What is a HIPAA Violation?
If you believe that a covered entity violated your (or someone else's) health information privacy rights or committed another violation of the Privacy or Security Rule, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates. Visit the Dept. of Health & Human Services website to find out How To File a Complaint.
There are all kinds of HIPAA violation cases out there. Whether they involve the security, administrative or technical safeguards, data breaches tend to fall into a few recurring patterns, as can be seen from research of the HHS-reported breaches affecting 500 individuals or more.
If you’re looking for what the penalties and fines are for certain types of HIPAA violations, see the chart below (recently updated to reflect the final HIPAA rules):
| VIOLATION TYPE | EACH VIOLATION | VIOLATIONS OF AN IDENTICAL PROVISION IN A CALENDAR YEAR |
|---|---|---|
| Individual didn't know they violated HIPAA | $100 - $50,000 | $1,500,000 |
| Reasonable cause and not willful neglect | $1,000 - $50,000 | $1,500,000 |
| Willful neglect but corrected within time | $10,000 - $50,000 | $1,500,000 |
| Willful neglect and is not corrected | $50,000 | $1,500,000 |
According to the final HIPAA modifications, in applying these amounts the Department will not impose the maximum penalty in every case, but will instead determine the penalty based on the nature and extent of the violation, the nature and extent of the resulting harm, and other factors.
The most common cases in the news involved the following:
Although this may be partly because breaches of encrypted data do not have to be reported, the vast majority of reported data breaches involve stolen or lost data that was unencrypted. A common theme is the data archiving practice of using backup tapes to store patient health records.
While increasing and monitoring the security of storage facilities is important, an alternative is IT disaster recovery in the cloud. By eliminating tape backup, cloud disaster recovery can improve your recovery time objective (RTO) and restore your server data and applications in hours.
Two separate cases involved employees leaving unencrypted backup tapes containing PHI in their vehicles while parked off-premises. Another case was due to employees mistakenly sending PHI to contractors, who then posted the information publicly online. Still others involved disclosing personally identifiable information on social media networks.
Training, documenting and monitoring employee adherence to company security policies and procedures is extremely important and one of the easiest preventative actions an organization could take to avoid a data breach. While you should train your own employees, remember that part of due diligence in checking your business associates’ compliance is also verifying their employees have been trained. Ask your HIPAA hosting provider for the latest dates of their employee training.
Data Stored on Devices
Almost half of all data breaches (49 percent) can be attributed to the theft of physical records or devices. When portable devices are unencrypted or not properly secured by passwords, PINs and other security measures, the risk of a PHI breach increases considerably. Additionally, if you are not backing up your data frequently, you can lose a large number of patient records when a laptop, smartphone or other device is lost.
One solution is using a HIPAA compliant data center to host your data and applications securely in an offsite location with the appropriate technical, physical, logical and network security in place. With limited remote access, your data is safely stored off of your personal and portable devices while your servers are being managed and monitored by trained professionals.
Sixty-two percent of data breaches involved a business associate, according to HHS.gov, making the vendor selection process an essential step toward achieving full compliance.
What should you look for when you’re comparing HIPAA hosting providers?
- An independent HIPAA audit report, to verify that a HIPAA hosting provider can actually deliver compliant solutions and a compliant hosting environment that can withstand scrutiny by an auditor measuring against the OCR HIPAA Audit Protocol.
- Knowledge of what services are essential to helping you meet compliance - a dedicated or virtual firewall/VPN, antivirus, OS patch management, offsite backup/DR - as well as what services are strongly recommended or considered best practice in the industry.
- Documented, formal policies and procedures, as well as dates and documentation that all of their employees have undergone training. Dates are important to verify their ongoing compliance.
- A business associate agreement (BAA) that outlines their responsibilities, ownership, timeline of breach notification, how they handle PHI, etc.
Lapse in Notification
Another mistake made in many HIPAA violation cases is late notification of HHS and the affected individuals. HHS requires extensive documentation within 10 days of a data breach, with at least 15 specific components that relate to the covered entity's internal investigation, policies and procedures, physical safeguards, risk assessment, and breach notification. Get a full checklist of the OCR Audit Requirements Following a Self-Reported HIPAA Breach.
Or see an example of Online Tech’s actual BAA Breach Notification Clause crafted by attorneys Brian Balow and Tatiana Melnik from the Dickinson Wright firm, stating we’ll notify our clients within 72 hours of any issues with PHI use or disclosure.