In 2013, the Department of Health & Human Services Civil Division began enforcing the Omnibus rule, which expanded how HIPAA/HITECH regulations are enforced. These acts carry serious fines and penalties for violations, even if they occur by accident or because of an oversight.
Unfortunately, HIPAA compliance is not a given for many healthcare organizations and their business associates, such as answering services and call centers. Violations happen daily because organizations don’t fully understand the security and privacy requirements or the potential ramifications of a breach.
Violation of HIPAA can result in different penalties, including fines and jail time. HIPAA violation examples can be used as cautionary tales for healthcare systems to establish the appropriate controls.
Key Takeaways
1. Any act that puts patient health information at risk of unlawful exposure and exploitation can be considered a HIPAA violation.
2. The best way to prevent HIPAA violations is to understand the law and apply necessary security controls.
3. PatientCalls is a fully HIPAA-compliant medical answering service center that helps healthcare providers expand their operations without incurring any violations.
How Does HIPAA Apply to Healthcare Organizations?
HIPAA, or the Health Insurance Portability and Accountability Act, is a special legislation in the U.S. that specifically applies to healthcare institutions. It is a law that regulates healthcare institutions handling and transmitting patient information using any method.
Every healthcare entity must ensure that its internal communications and its external transmission of PHI and ePHI to and from third-party service providers are HIPAA compliant. PHI and ePHI include written and digital information related to patient treatment and billing, e-mail addresses, IP addresses and other web contact information, as well as photographs and picture IDs.
The law requires the following safeguards:
- Secure emails and SMS texts,
- Business Associate Agreements in place,
- Documented HIPAA Compliance Officer,
- HIPAA Breach Notification Procedure,
- Safe storage of all Personal Health Information.
The HIPAA law was established to protect privacy and the security of patient health records. It also aims to help organizations control data breach risks and ensure continuous operations.
What Is a HIPAA Violation?
Any act that does not conform to the U.S. Federal legislation outlined in the HIPAA is considered a violation. Most common HIPAA violations involve unauthorized access or disclosure of patient information.
Violations are not limited to breaches of patient information. It is also a violation to lack proper security controls and administrative safeguards for electronic patient health information, and failing to train and orient employees on the law is likewise considered a major violation.
The enforcement of the HIPAA is overseen by the Department of Health and Human Services (HHS) in the United States. Specifically, the Office for Civil Rights (OCR) within the HHS enforces the HIPAA Privacy, Security, and Breach Notification Rules.
What Is Considered a HIPAA Violation in the Workplace?
HIPAA defines a breach as follows.
A breach is “the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted which compromises the security or privacy of the protected health information.”
10 Common HIPAA Violations in the Workplace
The HIPAA comprehensively covers the minimum and advanced requirements for protecting patient information. Violations of this law are commonly categorized based on the severity of their potential damages.
We’ve listed the most common examples of HIPAA breaches. To maintain HIPAA compliance, here’s what your medical answering service should not be doing.
- Texting Patient Information
Doctors and other healthcare professionals don’t go anywhere without their phones. However, standard mobile devices and cellular service providers don’t provide the safeguards needed to send/receive texts containing protected health information securely.
If the device is unlocked, anyone with access to it can read the PHI stored on or transmitted through it. Further, information that should be protected becomes vulnerable if the device is stolen or hacked.
SMS, text messages through an app, or any communications, for that matter, need to use encryption and strong password protection to be considered compliant with HIPAA Privacy & Security Rules. To work within the regulations, texts can be sent with encryption or as notifications without including PHI.
- Sending Unsecured E-mails
Some answering services send emails to medical offices or staff members that are neither encrypted nor password-protected.
Yet the HIPAA Security Rule requires these measures for any transmission of ePHI.
- Paging Patient Information to Medical Staff
Some answering services page PHI, such as patient names or telephone numbers, to medical staff. Alpha paging transmissions are not encrypted, so they violate HIPAA regulations.
In addition, pagers are not considered HIPAA-compliant storage devices.
- Lack of an Official HIPAA Compliance Officer (HCO)
HIPAA requires covered entities and third-party business associates to assign a person to the role of HIPAA compliance officer. The appointed HCO can be an employee of the organization or someone external. Either way, the role of the compliance officer is to supervise the implementation of the privacy policy and the security measures for PHI.
Because this role is crucial, special training is required. To operate as the HIPAA Privacy Officer or HIPAA Security Officer or to work under the officer, one must complete the expert training and certification program.
Some answering services do not have a defined HCO or the person appointed as the compliance officer lacks the proper credentials and training. Both issues are considered HIPAA violations.
- Business Associate Agreement Violations
The HIPAA Privacy Rule requires all covered entities to have a signed Business Associate Agreement (BAA) on file for each Business Associate (BA) they work with who may have contact with PHI. Further, the Omnibus Rule made covered entities and Business Associate Subcontractors (BAS) liable for potential violations.
Since that rule change, IT and service providers must sign a BAA and meet the requirements for safeguarding ePHI, even if their staff doesn’t usually access, store, or process it.
Some answering services do not have signed Sub-Contractor Business Associate Agreements on file with all software vendors, and this is cause for heavy fines.
- Improper Storage of Messages
Some answering services are not properly securing, storing, and destroying PHI as required by HIPAA guidelines.
This may include leaving voice messages that contain patient information or storing PHI on mobile devices that are not secured according to HIPAA standards.
- Skipping Agent Training
Not just anyone can work as a call center agent for healthcare organizations. Agents should be trained in HIPAA compliance and fully understand how their role impacts privacy and security.
- Inadequate Cybersecurity Controls
Some answering services are not properly deploying firewalls or necessary means to track and warn of cyber threats.
To ensure compliance with HIPAA regulations, third parties must implement policies and procedures designed to protect sensitive data. Failure to develop and enforce these control measures makes that vendor’s system vulnerable to cyberattacks and potentially more at risk for a data breach.
- Failure to Maintain Audit Records
Some answering services do not properly log every instance of PHI access, whether it occurs through an employee login or a customer request, and whether it is verbal or electronic.
Detailed documentation, including access logs, must be kept for HIPAA auditing purposes. Further, covered entities and BAs must retain HIPAA audit logs going back at least six years.
- Giving out Medical Advice
Medical answering agents are indeed trained, but they are not medical professionals. It is a huge liability for medical answering services to provide any medical advice to patients; they should be referred to a licensed physician or emergency healthcare services.
Examples of HIPAA Violations by Employers
The HIPAA is mainly focused on protecting patient records. Despite this, employers can still commit HIPAA violations while handling data.
Employers are mainly responsible for setting up security controls and providing training programs for employees.
Here are some examples of HIPAA violations that employers can commit:
- Unauthorized access to health records.
- Sharing of employee health information.
- Using health information for employment decisions.
- Retaliation against employees for exercising HIPAA rights.
- Failure to provide privacy notices and consent forms.
- Inadequate training on HIPAA policies.
- Using health information for discriminatory practices.
Employers are expected to understand the HIPAA laws fully. They are also expected to enforce the rules in the workplace and practice cautiousness when handling employee health information.
Examples of HIPAA Violations by Nurses
Nurses and other healthcare providers have direct access to patients’ health information. As such, they are prone to both intentional and unknowing violations.
Here is a list of common examples of HIPAA violations that nurses and healthcare providers can commit:
- Unauthorized access to patient records for personal use.
- Unauthorized disclosure and discussion of patient information.
- Improper disposal of PHI.
- Photographing, recording, or printing of patient records without consent.
- Sharing of information on social media.
- Using personal or unauthorized devices to access patient records.
- Failure to report breaches.
- Unlawful denial of access to patient records.
- Sharing login credentials.
- Failure to maintain records of individuals accessing patient information.
Nurses and healthcare professionals must always practice diligence and security when handling sensitive information. Simple violations such as accessing information for personal use can lead to very serious fines for the healthcare organization.
HIPAA Violation Real Life Examples
The Office for Civil Rights keeps a detailed list of the significant HIPAA violations occurring in the country. HIPAA Journal records 2015 as the year with the highest number of HIPAA violations, with more than 112 million records exposed.
Below are three real-life examples of HIPAA violation cases with significant repercussions in the healthcare industry:
1. Anthem in 2015
Anthem was recognized as one of the largest coverage providers for Americans through affiliated health plans. In 2015, the company was the subject of one of the biggest HIPAA violations in history.
A wide-ranging data breach affected the electronic protected health information of almost 79 million individuals. Hackers had access to the sensitive information from late 2014 until 2015, including social security numbers, names, medical identification numbers, addresses, and other data.
The company settled the HIPAA violation fines in 2016 and paid approximately $16 million to the Department of Health and Human Services. The following failures were identified:
- Failed to conduct enterprise-wide risk analysis
- Insufficient controls for regular review of system activity
- Failed to identify and respond to potential security breach
- Failed to implement minimum security controls
2. Advocate Health Care Network in 2016
In 2016, the company Advocate Health Care Network settled its multiple HIPAA violation penalties amounting to $5.5 million. This settlement is one of the largest recorded by the OCR and one of the largest data breaches in history.
The breach started when four company desktops were stolen from the company’s administrative building in 2013. Within three months of that incident, two more breaches were reported, affecting a total of approximately 4,300 individuals.
The investigation revealed several other violations by the company, including the following:
- Failure to conduct a risk assessment
- Failure to implement security policies and control physical access
- Failure to obtain assurance from business associates
- Failed to encrypt laptop computers, which were stolen
3. Memorial Healthcare System in 2017
The Florida-based company Memorial Healthcare System settled a $5.5 million fine with the OCR for HIPAA violations. The violation involved two employees who were found to have illegally accessed and sold medical records.
The investigation of this breach revealed further HIPAA violations: the company found that 12 other individuals employed by the healthcare facility had also illegally accessed patient health information, affecting 115,143 individuals.
What Are the Consequences of Violating HIPAA Rules?
The penalties for violating HIPAA rules depend on the severity of the violation and your HIPAA status. In general, criminal violations carry fines ranging from $50,000 to $250,000.
In addition, jail terms may be imposed for severe criminal violations. The HIPAA rules set the potential jail time according to the tier of the violation.
- Criminal violations as a result of negligence – up to 1 year in jail
- Obtaining protected health information under false pretenses – up to 5 years in jail
- Knowingly disclosing information with malicious intent – up to 10 years in jail
- Mandatory two-year jail term for aggravated identity theft
Other sanctions may also apply depending on the employment contract. Employers can terminate working contracts, and violators may face criminal charges and further sanctions from professional boards.
The OCR and the affected healthcare system will conduct comprehensive investigations when breaches occur. The appropriate fines will depend on the results of the investigation.
How Much Are HIPAA Violation Fines?
The Department of Health & Human Services enforces HIPAA/HITECH by law, with heavy fines for single violations and maximum penalties for extensive breaches. Each instance of non-compliance can be penalized with fines of $100 per violation up to an annual maximum of $1.5 million.
HIPAA violation fines follow a predetermined tier list set by HHS and the OCR. The HIPAA rules use the following categories to distinguish between violations:
- Tier 1. The entity was unaware of the violation and could not have avoided it even while exercising reasonable care to follow the rules.
- Tier 2. The entity should have been aware of the violation, but it could not have been avoided even with controls in place; this falls short of willful neglect.
- Tier 3. The violation resulted from willful neglect of the rules, but an attempt was made to correct it.
- Tier 4. The violation resulted from willful neglect and no attempt was made to correct it.
Below is the updated 2024 HIPAA penalty structure.
Cause for HIPAA Violation | Minimum Penalty | Maximum Penalty
---|---|---
Individual didn’t know (and by exercising reasonable diligence, would not have known) that HIPAA was violated. | $137 per violation | $68,928 per violation, with an annual maximum of $2,067,813 million per year.
HIPAA violation due to reasonable cause and not due to willful neglect. | $1,379 per violation | $68,928 per violation, with an annual maximum of $2,067,813 million per year.
HIPAA violation due to willful neglect but violation is corrected within the required time period. | $13,785 per violation | $68,928 per violation, with an annual maximum of $2,067,813 million per year.
HIPAA violation due to willful neglect and is not corrected within the required time period. | $68,928 per violation | $2,067,813 million
What Can You Do to Prevent HIPAA Violations?
The best way to prevent HIPAA violations is to know the law and put it into practice by establishing security controls. This law binds all healthcare systems handling patient information and exists to protect the interests of patients.
Follow these best practices to prevent minor and major HIPAA violations:
- Understand the law. The first step to compliance is understanding the law. All employees must be knowledgeable of the objectives of the HIPAA rules.
- Perform training programs. Conduct training programs to ensure that all employees receive thorough education about the regulations, not just HIPAA. This includes orienting them with the company’s security controls and how they can contribute to compliance.
- Implement policies. Develop comprehensive security policies that outline how all patient information should be handled. Write the policies so that employees can adopt them as habits in everyday operations, and promote accountability among the team.
- Establish access controls and physical security. Implement effective access controls to limit access to sensitive information. Ensure that only authorized individuals can reach the information, and keep clear monitoring records of everyone who accesses it. This step also includes other control measures, such as encrypting information and enforcing strong passwords and authentication methods.
- Ensure business associate agreements. In addition to transacting only with credible business associates, secure clear agreements with third-party vendors. Ensure that BAAs include provisions requiring vendors to comply with HIPAA regulations and safeguard PHI appropriately.
- Conduct regular audits and risk assessments. Conduct regular audits and risk assessments to identify vulnerabilities in your organization’s handling of PHI and mitigate risks accordingly. Address any gaps or deficiencies in compliance through corrective action plans.
- Establish a breach response plan. Develop a comprehensive response plan in case breaches occur. This step shows your commitment to protecting patient information and that you are equipped to address problems as they occur.
Preventing HIPAA violations and maintaining continuous compliance takes proactive planning. HIPAA violations affect patients: they put patients at risk, which can lead to more than just a lawsuit.
Healthcare organizations must also be knowledgeable about any amendments that may occur concerning the law.
Protect Your Organization from HIPAA Violations by Partnering with PatientCalls
Your company can avoid these compliance violations and related fines and penalties by trusting a HIPAA-compliant answering service.
PatientCalls has taken the proper steps to ensure compliance with all HIPAA regulations and security protocols.
Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceed all HIPAA, HITECH, and Omnibus laws and regulations. For more information, call us directly at 866-330-5481.