Most Common HIPAA Violations
The most common HIPAA violation is mishandling patient records. It occurs most often when patient files are kept on paper: a healthcare provider or employee leaves a record behind in a patient’s room, where other patients can read it. Patient records should always be kept in a private, secure area.
Throughout this article, we will be discussing what HIPAA is, what it means to violate HIPAA rules, the consequences that follow a violation, and some of the most common examples of HIPAA violations.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects personal medical history and other private information from being shared with individuals or organizations that intend to sell the information or use it for personal gain. HIPAA is a federal law created by the US Department of Health and Human Services; therefore, violating HIPAA rules can be considered a crime.
HIPAA Covered Entities
Covered entities are any healthcare providers, health plans, or healthcare clearinghouses. Any individual or organization that fits one of the following three descriptions is required to follow HIPAA rules.
- Healthcare providers provide medical or health services. Some examples would include clinics, pharmacies, doctors, nursing homes, and dentists.
- Health plans would be any individual or company that covers the cost of medical care. Examples would include health insurance companies as well as government-sponsored healthcare.
- Healthcare clearinghouses are individuals or companies that receive health information from another entity and process the data. Some good examples of these would be billing services and community health information systems.
Protected Health Information
Protected Health Information (PHI) is any personal information that healthcare providers collect to identify or determine appropriate care for an individual. This could include information like:
- Demographic information
- Medical history
- Lab tests and results
- Mental health conditions
- Health plan information
PHI Identifiers
HIPAA has a list of 18 different personal health identifiers that can become PHI if paired with health information. Some of these identifiers by themselves may allow an individual to be identified, contacted, or located. The 18 identifiers are as follows:
- Name
- Address
- Dates
- Phone number
- Fax number
- Email address
- Social security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URL
- IP address
- Biometric identifiers
- Full-face photographs
- Identifying characteristics, like tattoos or piercings
What is a HIPAA Violation?
A HIPAA violation happens when the access, use, or disclosure of PHI results in a significant personal risk to the patient and their identity. This regulation concerns everyone who works with PHI, including:
- Health plans
- Healthcare clearinghouses
- Healthcare providers
- Business associates
Best Way to Avoid HIPAA Violations
There are many ways to prevent or avoid a HIPAA violation. As an employer, one of the most important things you can do is ensure that your employees have received proper training when it comes to understanding and following the HIPAA guidelines. Some other great ways to avoid an intentional or accidental violation of the HIPAA rules are:
- Maintain possession of mobile devices: The most common HIPAA violation today is the loss or theft of mobile devices that store PHI. Employees should be aware of where each device is at all times and shut it down when it is not in use.
- Double check that files are correctly stored: Misfiling a patient’s paperwork in a cabinet or saving it on the wrong computer drive or network is a costly mistake.
- Keep anything with patient information out of the public’s eye: Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas, and keep your computer monitors and mobile device screens hidden from patients.
Consequences of HIPAA Violations
Civil penalties may be issued by the US Department of Health and Human Services if a HIPAA violation occurs. The Office for Civil Rights (OCR) is responsible for analyzing official complaints of potential HIPAA violations. There are four tiers of civil penalties; each tier and its consequences are based on the severity and number of violations. The four tiers are as follows:
- Tier 1 applies to people who didn’t know that HIPAA rules were being violated. The minimum penalty for a tier 1 violation is a $100 fine per violation with a maximum fine of $25,000 for repeated violations.
- Tier 2 applies to violations that are found to have reasonable cause. Tier 2 violations carry a minimum fine of $1,000 per violation and up to $100,000 for repeated violations.
- Tier 3 applies to situations involving willful neglect of HIPAA rules where the violation was corrected within the required period of time. The minimum fine per violation is $10,000. The maximum fine for repeated violations is $250,000.
- Tier 4 applies to violations involving willful neglect of HIPAA rules and with no attempt made to correct the violation. This violation could result in a minimum penalty of $50,000 per violation and a cap of $1.5 million for repeated violations.
Criminal Penalties
If a potential criminal violation of the HIPAA rules is being investigated, the OCR can refer the violation to the Department of Justice for review and further investigation. Criminal penalties for HIPAA violations are not common; however, if the intentions behind the violation are determined to be criminal, criminal penalties apply. There are only three tiers for criminal violations. They are as follows:
- Tier 1 applies to negligence or reasonable cause violations, resulting in a fine of up to $50,000 and up to one year in prison.
- Tier 2 applies to false pretense violations that end up with a fine of up to $100,000 and up to five years in prison.
- Tier 3 applies to violations caused by personal gain or malicious intent. A violation of this degree results in a fine of up to $250,000 and up to 10 years in prison.
More HIPAA Violation Examples
Aside from the examples we discussed earlier in this article, there are many common ways for HIPAA violations to occur. Some are a little less obvious than others and can potentially be overlooked. This is why understanding what causes HIPAA violations is so important.
Employees Exposing Patient Information
A patient’s health information and medical history are required to be kept protected and private. Healthcare employees who talk about their patients with unauthorized coworkers, family, or friends are violating HIPAA rules and will end up paying hefty fines. Healthcare providers and employees are not allowed to share patient information with their friends, family members, third-party individuals, or other organizations.
If a discussion is necessary in providing the best patient care, healthcare providers and employees should only discuss patient information in private places and only with other medical professionals.
Texting a Patient’s Private Information
While texting private information may seem faster and more efficient, it also gives hackers and onlookers the ability to get their hands on that private information. If you are caught putting a patient’s full name or other private information in a text, even if it is purely informational, you will end up with a fine on your hands.
Discussing Information Over The Phone
Another potential HIPAA violation that can be easily overlooked is discussing private information over the phone. You need to always be aware of your surroundings when discussing patients’ private health information over the phone. Ensure you discuss this in a private place where no one can hear the conversation.
When contacting an individual, always ensure that the person you are speaking with is actually the patient. Asking them to verbally confirm their birthdate or the last four digits of their Social Security number is an efficient way to identify the individual.
Employees Accessing Patient Files Without Authorization
This is one of the most common HIPAA violations, and the reason someone chooses to do it does not matter in the end. Accessing patient information without the proper authorization is illegal, even if your intentions are good.
Using PHI for Personal Gain
Accessing or selling an individual’s PHI for personal gain is also illegal. Not only is this a HIPAA violation, but it is also a criminal offense and will most likely result in prison time.
Data Breach Notification Rule
The HIPAA Breach Notification Rules require HIPAA-covered entities as well as business associates to provide notification to local law enforcement following a data breach of PHI. They also apply to vendors of personal health services and their third-party service providers.
Defining a Breach
Generally, a breach is an ill-intentioned use or disclosure of a patient’s PHI under the Privacy Rule that compromises the individual’s security and privacy. However, if the covered entity or business associate can prove that there is a low probability that the PHI was compromised, it is not considered a breach.
Requirements
Following a breach of PHI, covered entities are required to notify the affected individuals that the breach occurred. In some cases, they must also notify the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.
Three Types of HIPAA Data Breaches
There are three different types of data breaches. Each carries the same level of risk and consequences, but they differ in how they are carried out. The three types of data breaches are listed below:
- Physical breach: A physical breach involves the physical theft of documents or devices that contain PHI.
- Electronic breach: An electronic breach is an unauthorized access or deliberate attack on a system or network environment where PHI is stored.
- Skimming: Skimming involves a dishonest employee using an external device to collect PHI from an internal server.
Our Safety Training
Here at Hard Hat Training, our courses are updated whenever any formal changes are made to the applicable safety standards. This enables us to provide our customers with the most thorough and up-to-date training options for employees. Our overall goal is to make safety training courses fun and engaging. Our HIPAA Training course is ready for purchase today!