Real-life examples of unintentional HIPAA violations that cost healthcare organizations big money for inadvertently disclosing or exposing PHI. What is the best data recovery software and ransomware protection to deal with these common human errors?
Unintentional HIPAA violation examples are, unfortunately, numerous.
In fact, it is easier to find examples of HIPAA violations that are unintentional than intentional ones.
That is to say that, in most cases, a HIPAA covered entity or business associate does not go out of its way to expose the protected health information (PHI) or medical records of its patients. Nor do they actively welcome data breaches, or deliberately give an unauthorized person or persons access to patients’ sensitive medical information.
On the contrary – the reality is that most healthcare organizations want to do everything in their power to safeguard medical records, grant only authorized access to PHI and always maintain HIPAA compliance.
Nonetheless, accidental HIPAA violations are common.
And when such violations occur, the healthcare organization can expect fines and legal action to be pursued by the Department of Health and Human Services (HHS).
Consequences of HIPAA Violations
In simple terms, a HIPAA violation occurs when a HIPAA covered entity or business associate does not maintain appropriate safeguards to prevent either the intentional or unintentional disclosure of PHI.
Specifically, HIPAA covered entities are required to implement technical, physical, and administrative safeguards of PHI to maintain HIPAA compliance.
Failure to do so can lead to huge penalties.
Because the penalty structure is tiered, the actual size of the penalty issued depends on the severity of the violation.
As the HIPAA Journal points out, most HIPAA violations are the result of negligence, such as the failure to perform appropriate risk assessments. Willful neglect is the most serious category of HIPAA violation, but suffice it to say that even accidental violations can result in a hefty fine.
In all, there are four tiers that make up the penalty structure, outlined in the graphic below.
(Image source: hipaajournal.com)
Examples of Unintentional HIPAA Violations
Every year, the HHS’s Office for Civil Rights (OCR) collects millions of dollars in penalties for HIPAA violations across all four tiers.
Let’s look at some real-life examples of unintentional HIPAA violations in recent history that cost healthcare organizations big for inadvertently disclosing or exposing PHI.
1. Right of Access Violation
In November 2020, the OCR fined the Riverside Psychiatric Medical Group $25,000 for violating the HIPAA Right of Access provision under the HIPAA Privacy Rule.
The case is a prime example of how practices can be fined on technicalities – and underlines the importance of understanding exactly how each HIPAA provision works.
The HIPAA Right of Access provision gives patients the right to obtain a copy of their health information upon request. There is an exception to this right, however, with regard to psychotherapy notes, which should not be provided.
A Riverside patient made several requests for her medical records. The practice did not provide them, as they contained psychotherapy notes. However, under the HIPAA Right of Access, when requests are received, the patient must be provided with a written explanation as to why the records will not be provided.
In addition, the correct practice is to provide records, minus any psychotherapy notes. Before the OCR intervened, Riverside had neither written to the patient to offer an explanation, nor provided the requested medical records, resulting in the fine being issued.
2. Failure to Terminate Access Rights when Employee Leaves
Also in November 2020, the OCR collected $202,400 from the City of New Haven, Connecticut, following a HIPAA violation.
This is a HIPAA breach example that could easily happen at many organizations.
An investigation found that an employee of the New Haven Health Department had been terminated from her position on July 27, 2016. However, the former employee subsequently returned to her office – using her still-active access key to enter – and logged into her old computer using her still-active username and password. She proceeded to download the PHI of 498 patients onto a USB drive (a clear-cut data breach) before exiting the premises.
Additionally, the investigation revealed the employee had shared her login credentials with an intern, who continued to use them to access PHI after the employee’s termination. HIPAA does not permit the sharing of login credentials, as it makes it impossible to track information system activity accurately.
In all, the OCR concluded that between 2014 and 2018, HIPAA Privacy Rule policies and procedures had not been implemented.
Namely, procedures were not in place to terminate access to PHI when the employment of a workforce member ends, nor had New Haven assigned unique usernames and passwords to all staff to track individual user activity.
As OCR Director Roger Severino put it, “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
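As an added example (not code from the original article or from Central Data Storage), the following Python reconciliation shows what the two controls missing in the New Haven case look like in practice: comparing an HR roster against enabled accounts to find users who should have been deprovisioned, scanning an access log for activity after a termination date, and flagging one username logging in from two workstations within minutes, which is how shared credentials tend to surface in audit logs. All users, hosts and log lines are constructed, and the log format is an assumed `timestamp key=value ...` layout.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data (hypothetical users and hosts, not from the New Haven case file).
HR_ROSTER = {"jdoe": date(2016, 7, 27), "asmith": None}   # None = still employed
ENABLED_ACCOUNTS = {"jdoe", "asmith", "intern01"}          # intern01 has no HR record at all
ACCESS_LOG = """\
2016-07-28T14:02:00 user=asmith host=WS-03 action=login
2016-07-29T09:12:03 user=jdoe host=WS-14 action=login
2016-07-29T09:15:40 user=jdoe host=WS-14 action=export records=498 dest=usb
2016-07-29T09:20:11 user=jdoe host=WS-07 action=login
"""

def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        rec.update(p.split("=", 1) for p in pairs)
        events.append(rec)
    return events

def orphaned_accounts(roster, enabled, today):
    """Enabled accounts whose owner is terminated as of `today` or is unknown to HR."""
    return {u for u in enabled
            if u not in roster or (roster[u] is not None and roster[u] <= today)}

def post_termination_access(events, roster):
    """Log events attributed to a user after that user's termination date."""
    return [e for e in events
            if roster.get(e["user"]) is not None and e["ts"].date() > roster[e["user"]]]

def concurrent_hosts(events, window=timedelta(minutes=15)):
    """Same username logging in from two different hosts within `window`: a sharing indicator."""
    logins = defaultdict(list)
    for e in events:
        if e.get("action") == "login":
            logins[e["user"]].append(e)
    flagged = {}
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= window:
                flagged[user] = (a["host"], b["host"])
    return flagged

if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("orphaned:", orphaned_accounts(HR_ROSTER, ENABLED_ACCOUNTS, date(2016, 7, 29)))
    print("post-termination:", [(e["ts"], e["user"], e["action"]) for e in post_termination_access(evs, HR_ROSTER)])
    print("shared-credential suspects:", concurrent_hosts(evs))
```

Running the same three checks on a nightly schedule, with the HR feed as the source of truth, is the procedural control whose absence OCR cited here.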
3. PHI Disclosures on Yelp
In October 2019, the OCR collected $10,000 from Elite Dental Associates in Dallas, Texas, due to disclosures of multiple patients’ PHI on the online review website Yelp, an example of a social media HIPAA violation.
The case related to an incident in June 2016, when the OCR received a complaint from an Elite patient, who claimed the dental practice had publicly disclosed her PHI on Yelp in response to a review she had left. It was found that Elite had disclosed the patient’s name, as well as details of her health condition, treatment plan, insurance, and cost information.
The ensuing investigation found this was not the first time such an incident had occurred.
Ultimately, the OCR ruled that Elite was in breach of several provisions pertaining to the HIPAA Privacy Rule.
“Social media is not the place for providers to discuss a patient’s care,” said Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
4. Failure to Obtain a Business Associate Agreement
All HIPAA covered entities must obtain a business associate agreement (BAA) from any third parties they work with who handle PHI.
No information sharing between such parties is HIPAA compliant until a BAA has been signed.
In 2016, Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for failing to enter into a BAA with an outside vendor that had been tasked with converting X-ray films into digital format.
Raleigh handed over the PHI of 17,300 patients without obtaining a BAA setting out the vendor’s responsibilities for safeguarding the X-ray data in accordance with HIPAA rules.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
What Happens if Someone Accidentally Violates HIPAA
The HIPAA regulations state that an accidental HIPAA violation must be reported to the covered entity within 60 days of discovery. It’s important that notifications are sent as soon as possible, without unnecessary delay.
Failure to report a breach in a timely manner can turn a simple error into a major incident that could result in disciplinary action and penalties for the employer.
Maintain Compliance with Central Data Storage
HIPAA is a minefield of potential violations to which anyone can unintentionally fall foul during their normal course of work.
From lost or stolen USB drives, to a lack of employee HIPAA training, to PHI being accessed by someone without their own unique login credentials, costly mistakes are common occurrences.
If you’re concerned about your current practices, why not be proactive and implement solutions that ensure you never fall afoul of HIPAA? Central Data Storage can provide you with actionable insights on how to improve your data security processes and implement solutions that fit your business’s unique needs.
UnisonBDR and WisperMSG are Central Data Storage’s two unique, compliant, and ransomware-proof solutions to help HIPAA covered entities meet regulatory requirements and avoid HIPAA violations.
In addition, we work hand in hand with covered entities to help them develop and implement policies, procedures, and training programs so they can be sure their whole organization is fully HIPAA compliant.