Legal Implications of HIPAA Violation

May 11, 2022

Data breaches and HIPAA violations have increased by 51% in recent years, partly due to the COVID-19 crisis and the upswing in cybersecurity risks. For example, in the month of September 2021 alone, the Department of Health and Human Services (HHS) received 40 reports of data breaches within the healthcare industry – a total of 1,206,799 people in the United States had their protected health information (PHI) compromised in just one month.


HIPAA is necessary for providing patients the security with their health records and information. It assures patients that their medical records are safe and secure and do not fall into the wrong hands. In addition, the act ensures that all healthcare providers, health vendors, healthcare clearinghouses, and other entities implement multiple safeguards to protect sensitive personal and health information. 


With penalties for violations reaching up to $1.5 million per year, this can be intimidating for businesses and organizations, especially if you don’t know how to avoid a violation. You and your organization should have a clear understanding of what you should and shouldn’t do to avoid a breach.


First off… what is a HIPAA Violation?

HIPAA, also known as the Health Insurance Portability and Accountability Act, was enacted in 1996. This landmark piece of legislation was introduced to simplify the administration of healthcare, eliminate wastage, prevent fraud, and protect patients. 


Protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity when providing healthcare services.


A HIPAA violation happens when there is a failure to comply with any aspect of HIPAA standards and provisions, or when PHI is acquired, accessed, used, or disclosed in a way that puts a patient at significant personal risk. 


HIPAA violations can occur intentionally or unintentionally. Either way, they are unlawful and can result in significant penalties. 


What happens if you violate HIPAA?

The penalties and fines administered by the Office for Civil Rights are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive and vary greatly in cost based on the level of negligence displayed. The possible penalties are as follows: 


Depending on the category, financial penalties for HIPAA violations range from $100 per violation (up to $50,000) to $50,000 per violation per year that the violation was allowed to persist, maxing out at $1.5 million per violation category per year. 


Fines can be issued from $100 per violation up to $25,000 per violation category per year. A breach that involves multiple states can result in fines for multiple states. 


Alongside civil financial penalties, those responsible for HIPAA violations and PHI breaches may also face criminal charges. Three tiers of criminal penalties for HIPAA violations exist, ranging from one year in jail up to 10 years of jail time.


Affected patients can bring litigation against the healthcare practice or organization in which the breach occurred. If multiple patients are affected, that could result in a big, long, and expensive legal battle.


How is a HIPAA violation discovered? 

There are several ways a HIPAA violation can be discovered. The most common are the following:

  1. Compliance Audit. Violations of HIPAA can go under the radar for months or years until they are discovered. The longer a violation exists, the steeper the penalty will be when it is finally found out.
  2. Complaints about an entity.
  3. Report of the violation from a third party.


If you discover a colleague, associate, or entity that has violated HIPAA, you can report it to OCR. For instance, if a patient’s privacy has been violated within your organization, reporting the violation will allow your organization to take steps to reduce the potential for further harm and will help ensure that similar incidents do not occur in the future.


Tips on how to avoid HIPAA violations

Here’s how you can avoid the most common HIPAA violations: 

  • Invest in employee education and training. This provides the strongest safeguard against breaches. Your weakest spot could be your employees, so training is required to maintain professionalism and avoid breaches. 
  • Do not engage in gossip. Engaging in gossip about patients and their families may seem harmless, but discussing PHI is off-limits – with colleagues and with people outside the organization. This is because, under HIPAA, you are responsible for protecting the privacy of patients.
  • Never disclose passwords or share login credentials! Every employee should be provided with a unique login that grants them access to sensitive information, and it should never be shared or written down. 
  • Don’t access your own medical records using your login credentials. Healthcare employees do not have the right to access their medical records using their own login credentials. 
  • Never leave portable devices or documents unattended. Using paper records increases the chances of PHI being left exposed for unauthorized people to see. Leaving computers open for use and unlocked also poses a risk. If a device or document is lost or stolen, report it immediately to the Office for Civil Rights. 
  • Do not text PHI. SMS messages are not encrypted, so refrain from sending PHI by text message. 
  • Don’t dispose of PHI with regular trash. PHI must always be secured and disposed of only when it's no longer needed or required. Improper disposal of PHI is a violation. Shredding documents, destroying media, and thoroughly wiping your hardware is necessary when disposing of PHI.
  • Never access patient records out of curiosity. It may be tempting to look into records of friends, family, and celebrities, but health care workers should only access records when they are authorized to do so.
  • Don’t take medical records with you when you change jobs. It is considered data theft and could result in criminal charges.
  • Do not share ePHI on social media (including photos). Selfies or any form of photos taken at work and posted to social media accounts would violate HIPAA Rules if patients are included in the photograph and prior consent has not been obtained in writing. It's easy to get swept up in the enthusiasm of simply sharing your thoughts on social media. Yet even an innocent-sounding post could lead to a breach. Therefore, healthcare employees must be cautious about what they post online. 
  • Report potential HIPAA violations. If you believe a colleague has violated HIPAA Rules it is essential to take action to prevent similar incidents from occurring in the future. 
  • Regularly review and improve security procedures. Using unsecured technology to share PHI is a considerable risk and should never be done, because it will expose your organization to a breach. Staying a step ahead of hackers is an effective way to prevent HIPAA violations. 
  • Never forward PHI to your personal email. PHI, or files that contain PHI in the form of images, call recordings, visit notes, etc., should never be forwarded or shared with one’s personal email.


HIPAA compliance made easy with ER Tech Pros 

PHI is just as valuable as credit card information on the dark web, and sometimes even more so. These days, being HIPAA compliant is more critical than ever. Strengthen your cybersecurity to protect your systems from possible attacks.


ER Tech Pros is your healthcare IT partner to help your organization avoid HIPAA violations. We partnered with Compliancy Group to help our clients maintain HIPAA compliance. 


Schedule a free consultation with one of our experts to find out how we can help your practice succeed.
