What are the 10 Most Common HIPAA Violations?


This article looks at 10 of the most common HIPAA violations.

It should be remembered that, in many instances, investigations have found multiple HIPAA violations behind a single breach. Settlement amounts reflect the seriousness of the breach, the length of time the violation was allowed to persist, the number of violations discovered, and the financial position of the covered entity or business associate.

1. Spying on Healthcare Records

Viewing the health records of patients for reasons other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is a serious breach of patient privacy. Snooping on the healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When identified, these violations usually lead to termination of employment, but they can also result in criminal charges for the employee involved. Fines for healthcare organizations that have failed to prevent snooping are relatively unusual, but they are possible.

2. Not Completing an Organization-Wide Risk Analysis

The failure to complete an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If a risk analysis is not conducted regularly, an organization cannot determine whether vulnerabilities affecting the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to cybercriminals.

3. Failure to Manage Security Risks / Lack of a Risk Management Process

Completing a risk analysis is crucial, but it is not just a checkbox item for compliance. The risks it identifies must then be fed into a risk management process: prioritized and remediated within a reasonable time frame. Knowing about risks to PHI and failing to remedy them is one of the most common HIPAA violations penalized by the Office for Civil Rights.

4. Not Completing a HIPAA-Compliant Business Associate Agreement

The failure to execute a HIPAA-compliant business associate agreement with every vendor that is supplied with, or given access to, PHI is another of the most common HIPAA violations. Even when business associate agreements are in place for all vendors, they may not be fully HIPAA compliant, especially if they have not been updated since the Omnibus Final Rule.

5. Inadequate ePHI Access Controls

The HIPAA Security Rule obligates covered entities and their business associates to restrict access to ePHI to authorized persons. The failure to configure proper ePHI access controls is also one of the most common HIPAA violations, and one that has attracted several fines.
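The two failures above (employee snooping in section 1 and inadequate access controls here) are usually addressed together: a default-deny authorization check tied to role, stated purpose and care-team membership, an audit trail of every attempt including denied ones, and a retrospective check over that trail for accesses that look like snooping. The following is an added illustration, not code from the original article or from any particular EHR product; the staff, patients, roles and access events are constructed sample data, and the policy rules are deliberately simplified assumptions.

```python
"""Added example (not from the original article): a minimal ePHI access gate
with an audit trail, plus a retrospective check over that trail for the
record snooping the article describes. All data below is constructed."""
from dataclasses import dataclass

# Purposes the Privacy Rule permits without patient authorization.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Staff:
    user_id: str
    name: str
    role: str            # assumed roles: "clinician", "billing", "compliance"


@dataclass
class Patient:
    patient_id: str
    name: str
    care_team: set       # user_ids currently treating this patient
    is_vip: bool = False # high-profile record that warrants extra review


@dataclass
class AccessEvent:
    user_id: str
    patient_id: str
    purpose: str
    allowed: bool
    reason: str


def authorize(staff: Staff, patient: Patient, purpose: str):
    """Return (allowed, reason). Role, stated purpose and care-team
    membership decide; anything not explicitly permitted is denied."""
    if purpose not in PERMITTED_PURPOSES:
        return False, "purpose not permitted by Privacy Rule"
    if purpose == "treatment":
        if staff.role == "clinician" and staff.user_id in patient.care_team:
            return True, "clinician on care team"
        return False, "not on patient's care team"
    if purpose == "payment":
        return staff.role == "billing", "payment requires billing role"
    return staff.role == "compliance", "operations requires compliance role"


def access_record(staff, patient, purpose, log):
    """Gate a record view and log the attempt whether or not it succeeds.
    Logging denials is what makes the retrospective audit below possible."""
    allowed, reason = authorize(staff, patient, purpose)
    log.append(AccessEvent(staff.user_id, patient.patient_id, purpose, allowed, reason))
    return allowed


def audit_snooping(log, staff_by_id, patients_by_id):
    """Flag events for human review that look like snooping, including ones
    the access gate allowed (a clinician legitimately on a co-worker's care
    team still warrants a second look). Returns (user, patient, why) tuples."""
    staff_names = {s.name.lower() for s in staff_by_id.values()}
    flags = []
    for ev in log:
        pat = patients_by_id[ev.patient_id]
        why = []
        if not ev.allowed:
            why.append("denied attempt")
        if pat.name.lower() in staff_names:
            why.append("patient is a co-worker")
        if pat.is_vip and ev.user_id not in pat.care_team:
            why.append("VIP record targeted outside care team")
        if why:
            flags.append((ev.user_id, ev.patient_id, ", ".join(why)))
    return flags


# Constructed sample directory (hypothetical names and IDs).
STAFF = {s.user_id: s for s in [
    Staff("u1", "Ada Clinician", "clinician"),
    Staff("u2", "Bob Billing", "billing"),
    Staff("u3", "Carol Curious", "clinician"),
]}
PATIENTS = {p.patient_id: p for p in [
    Patient("p1", "Dan Patient", {"u1"}),
    Patient("p2", "Carol Curious", {"u1"}),        # a staff member who is also a patient
    Patient("p3", "Famous Person", {"u1"}, is_vip=True),
]}


def run_demo():
    """Replay a constructed sequence of access attempts and audit them."""
    log = []
    access_record(STAFF["u1"], PATIENTS["p1"], "treatment", log)   # allowed
    access_record(STAFF["u2"], PATIENTS["p1"], "payment", log)     # allowed
    access_record(STAFF["u3"], PATIENTS["p3"], "treatment", log)   # denied: not on care team
    access_record(STAFF["u1"], PATIENTS["p2"], "treatment", log)   # allowed, but co-worker's record
    access_record(STAFF["u3"], PATIENTS["p1"], "curiosity", log)   # denied: purpose not permitted
    return log, audit_snooping(log, STAFF, PATIENTS)


if __name__ == "__main__":
    events, review_queue = run_demo()
    for item in review_queue:
        print(item)
```

The access check alone does not stop snooping by a clinician who is on the care team, which is why the audit pass treats allowed events as reviewable too; in practice the flagged tuples would feed a privacy-officer review queue rather than an automatic sanction.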

6. Failure to Implement Encryption or an Equivalent Measure to Secure ePHI on Portable Devices

One of the best methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key needed to decrypt the data is also compromised. Encryption is not mandatory under the HIPAA Rules (it is an "addressable" specification of the Security Rule), but it cannot simply be disregarded. If the decision is taken not to use encryption, that decision must be documented and an alternative, equivalent security measure must be implemented in its stead.

7. Not Adhering to the 60-Day Deadline for Issuing Breach Notifications

The HIPAA Breach Notification Rule requires covered entities to issue breach notifications without unreasonable delay, and in no case later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations.

8. Illegal Sharing of Protected Health Information

Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This category includes disclosing PHI to a patient's employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing more PHI than is necessary, failing to adhere to the "minimum necessary" standard, and disclosing PHI after a patient's authorization has expired.

9. Inadequate Disposal of PHI

When physical PHI and ePHI are no longer needed and retention periods have expired, the HIPAA Rules require the information to be securely and permanently destroyed. For paper records this can mean shredding or pulping; for ePHI it means degaussing, securely wiping, or physically destroying the media on which the ePHI is stored, so that impermissible disclosures cannot occur.

10. Not Allowing Patients Access to Their Health Records / Exceeding the Timescale for Providing Access

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and to share them with other entities and individuals. Denying patients copies of their health records, charging an unreasonable fee for copies, or failing to provide the records within 30 days of the request (a single 30-day extension is permitted if the patient is notified in writing of the reason for the delay) is a violation of HIPAA.