Examples of unintentional HIPAA violations are, unfortunately, numerous.
In fact, it is easier to find examples of unintentional HIPAA violations than intentional ones.
That is to say, in most cases a HIPAA covered entity or business associate does not go out of its way to expose the protected health information (PHI) or medical records of its patients. Nor does it actively welcome data breaches, or deliberately give an unauthorized person or persons access to patients’ sensitive medical information.
On the contrary – the reality is that most healthcare organizations want to do everything in their power to safeguard medical records, grant only authorized access to PHI and always maintain HIPAA compliance.
Nonetheless, accidental HIPAA violations are common.
And when such violations occur, the healthcare organization can expect fines and legal action to be pursued by the Department of Health and Human Services (HHS).
Consequences of HIPAA Violations
In simple terms, a HIPAA violation occurs when a HIPAA covered entity or business associate does not maintain appropriate safeguards to prevent either the intentional or unintentional disclosure of PHI.
Specifically, HIPAA covered entities are required to implement technical, physical, and administrative safeguards of PHI to maintain HIPAA compliance.
Failure to do so can lead to huge penalties.
Because the penalty structure is tiered, the actual size of the penalty issued depends on the severity of the violation.
As the HIPAA Journal points out, most HIPAA violations are the result of negligence, such as the failure to perform appropriate risk assessments. Willful neglect is the worst kind of HIPAA violation – but suffice it to say, even accidental violations can result in a hefty fine.
In all, there are four tiers that make up the penalty structure, outlined in the graphic below.
(Image source: hipaajournal.com)
Examples of Unintentional HIPAA Violations
Every year, the HHS’s Office for Civil Rights (OCR) collects millions of dollars in penalties for HIPAA violations across all four tiers.
Let’s look at some real-life examples of unintentional HIPAA violations in recent history that cost healthcare organizations big for inadvertently disclosing or exposing PHI.
1. Right of Access Violation
In November 2020, the OCR fined the Riverside Psychiatric Medical Group $25,000 for violating the HIPAA Right of Access provision under the HIPAA Privacy Rule.
The case is a prime example of how practices can be fined on technicalities – and underlines the importance of understanding exactly how each HIPAA provision works.
The HIPAA Right of Access provision gives patients the right to obtain a copy of their health information upon request. There is an exception to this right, however, with regards to psychotherapy notes, which should not be provided.
A Riverside patient made several requests for her medical records. The practice did not provide them, as they contained psychotherapy notes. However, under the HIPAA Right of Access, when requests are received, the patient must be provided with a written explanation as to why the records will not be provided.
In addition, the correct practice is to provide records, minus any psychotherapy notes. Before the OCR intervened, Riverside had neither written to the patient to offer an explanation, nor provided the requested medical records, resulting in the fine being issued.
2. Failure to Terminate Access Rights when Employee Leaves
Also in November 2020, the OCR collected $202,400 from the City of New Haven, Connecticut, following a HIPAA violation.
An investigation found that an employee of the New Haven Health Department had been terminated from her position on July 27, 2016. However, the former employee subsequently returned to her office – using her still-active access key to enter – and logged into her old computer using her still-active username and password. She proceeded to download the PHI of 498 patients onto a USB drive (a clear-cut data breach) before exiting the premises.
Additionally, the investigation revealed the employee had shared her login credentials with an intern, who continued to use them to access PHI after the employee’s termination. HIPAA does not permit the sharing of login credentials, as it makes it impossible to track information system activity accurately.
In all, the OCR concluded that between 2014 and 2018, HIPAA Privacy Rule policies and procedures had not been implemented.
Namely, procedures were not in place to terminate access to PHI when the employment of a workforce member ends, nor had New Haven assigned unique usernames and passwords to all staff to track individual user activity.
As OCR Director Roger Severino put it, “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
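As an added illustration (not code from this page or from the New Haven investigation), the reconciliation below checks HR offboarding records against the state of accounts and badges and against access events, flagging the failure modes described above: access still active after a termination date, activity after that date, and accounts that cannot be attributed to an individual. All users, records and events are constructed sample data.

```python
from datetime import date, datetime

# Constructed sample data. The termination date mirrors the case above;
# the users, account states and events are invented for the example.
HR_RECORDS = {
    "jdoe": {"terminated": date(2016, 7, 27)},   # terminated employee
    "asmith": {"terminated": None},               # still employed
}
ACCOUNTS = {
    "jdoe": {"enabled": True, "badge_active": True},     # never deprovisioned
    "asmith": {"enabled": True, "badge_active": True},
    "shared-lab": {"enabled": True, "badge_active": False},  # no HR owner
}
EVENTS = [  # (timestamp, user, source) - constructed login / badge events
    ("2016-07-26 09:00", "jdoe", "workstation-12"),
    ("2016-07-29 18:41", "jdoe", "workstation-12"),  # after termination
    ("2016-07-30 08:05", "jdoe", "badge-door-3"),    # after termination
    ("2016-07-28 10:10", "asmith", "workstation-7"),
    ("2016-08-01 11:00", "shared-lab", "workstation-9"),
]


def offboarding_findings(hr, accounts, events):
    """Return (user, message) pairs for every offboarding control gap."""
    findings = []
    for user, acct in accounts.items():
        rec = hr.get(user)
        if rec is None:
            # Without a named owner, activity cannot be traced to a person.
            findings.append((user, "no HR owner: activity cannot be attributed to an individual"))
            continue
        term = rec["terminated"]
        if term is None:
            continue
        if acct["enabled"]:
            findings.append((user, f"account still enabled after termination on {term}"))
        if acct["badge_active"]:
            findings.append((user, f"badge still active after termination on {term}"))
    for ts, user, source in events:
        term = (hr.get(user) or {}).get("terminated")
        if term and datetime.strptime(ts, "%Y-%m-%d %H:%M").date() > term:
            findings.append((user, f"activity at {ts} from {source} after termination on {term}"))
    return findings


if __name__ == "__main__":
    for user, msg in offboarding_findings(HR_RECORDS, ACCOUNTS, EVENTS):
        print(f"{user}: {msg}")
```

Run against real HR and identity exports, the same check gives an auditable list of accounts that should have been disabled the day employment ended.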
3. PHI Disclosures on Yelp
In October 2019, the OCR collected $10,000 from Elite Dental Associates in Dallas, Texas, due to disclosures of multiple patients’ PHI on the online review website Yelp.
The case related to an incident in June 2016, when the OCR received a complaint from an Elite patient, who claimed the dental practice had publicly disclosed her PHI on Yelp in response to a review she had left. It was found that Elite had disclosed the patient’s name, as well as details of her health condition, treatment plan, insurance, and cost information.
The following investigation found this was not the first time such an incident had occurred.
Ultimately, the OCR ruled that Elite was in breach of several provisions pertaining to the HIPAA Privacy Rule.
“Social media is not the place for providers to discuss a patient’s care,” said Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
4. Failure to Obtain a Business Associate Agreement
All HIPAA covered entities must obtain a business associate agreement (BAA) from any third parties they work with who handle PHI.
No information sharing between such parties is HIPAA compliant until a BAA has been signed.
In 2016, Raleigh Orthopedic Clinic in North Carolina was fined $750,000 for failing to enter into a BAA with an outside vendor, who was tasked with converting X-Ray films into digital format.
Raleigh handed over the PHI of 17,300 patients without obtaining a BAA detailing the responsibilities the company had to ensure X-Ray data were safeguarded in accordance with HIPAA rules.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Maintain HIPAA Compliance with Central Data Storage
HIPAA is a minefield of potential violations that anyone can unintentionally fall foul of during the normal course of work.
From lost or stolen USB drives, to lack of employee HIPAA training, to the access of PHI by a person without their own unique login credentials – costly mistakes are common occurrences.
If you’re concerned about your current practices, why not take a free, no-obligation data assessment from Central Data Storage? During the assessment we will provide you with actionable insights on how to improve your data security processes and recommend solutions that fit your business’s unique needs.
At Central Data Storage, our mission is to help HIPAA covered entities meet regulatory requirements and avoid HIPAA violations.
Our Encrypted Sharing and Data Backup & Recovery products are HIPAA compliant by design and we sign BAAs with all our clients.
In addition, we work hand in hand with covered entities to help them develop and implement policies, procedures, and training programs so they can be sure their whole organization is fully HIPAA compliant.