Common HIPAA Violations

#1: Insecure PHI Storage

With PHI security being a primary focus in HIPAA, appropriate safeguards like access controls and encryption must be implemented.

They’re not just for your own self-assurance—financial penalties for not implementing proper securities have gone as high as:

  • $16,000,000 for Anthem Inc. in 2018
  • $5,500,000 for Memorial Healthcare System in 2017
  • $3,200,000 for Children’s Medical Center of Dallas in 2017
  • $1,600,000 for Texas Department of Aging and Disability Services in 2019

#2: Hacking & Data Breaches

Stemming from insecure storage, it’s also important to protect PHI from being hacked and stolen by external bad actors.

Besides implementing basic encryption and access controls, other steps to take for limiting the risk of data breach include:

  • Keeping antivirus software up to date
  • Installing a firewall security system
  • Using a virtual desktop infrastructure (VDI)
  • Adding tiered access controls for layered security
  • Regularly changing device passwords

#3: Employee PHI Misuse and Abuse

Considering their constant handling of PHI, employees are one of the most common sources of HIPAA violations.

Whether knowing or unknowingly, there are a range of violations committed by employees that in turn need to be covered in HIPAA training programs, including:

  • Removing PHI from the facility
  • Downloading PHI onto unauthorized devices
  • Emailing/sending PHI to personal accounts
  • Accessing PHI from an unsecure device or location
  • Losing devices with PHI either by accident or theft
  • Leaving electronics and paperwork unattended
  • Speaking about and sharing PHI with unauthorized parties or family members

#4: Improper PHI Disclosure

If you were to have access to PHI and discussed it with those who aren’t authorized to do so it would be a direct violation of HIPAA.

It may not be the first violation to come to mind when it comes to HIPAA compliance, but it’s nonetheless important to ensure PHI is only discussed with people who are directly involved, including:

  • Patients
  • Doctors and medical staff
  • Individuals billing the procedure
  • Pharmacists & other medication providers
  • Other general medical service providers

#5: Unsecure Technology to Share & Access PHI

Similar to the violation risk of removing PHI from a facility, accessing PHI from unsecure places like a home computer or sharing PHI over text is another common source of HIPAA violations.

Rather than using personal devices to share, store, and access PHI, it’s recommended to instead implement a central electronic health records (EHR) system for storing information with tools like authentication, access controls, and encryption to protect PHI and ensure HIPAA compliance.

#6: Improper PHI Disposal

It’s important that when it’s time for PHI to be disposed, proper steps are taken to ensure it’s safely destroyed.

Although HIPAA doesn’t specify a method for destroying PHI, shredding services are frequently used not only because of their cost efficiency compared to alternatives, but also because they provide certificates of destruction.

A certificate of destruction is a key tool that can be used to provide proof of HIPAA compliance in case of any legal disputes, and includes information like where and when the shredding was done, who did it, and witness signatures.

#7: Not Performing an Organization-Wide Risk Analysis

Regularly conducting a risk assessment helps organizations to determine whether any vulnerability to the confidentiality, integrity, and availability of their PHI exists, and although it’s beneficial for organizations just for shoring up their securities, it’s also required by HIPAA.

Recent HIPAA settlements for not conducting a risk analysis include:

  • $2,700,000 for Oregon Health & Science University
  • $2,500,000 for Cardionet
  • $850,000 for Lahey Hospital & Medical Center
  • $750,000 for Cancer Care Group

#8: Failing to Implement a Risk Management Process

Conducting an organization risk assessment is important, but it doesn’t end there.

Although performing a risk analysis will keep you HIPAA compliant, it’s also necessary to follow it up by implementing a risk management process to address the identified risks.

Recent organizations who conducted a risk assessment but failed to act on them include:

  • $1,700,000 for the Alaska Department of Health and Social Services
  • $650,000 for the University of Massachusetts Amherst (UMass)
  • $400,000 for the Metro Community Provider Network
  • $150,000 for the Anchorage Community Mental Health Services

#9: Releasing PHI to an Unauthorized Party

A patient’s PHI can only be released to its listed recipients and disclosing the information to an unauthorized party is a direct violation of HIPAA.

This common violation is typically the result of one of the following errors:

  • Releasing PHI to unauthorized family members
  • Releasing the wrong patient’s PHI
  • Releasing PHI to 3rd parties that aren’t medically involved

#10: Basic Form Violations

The HIPAA Privacy Rule contains the right to revoke clause, which is a statement used on authorization forms to tell patients that they can legally void their approval for covered entities to use and disclose their PHI.

Without including the right to revoke statement on authorization forms, the use of PHI in any way will be a HIPAA violation.