed to significant jeopardy. The law defines two classes of violation, which can be reasonably summarized as those that stem from carelessness and those that stem from unlawful intent. More specifically, violations can result in either civil or criminal penalties.
HIPAA violations that can result in civil penalties fall into four tiers:
Violations the person did not know about and could not reasonably have known about
Violations that occur due to reasonable cause rather than willful neglect
Violations due to willful neglect, but which are corrected within 30 days of discovery
Violations due to willful neglect that are not corrected within that period
The implications of even a civil penalty can be substantial, ranging (in the original statutory figures, before inflation adjustment) from $100 per violation in the first tier, with an annual maximum of $25,000 for identical violations, to $50,000 per violation in the last tier, with an annual maximum of $1.5 million.
By contrast, there are three classes of HIPAA violation that can result in criminal jeopardy:
Covered entities and specified individuals who knowingly obtain or disclose HIPAA-covered PHI in violation of the law
Obtaining or disclosing HIPAA-covered PHI under false pretenses
Obtaining or disclosing HIPAA-covered PHI with intent to sell, transfer, or use that information for commercial advantage, personal gain, or malicious harm
Criminal penalties can be extremely harsh, scaling with the class of offense: fines of up to $50,000, $100,000, and $250,000 respectively, and prison sentences of up to one, five, and ten years.
The ten most common examples of HIPAA violations include:
Individuals accessing information to which they do not have access rights
Failing to execute organization-wide risk analyses
Failed or non-existent risk management processes, which can result in an actionable failure to reduce security risks to a reasonable and appropriate level
Making business associate agreements that are not, themselves, HIPAA compliant, or sharing PHI with a vendor without one
Insufficient access controls to stored data, known as electronic protected health information (ePHI)
Failure to implement encryption, or an equivalent documented alternative, to protect ePHI
Failing to notify affected individuals of a data breach without unreasonable delay, and in any case within 60 days of the breach being discovered
Impermissible disclosures of any protected health information
Failure to dispose of protected health information properly
Denying patients access to their own protected health information, including exceeding the HIPAA-defined time limit for responding to a request (30 days, extendable once by a further 30 days)
Each of these circumstances can come to light and result in civil or criminal action and hefty penalties. For example, Dr. Huping Zhou, then of the UCLA Health System, was found to have improperly accessed the protected health information of celebrities and other patients, resulting in his becoming the first individual sent to prison for a HIPAA violation (a four-month sentence), and the UCLA Health System paying a settlement of $865,500.
Other notable HIPAA violation examples include:
In 2016, an orthopedic clinic ran afoul of HIPAA by contracting with a service to convert their past X-Rays to digital files so they could harvest the silver from the old physical copies—but failed to obtain a proper Business Associate Agreement
The University of Iowa was forced to terminate a student health care employee who inadvertently revealed a patient’s pregnancy while chatting with a colleague
And of course, 13 employees at a Los Angeles health provider were fired for sneaking a peek at Britney Spears’ medical records
While most HIPAA violations are defined in unsurprisingly technical terms, there is a range of easily-understandable ways to avoid them. One way to avoid violations is to carefully review the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. Our top tips for avoiding HIPAA violations are:
Keep records secured, applying the principle of least privilege, ensuring every user is strictly limited to only the information they must be able to access, and log every access so that snooping can be detected
Encrypt all data, at rest and in transit, including on portable devices such as external hard drives and thumb drives
Keep all antivirus software up to date and install the latest updates on all routers and other networking devices to close known vulnerabilities
Ensure all connected devices, such as laptops, iPads, and mobile phones, have strong passwords or PINs to protect against unauthorized access when devices are lost or stolen
Implement a comprehensive training program for all employees to avoid violations driven by ignorance
Implement strong HR policies against gossiping to protect against inadvertent disclosure of protected health information
Provide clear processes around the disciplinary risks employees take when violating HIPAA
Contract, using an approved Business Associate Agreement, with a reputable service to destroy records
Update HR policies to ensure employees who provide information to unauthorized individuals are subject to swift dismissal
Educate all staff members on who would constitute appropriate individuals to whom protected health information can be revealed, including specific instructions on the familial relationships that do or do not confer access rights
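The first tip above, least privilege plus an audit trail, is the control that would have caught the record-snooping in the Zhou case. The following is an added illustrative example, not code from PubNub or from this article: a small deny-by-default authorization layer for patient records that requires both a permitted role and a treatment relationship (membership of the patient's care team) before clinical data is released, records every decision, and flags users who accumulate denied reads. All user, patient, and role names are constructed for the example.

```python
"""Least-privilege access to ePHI with an audit trail and snooping detection.

Added example; the data model, names and thresholds are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data: clinicians on each patient's care team.
CARE_TEAM: Dict[str, Set[str]] = {
    "patient-001": {"dr.patel", "nurse.kim"},
    "patient-002": {"dr.patel"},
    "patient-003": {"dr.lopez"},
}

# Minimum necessary: which record sections each role may ever read.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"clinical", "demographics"},
    "nurse": {"clinical", "demographics"},
    "billing": {"demographics"},
}

USERS: Dict[str, str] = {
    "dr.patel": "physician",
    "nurse.kim": "nurse",
    "dr.lopez": "physician",
    "clerk.ng": "billing",
}


@dataclass
class AuditEntry:
    user: str
    patient: str
    section: str
    allowed: bool
    reason: str


class EphiAccessControl:
    """Deny by default. Clinical sections additionally require a care-team
    relationship; break-glass emergency access bypasses that check but is
    always recorded so it can be reviewed afterwards."""

    def __init__(self, users, role_permissions, care_team):
        self.users = users
        self.role_permissions = role_permissions
        self.care_team = care_team
        self.audit_log: List[AuditEntry] = []

    def authorize(self, user: str, patient: str, section: str,
                  break_glass: bool = False) -> bool:
        role = self.users.get(user)
        if role is None:
            allowed, reason = False, "unknown user"
        elif section not in self.role_permissions.get(role, set()):
            allowed, reason = False, f"role {role} may not read {section}"
        elif section == "clinical" and break_glass:
            allowed, reason = True, "break-glass emergency access"
        elif section == "clinical" and user not in self.care_team.get(patient, set()):
            allowed, reason = False, "no treatment relationship"
        else:
            allowed, reason = True, "permitted by role and relationship"
        # Every decision, allowed or not, goes to the audit trail.
        self.audit_log.append(AuditEntry(user, patient, section, allowed, reason))
        return allowed

    def flag_snooping(self, threshold: int = 3) -> Set[str]:
        """Users with at least `threshold` denied reads: the pattern of someone
        browsing records they have no relationship with."""
        denied = Counter(e.user for e in self.audit_log if not e.allowed)
        return {u for u, n in denied.items() if n >= threshold}

    def break_glass_events(self) -> List[AuditEntry]:
        """Emergency accesses that a privacy officer should review."""
        return [e for e in self.audit_log if e.reason.startswith("break-glass")]


if __name__ == "__main__":
    acl = EphiAccessControl(USERS, ROLE_PERMISSIONS, CARE_TEAM)
    acl.authorize("dr.patel", "patient-001", "clinical")          # allowed
    acl.authorize("clerk.ng", "patient-001", "clinical")          # denied: role
    for p in CARE_TEAM:                                            # nurse browses all charts
        acl.authorize("nurse.kim", p, "clinical")
    print("flagged:", acl.flag_snooping(threshold=2))
    for e in acl.audit_log:
        print(e)
```

The care-team check is what distinguishes a legitimate clinician from one browsing a celebrity's chart; the audit log is what lets the organization find the latter before an investigator does. In a real deployment the log would be written to append-only storage and the snooping threshold tuned to the unit's normal denial rate.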
Most importantly, ensure that any and all new or updated IT technology, software, and programs are carefully vetted for their adherence to HIPAA regulations. The Texas Health and Human Services Commission (formerly Department of Aging and Disability Services, or DADS) was fined $1.6 million in 2019 for a HIPAA violation when they migrated an internal application from a private secure server to a public one, resulting in a breakdown in access controls and making it possible for anyone to read any of the stored records. To avoid such a scenario, ensure that vendors provide documented evidence of HIPAA compliance.
The final sticky issue is instant messaging. Because consumer SMS and messaging platforms (such as iMessage or Facebook Messenger) operate without a Business Associate Agreement and give the organization no control over access, retention, or audit logging, communicating protected health information across them is almost guaranteed to result in a HIPAA violation. The safest approach is either to purchase a pre-built solution whose vendor will sign a Business Associate Agreement, or to build an internally maintained one that is regularly reviewed for regulatory compliance.
As time goes by, the volume of HIPAA violation examples continues to grow, as do the sizes of the penalties imposed. To avoid becoming a cautionary tale, organizations managing protected healthcare information must dedicate substantial and regular time and effort to ensuring their total compliance.