Data on Most Common Types of PHI Breach Released

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity.

The five most common HIPAA violations of this type are:

• failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI)
• failure to enter into a HIPAA-compliant business associate agreement
• impermissible disclosures of PHI
• delayed breach notifications
• failure to safeguard PHI.

The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are only for the most serious violations of HIPAA Rules, and generally only when the covered entity has severely neglected their duty to maintain the integrity of PHI. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.

The five most common HIPAA violations that have resulted in settlements with covered entities and their business associates are detailed further below.

Data Breaches and HIPAA Violations

Healthcare organizations have had to deal with an increasing number of data breaches in the past decade. Even with multi-layered cybersecurity defenses, it is possible for data breaches to occur. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.

HIPAA compliance is about reducing the risk of a data breach to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.

The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.

Discovery of HIPAA Violations

HIPAA violations can continue for many months, or even years, before they are discovered, depending on the nature of the breach. The longer they persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA-covered entities to conduct regular HIPAA compliance reviews to make sure HIPAA violations are discovered and corrected before they are identified by regulators.

There are three main ways that HIPAA violations are discovered:
1. Investigations into a data breach by OCR (or state attorneys general)
2. Investigations into complaints about covered entities and business associates
3. HIPAA compliance audits

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.

The Most Common HIPAA Violations

Listed below are 5 of the most common HIPAA violations. We have included examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules and have had to settle those violations with OCR and state attorneys general. In many cases, investigations into the breach revealed multiple HIPAA violations. The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.

Failure to Perform an Organization-Wide Risk Analysis

The failure to perform an organization-wide risk analysis is arguably the most common HIPAA violation, and one that frequently results in financial settlements with OCR. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to hackers.

HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:
• Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
• Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
• Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other HIPAA violations.

Failure to Enter into a HIPAA-Compliant Business Associate Agreement

The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant. This is particularly true if the business associate agreement was not updated after the Omnibus Final Rule was revised.

Notable settlements for these common HIPAA violations include:
• Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000 settlement for the failure to execute a HIPAA-compliant business associate agreement.
• North Memorial Health Care of Minnesota – $1.55 million settlement for failing to enter into a BAA with a major contractor and other HIPAA violations.
• Care New England Health System – $400,000 settlement for the failure to update business associate agreements.

Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

The encryption of PHI is one of the most effective methods of preventing a serious data breach. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also stolen. Despite these benefits, encryption is not mandatory under HIPAA Rules. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.

Recent settlements for the failure to safeguard PHI include:
• Children’s Medical Center of Dallas – $3.2 million civil monetary penalty for failing to act to address known risks, including the failure to use encryption on portable devices.
• Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000 settlement for the failure to use encryption, the failure to conduct an enterprise-wide risk analysis, and to manage risks.

Exceeding the 60-Day Deadline for Issuing Breach Notifications

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations.

There have been two breaches of this nature in the past year:
• Presence Health – $475,000 settlement for delaying the issuing of breach notifications by a month.
• CoPilot Provider Support Services Inc. – $130,000 settlement with NY Attorney General for delayed breach notifications.

Impermissible Disclosures of Protected Health Information

Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can result in a financial penalty. This violation category includes disclosing PHI to a patient’s employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the ‘minimum necessary’ standard, and disclosures of PHI after patient authorizations have expired.

Two notable settlements include:
• Memorial Hermann Health System – $2.4 million settlement for disclosing a patient’s PHI in a press release.
• Luke’s-Roosevelt Hospital Center – $387,000 settlement for careless handling of PHI/Disclosure of a patient’s HIV status to their employer.