Who can violate HIPAA?

One of the main aims of the Health Information Portability and Accountability Act of 1996 is to safeguard patient privacy, but who can violate HIPAA? The Act stipulates that all organizations it considers to be “covered entities” must be HIPAA-compliant. These CEs are defined as any healthcare providers, health plans, or healthcare clearinghouses that have access to and can transmit patients’ protected health information (PHI). As these CEs – and their employees – are subject to HIPAA rules, they have the potential to violate them. But should they?

The short answer is no; under no circumstances should a CE or its employees willfully violate HIPAA. Doing so puts patient privacy and well-being at huge risk; the information included in PHI is often very sensitive and can contain health prognoses, bank details, social security numbers, etc. Any one of these identifiers can be misused by malicious parties (for example, to hinder a patient’s employment opportunities), but together they could leave the patient vulnerable to identity theft or fraud.

Of course, mistakes can be made and unintentional HIPAA violations can occur. There is a distinction between incidental HIPAA violations, which occur despite the best efforts of the actors, and accidental HIPAA violations, which are often the result of ignorance or failure to comply with best practices. For example, if a patient is being brought to a consultation room and happens to see the names of other patients on a sign-in sheet at the reception desk, this would be considered an incidental exposure. If, however, someone took a photo in which the sign-in sheet was visible, and that photo was then shared, that would be considered an accidental breach. Incidental breaches are usually more limited in scope, and are therefore often less serious, but both should be taken seriously and avoided wherever possible.

Any organization that enters into a business associate agreement (BAA) with a CE (and is therefore considered a “Business Associate”) must also be HIPAA-compliant. Such organizations therefore have the potential to violate HIPAA, but, as with the CEs, they should make every effort to avoid such breaches. The BAA will outline the requirements the BA must meet to be compliant.

Other groups are also covered by HIPAA; researchers, for example, may use PHI only under specific circumstances. Any subcontractors to BAs must also be HIPAA-compliant.

HIPAA violations are taken seriously by the Department of Health and Human Services, which has penalty structures in place for severe breaches. In the most extreme cases, for example where employees have demonstrated willful neglect, a fine of up to $50,000 per violation may be issued. In some cases, criminal prosecution is necessary.

There are a number of bodies – namely, covered entities and business associates – that have the potential to violate HIPAA. However, both to safeguard patient privacy and to avoid fines, no one should ever violate HIPAA.