The healthcare industry has been plagued by inadequate security measures and common protocol mistakes that result in significant HIPAA penalties imposed by the Office for Civil Rights (OCR).
Poor security protocols, neglected risk assessment audits, internal human errors, and the lack of employee HIPAA training are just a few factors contributing to lost, compromised, or stolen patient data and sensitive medical records. In fact, almost 40% of medical office professionals do not clearly understand HIPAA regulations.
As of 2022, there have been over 300,000 registered complaints for violations of HIPAA laws reported to the OCR. With the right security controls implemented, regular auditing, and proper employee training, HIPAA violations can be easily avoided. This article will cover the most common violations of HIPAA, the potential damages they carry, advice on prevention methods to minimize risks, and the best practices to avoid them.
Top 10 Most Common HIPAA Violations
The most important thing to remember about the HIPAA Privacy Rule is that the security of sensitive patient information should always be prioritized. Any number of careless or negligent practices can result in the loss of medical records, which can lead to large fines and penalties.
1. Poor Access Control Policies
The HHS (Department of Health and Human Services) and state attorneys general cite “failure to implement proper access controls” for protecting patient information as one of the most common HIPAA violations by healthcare services.
Digitally accessible medical records, i.e. ePHI (electronic protected health information), carry their own risks and vulnerabilities and must be secured accordingly. This includes medical staff or physicians who may inadvertently access PHI that they aren’t authorized to view.
Under the HIPAA Security Rule, all third-party business associates and healthcare providers must have restricted access controls for protecting and storing ePHI. This way, only authorized personnel have access to the sensitive data.
To avoid the risks of unauthorized parties (cybercriminals or insider threats) gaining unauthorized access to ePHI, healthcare organizations must:
- Implement security risk control measures such as a zero-trust model
- Ensure continuous activity monitoring that tracks all devices and systems
- Use two-factor (2FA) or multi-factor authentication (MFA)
- Use temporary authorization codes to ensure the right parties are accessing only the information they need
- Decide which security measure is both the most HIPAA-compliant and most efficient without slowing down workflow
2. Device Theft
One of the most common ways that PHI is lost is through device theft. Lost or stolen devices from healthcare institutions usually contain sensitive data that may be used for cyber crimes such as medical fraud or identity theft. Stolen devices typically include mobile devices, laptops, and USB drives.
Device theft is often the result of poor physical security and a lack of device policies within the institution. Physicians or doctors often take their work devices home and leave them unattended in cars, hotel rooms, or other public areas, which results in the devices being stolen. In most cases of device theft, the devices were also left unencrypted, which makes matters worse.
To avoid devices being stolen, healthcare institutions need to create policies surrounding the following:
- Employee training around proper device handling and storage policies
- Physical device security (physical security and sign-out policies)
- Device encryption (in case of theft)
- Device tracking software
- Reporting device theft
3. Failure to Encrypt and Secure Data
Many healthcare providers also neglect to encrypt their data or implement an equivalent security measure that would safeguard important PHI. Oftentimes with device theft, the information is left completely open and unsecured, making it easier for criminals to access that data.
However, in the case of cyber attacks, the healthcare institution needs to have some type of defense to protect patient records. If the cybercriminal successfully breaches initial cyber defenses, there need to be safeguards that significantly reduce their chances of accessing that data.
While HIPAA doesn’t mandate healthcare providers to encrypt their data, data breaches involving medical records that are unencrypted may be considered a reportable security incident. An important thing to note is that if encrypted data is stolen, it’s NOT considered a security breach or a reportable incident unless the decryption key is also stolen.
In most cases, healthcare providers dismiss encryption because it’s not considered mandatory and is only categorized as “addressable.” That being said, security experts advise that all medical companies should strongly consider utilizing proper encryption techniques.
As an alternative, pseudonymization is an acceptable equivalent to data encryption, and this can also be considered compliant with GDPR, which is the data protection regulation that covers European businesses.
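The point of both encryption and pseudonymization is that the stolen artifact on its own is not usable: the secret that links it back to a patient is held somewhere else. The following example, added here and not taken from the article, shows a minimal pseudonymization scheme along those lines. It replaces the direct identifiers in a record with a keyed HMAC token and keeps the HMAC key and the re-identification table apart from the pseudonymized data. It also contrasts the keyed token with an unkeyed hash of the medical record number, which an outsider can reverse simply by hashing guessed MRNs. The record layout, field names and MRN format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Constructed sample records (hypothetical patients, not real data).
RECORDS = [
    {"mrn": "MRN-000123", "name": "Pat Example", "dob": "1980-04-02", "diagnosis": "J45.20"},
    {"mrn": "MRN-000456", "name": "Sam Sample", "dob": "1975-11-19", "diagnosis": "E11.9"},
    {"mrn": "MRN-000123", "name": "Pat Example", "dob": "1980-04-02", "diagnosis": "I10"},
]

# Fields that directly identify a patient; everything else is clinical payload.
DIRECT_IDENTIFIERS = ("mrn", "name", "dob")


class Pseudonymizer:
    """Replace direct identifiers with a keyed pseudonym.

    The HMAC key and the re-identification table live only in this object.
    The pseudonymized records can be stored or shared separately; a copy of
    them without the key (or the table) cannot be linked back to patients,
    the same key/data separation HIPAA relies on for encrypted data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.reidentification: Dict[str, dict] = {}  # token -> identifiers

    def token_for(self, mrn: str) -> str:
        # Keyed hash: the same MRN always yields the same token, so one
        # patient's records stay linkable, but only the key holder can compute it.
        return hmac.new(self.key, mrn.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        token = self.token_for(record["mrn"])
        self.reidentification[token] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        clinical = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return {"patient_token": token, **clinical}

    def reidentify(self, pseudonymized: dict) -> dict:
        # Only possible with access to the separately held table.
        identifiers = self.reidentification[pseudonymized["patient_token"]]
        clinical = {k: v for k, v in pseudonymized.items() if k != "patient_token"}
        return {**identifiers, **clinical}


def naive_token(mrn: str) -> str:
    # What not to do: an unkeyed hash of a short, structured identifier.
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def unkeyed_guess_matches(tokens: Set[str], candidate_mrns: List[str]) -> int:
    """Count tokens an outsider recovers by hashing guessed MRNs with no key.

    MRNs are small and predictable, so an unkeyed hash is reversible by
    enumeration; the keyed token is not.
    """
    return sum(1 for mrn in candidate_mrns if naive_token(mrn) in tokens)


if __name__ == "__main__":
    p = Pseudonymizer()
    shared = [p.pseudonymize(r) for r in RECORDS]
    print(shared)
    print(p.reidentify(shared[0]))
```

In a real deployment the key would sit in an HSM or key-management service and the re-identification table in a separately access-controlled store, so that the pseudonymized dataset, the key, and the table are never on the same stolen laptop.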
4. Improper Disposal of PHI and Medical Data
Improperly disposing of or discarding medical records might be one of the most overlooked HIPAA breaches. While it rarely occurs, it’s still a serious violation with heavy fines. The New England Dermatology and Laser Center was fined a settlement of $300,640 for improperly disposing of PHI in 2022.
Many interns or new hospital staff discard or throw away complete physical copies of medical records without attempting to destroy the sensitive information. This also applies to digital data on old laptops, hard drives, or USB drives that contain PHI and are not properly wiped once their retention period expires.
Medical data slated for disposal that isn’t accounted for carries the risk of unauthorized disclosure, which may constitute a HIPAA violation and, in turn, stiff penalties.
HIPAA regulations mandate that all hospitals and clinics must have the proper procedures for disposing of both physical and digital medical data. Implementing comprehensive policies for handling expired PHI data is crucial, including training employees on the best practices for disposing of medical data.
To avoid the improper disposal of PHI and medical data, healthcare providers should:
- Regularly conduct shredding or pulping of physical paper copies that store PHI
- Wipe or destroy portable devices like hard drives and USBs that store PHI
5. Impermissible PHI Disclosure and Employee Misconduct
Under the HIPAA Privacy Rule, any unauthorized disclosure of PHI is impermissible and a violation of the law. Impermissible PHI disclosure and employee misconduct — unintentional or otherwise — account for a large number of HIPAA breaches.
Unless the attending medical professional has a direct reason to access specific medical records, all patient information is considered off-limits. Even disclosing PHI with expired patient authorization is considered impermissible PHI disclosure.
Understandably, intentional breaches carry much higher HIPAA violation penalties. For example, a former UCLA doctor and researcher was sentenced to four months in prison for intentionally violating HIPAA rules by viewing the medical records of celebrities.
Employee misconduct also covers less deliberate forms of patient data exposure, as well as more serious ones, such as:
- Accidentally disclosing patient data to a friend or family member in non-private settings
- Gossiping with coworkers about private and confidential patient data
- Viewing medical records for personal use or non-medical reasons
- Posting photos on social media of instances where patients' PII (personally identifiable information) is exposed
- Accidentally discarding, misplacing, or losing physical or digital documents that contain PHI files
- Sharing passwords to accounts with access to medical information
To reduce impermissible PHI disclosure and prevent employee misconduct, healthcare providers should carry out employee training that covers proper handling of PHI, as well as maintaining best practices for security (for example, not leaving a laptop unattended, implementing screen locks, etc.).
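Sections 1 and 5 together describe one control: every ePHI access goes through an access check (authentication, role, and a treatment relationship with the patient), every decision is logged, and the log is monitored so that staff browsing records they have no reason to see are caught, as in the celebrity-records case above. The following example, added here and not taken from the article or any vendor, is a small gateway that does exactly that. The staff directory, care-team assignments, action names, the `mfa_verified` flag, and the break-glass mechanism are all constructed for the example; the denied-lookup threshold is an arbitrary tuning value.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample directory (hypothetical staff and patients, not real data).
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart"},
    "nurse": {"read_chart"},
    "billing": {"read_billing"},
}

# Treatment relationships: who is on each patient's care team right now.
CARE_TEAM = {
    "P-1001": {"dr-alice", "nurse-bob"},
    "P-1002": {"dr-alice"},
    "P-1003": {"dr-carol", "nurse-bob"},
}

DENIED_THRESHOLD = 3  # denied out-of-team lookups before a user is flagged (tuning value)


@dataclass
class User:
    user_id: str
    role: str
    mfa_verified: bool


@dataclass
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    action: str
    allowed: bool
    reason: str


class PhiGateway:
    """Every ePHI request passes through here and is logged, allowed or not."""

    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def request(self, user: User, patient_id: str, action: str, when: datetime,
                break_glass_reason: Optional[str] = None) -> AuditEvent:
        if not user.mfa_verified:
            allowed, reason = False, "mfa-required"
        elif action not in ROLE_PERMISSIONS.get(user.role, set()):
            allowed, reason = False, "role-denied"
        elif user.user_id in CARE_TEAM.get(patient_id, set()):
            allowed, reason = True, "care-team"  # minimum necessary: treating staff only
        elif break_glass_reason:
            # Emergency override: permitted, but recorded as such for review.
            allowed, reason = True, f"break-glass:{break_glass_reason}"
        else:
            allowed, reason = False, "not-on-care-team"
        event = AuditEvent(when, user.user_id, patient_id, action, allowed, reason)
        self.audit.append(event)
        return event


def review_audit(audit: List[AuditEvent]) -> List[str]:
    """Monitoring pass: flag users probing records outside their care team, and every break-glass use."""
    findings = []
    denied = Counter(e.user_id for e in audit if e.reason == "not-on-care-team")
    for user_id, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(f"{user_id}: {n} denied lookups outside care team")
    for e in audit:
        if e.reason.startswith("break-glass:"):
            justification = e.reason.split(":", 1)[1]
            findings.append(f"{e.user_id}: break-glass access to {e.patient_id} ({justification})")
    return findings


def simulate() -> PhiGateway:
    """Run a constructed sequence of requests through the gateway."""
    gw = PhiGateway()
    t = datetime(2024, 3, 1, 9, 0)
    alice = User("dr-alice", "physician", True)
    alice_no_mfa = User("dr-alice", "physician", False)
    bob = User("nurse-bob", "nurse", True)
    carol = User("dr-carol", "physician", True)
    gw.request(alice, "P-1001", "read_chart", t)          # allowed: on care team
    gw.request(alice_no_mfa, "P-1001", "read_chart", t)   # denied: no MFA
    gw.request(bob, "P-1001", "write_chart", t)           # denied: nurse role cannot write
    for pid in ("P-1001", "P-1002", "P-1001"):            # carol browsing patients she is not treating
        gw.request(carol, pid, "read_chart", t)
    gw.request(carol, "P-1002", "read_chart", t, break_glass_reason="ED consult")
    return gw


if __name__ == "__main__":
    gateway = simulate()
    for finding in review_audit(gateway.audit):
        print(finding)
```

Two design points matter more than the code itself: denied requests are logged just like allowed ones, because repeated denials are the earliest signal of someone snooping, and the emergency override is allowed but never silent, so every break-glass access lands in front of a reviewer.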
6. Failure to Enter Business Associate Agreements (BAA) with Third-Party Contractors
Nearly all healthcare organizations work with third-party companies in their operations, many of which are allowed access to PHI. Under HIPAA rules, any entity that handles PHI must follow HIPAA standards. For third-party contractors that do business with healthcare providers, a business associate agreement (BAA) is required before they are allowed access to PHI.
A BAA is required because most third parties don’t handle sensitive patient data as their primary business. Many vendors or suppliers may not have data security protocols up to standard because such protocols aren’t required in their own industry. However, once they enter into a business contract with the healthcare organization, they must comply with HIPAA.
Some examples of potential incidents include:
- Unauthorized handling of medical contracts via off-site or regional departments
- The possibility of other vendors or companies buying, selling, or merging with the third-party company
- Abrupt onboarding of third-party business associates to meet the healthcare provider’s urgent requirements
To avoid HIPAA non-compliance, organizations should appoint a specific individual to be in charge of managing all third-party contracts to ensure that the entire BAA process is complete and compliant with HIPAA. Oftentimes, when organizations fail to enter a BAA, it results from a lack of oversight or institutions simply not understanding the HIPAA laws and requirements.
Organizations can also use Third-Party Risk Management (TPRM) solutions to help oversee their vendors, contractors, and other third parties within the supply chain. TPRM solutions can identify immediate security risks, track security progress and implementation, and monitor compliance with HIPAA laws. More importantly, they allow larger hospitals to manage hundreds of vendors and ensure they follow regulatory standards.
7. Failure to Conduct an Organization-Wide Risk Analysis
An organization-wide risk analysis helps healthcare organizations pinpoint vulnerabilities and flaws in their systems and security measures, improve confidentiality standards, and ultimately help with HIPAA compliance. The risk assessment itself is not optional, and simply stating that safeguards are in place is not an acceptable replacement.
Medical institutions that neglect regular organization-wide risk assessments face costly fines for failing to safeguard their data. Some healthcare institutions do conduct a risk analysis but never act on its recommendations, waiting instead until a cybersecurity incident occurs, by which point it is often too late.
A proper organization-wide risk analysis consists of the following:
- Regularly auditing for network security flaws and vulnerabilities
- Implementing proper authentication protocols
- Evaluating employee training
- Identifying the cyber threats that are most likely to compromise data
- Examining incident response plans
Medical institutions must either conduct an internal risk analysis or use a third-party auditor that can do the analysis thoroughly. External auditors are generally recommended because they can provide guidance and evaluations from a fresh, unbiased perspective.
Perhaps even more importantly, healthcare institutions must take the recommended action to remediate any security risks and vulnerabilities as soon as possible or risk even more severe fines under HIPAA. Understandably, organization-wide risk analysis procedures are costly, but ultimately they are necessary and play a major part in preventing security problems.
8. Failure to Report a Data Breach
The HIPAA Breach Notification Rule clearly states that all covered entities are obliged to report data breaches after discovery “without unnecessary delay” and in a timely manner, no later than 60 days. The breach must also be reported to the OCR if it affects more than 500 people.
Medical institutions face serious penalties if they exceed the 60-day deadline.
To prevent this HIPAA violation from occurring, healthcare providers must:
- Define a standard internal reporting policy to relevant directors or officials
- Ensure that all relevant data breach details are sent to the OCR (Office for Civil Rights)
- Report the breach to a media outlet relevant to the data breach
- Post the notification for the data breach on their website
9. Denying or Delaying Patient Access to Health Records
Although not as common as other violations, denial of access to patient records is still regarded as a major violation of HIPAA rules. All patients have a right to view and access their own health records as part of HIPAA requirements, and providers must provide that information within 60 days. Any health organization that refuses patient access is subject to major fines.
In 2011, Cignet Health was fined $4.3 million by OCR for denying patients access to their own records.
Medical services are in violation of the HIPAA act if they:
- Deny patients’ rights to obtain their records
- Fail to give the requested medical records in a timely manner (within 30-60 days)
- Charge extra for requested copies of medical records (only the cost of producing the records may be collected from patients)
Avoiding this mistake is relatively easy — hospitals should establish strict procedures that enable their administration to respond to patient requests and distribute the records on time.
10. Lack of HIPAA-Certified Employee Training
All HIPAA-covered entities are required to provide HIPAA-certified training to their staff and employees. All relevant staff (including business associates, nurses, office administrators, receptionists, hospital volunteers, interns, and doctors) who handle PHI are required to obtain a HIPAA certification to prove that adequate training has been provided. Basic cybersecurity training will not suffice under HIPAA rules — the Privacy and Security Rules have specific requirements that must be adhered to and that may differ from those of other industries or companies.
Training and education need to be carried out during the following times:
- The onboarding and new hire process
- When job roles and responsibilities change
- On an annual basis
- When new HIPAA updates regarding security are released
- When hospital security policies change
HIPAA is an enforced law, and ignorance of HIPAA policies is not an excuse for violations. However, training should be thorough and comprehensive, not just a way to avoid incurring penalties and fines. Training should be a proactive step in helping health organizations prevent and minimize the likelihood of a data breach.