When it was first introduced in 1996, the Health Insurance Portability and Accountability Act [HIPAA] was intended to reshape the healthcare landscape and bring it into the 21st century. In truth, its initial rollout fell short, because it lacked the teeth needed to enforce compliance. Over the years, however, additional rules and measures such as HITECH have strengthened enforcement.
Today, if your business is found to have breached or otherwise violated HIPAA's rules, the repercussions can be stiff. It is therefore crucial to know what counts as a breach, what the penalties are, and what measures you can take to comply with HIPAA.
Want to know what is considered a breach of HIPAA? Below, we cover this and more so that your business and the private data it holds stay safe and secure.
What is Considered a Breach of HIPAA?
According to HHS, a breach under HIPAA is, generally, an:
Impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
The "low probability of compromise" exception is not a matter of opinion: to rely on it, the covered entity or business associate must document a risk assessment of the impermissible use or disclosure. Per HHS, that assessment must consider at least the following factors:
- “The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.”
HIPAA Breach Notification Rule
One of the complaints about the original HIPAA rollout was that it allowed many uses and disclosures of electronic protected health information [ePHI] without patient consent. In addition, covered entities had no obligation to notify patients about data breaches. Dr. Deborah Peel, a psychiatrist and founder of the Patient Privacy Rights Foundation, wrote:
Our existing federal privacy law is toothless. The federal government amended HIPAA in 2003, allowing more than 600,000 types of businesses and millions of their business associates to access medical records without patient consent for the “treatment, payment and operations of health-care-related activities.” To argue that medical privacy will result in higher costs and obstruct research is simply wrong. How can anything possibly be private with this type of loophole?
HITECH sought to remedy this by requiring covered entities to notify affected individuals, the government and, for larger breaches, the public. The reporting requirements differ depending on the size of the breach:
- Smaller breaches – For breaches affecting fewer than 500 individuals, the entity must notify the affected individuals without unreasonable delay (and no later than 60 days after discovery), record the incident in its breach log, and report the year's logged breaches to the HHS Secretary annually, within 60 days of the end of the calendar year in which they were discovered.
- Larger breaches – For breaches affecting 500 or more individuals, the entity must notify the affected individuals and the HHS Secretary without unreasonable delay (and no later than 60 days after discovery), and, where more than 500 residents of a single state or jurisdiction are affected, must also notify prominent media outlets serving that area.
What is PHI?
Under HIPAA, protected health information [PHI] can be categorized as, “Any individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.” As a note, PHI only pertains to personal information involving patients or health plan members.
According to HHS, the identifiers that make health information individually identifiable, and that its Safe Harbor de-identification method requires be removed, include:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code, and then only if the area sharing those three digits contains more than 20,000 people (otherwise the three digits are replaced with 000).
- All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web Universal Resource Locators (URLs)
- Social security numbers
- Internet Protocol (IP) addresses
- Medical record numbers
- Biometric identifiers, including finger and voiceprints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code
- Certificate/license numbers
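The identifier list above is, in effect, a specification for the Safe Harbor de-identification method: drop the direct identifiers, keep only the year of any date, collapse ages over 89, and truncate ZIP codes. The following Python is an added example, not code from the page or from HHS, that applies those rules to a patient record. The field names, the sample record, the "small population" ZIP prefixes and the free-text regexes are all constructed for the illustration; in practice the ZIP-prefix set must come from Census data and free-text review still needs a human, because the catch-all identifier ("any other unique identifying number, characteristic, or code") cannot be matched mechanically.

```python
"""Added example (not from the page or from HHS): a Safe Harbor-style
de-identification pass over a patient record. Field names, sample data,
the small-population ZIP prefixes and the free-text patterns are
constructed for illustration only."""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers that Safe Harbor requires be removed outright.
# The field names are assumptions about the record layout.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
})

# HHS guidance: a three-digit ZIP prefix may be kept only if the area it
# covers holds more than 20,000 people; otherwise it becomes 000.
# This set is a constructed placeholder, not the Census-derived list.
SMALL_POPULATION_ZIP3 = frozenset({"036", "059", "102", "203", "556", "692"})

# Patterns for identifiers that leak into free-text notes (constructed and
# deliberately broad: a false positive only costs an unnecessary redaction).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the initial three digits unless the prefix is a small area."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SMALL_POPULATION_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of (birthday not yet reached counts down)."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def redact_free_text(text: str) -> str:
    """Backstop for identifiers typed into notes; not a substitute for review."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of record with Safe Harbor identifiers removed or
    generalized: direct identifiers dropped, dates reduced to the year,
    ages over 89 collapsed to '90+' with the birth year dropped as well."""
    out: dict = {}
    over_89 = "dob" in record and age_on(record["dob"], as_of) > 89
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = "90+" if over_89 else age_on(value, as_of)
            if not over_89:
                out["birth_year"] = value.year        # year alone is permitted
        elif isinstance(value, date):
            out[f"{key}_year"] = value.year           # admission, discharge, death...
        elif isinstance(value, str):
            out[key] = redact_free_text(value)
        else:
            out[key] = value
    return out


SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Q. Sample",
    "mrn": "MRN-0099123",
    "dob": date(1931, 6, 15),
    "zip": "03601",
    "street_address": "12 Example St",
    "admission_date": date(2019, 3, 2),
    "diagnosis": "I10",
    "notes": "Called patient at 555-123-4567 re: results; email jane@example.org",
}


def demo(as_of: str = "2021-07-01") -> dict:
    """De-identify the sample record as of the given ISO date."""
    return deidentify(SAMPLE_RECORD, date.fromisoformat(as_of))


if __name__ == "__main__":
    print(demo())
```

Note the age edge case: the same record de-identified as of 2021-01-01 yields an age of 89 and keeps the birth year, whereas as of 2021-07-01 the patient is 90, so the age becomes "90+" and the birth year is dropped, exactly as the date rule above requires.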
Common Breaches of HIPAA
One of the most common, and most innocent, causes of a HIPAA violation is simply a lack of awareness of what does or does not constitute one. It is therefore essential to require regular compliance training so that employees know what they can and cannot do.
The following list contains some of the most commonly listed HIPAA violations and breaches:
- Mishandling of medical records – HIPAA requires that printed medical records, including patient charts, medical history, notes and test results, be kept locked away and out of view of anyone without a need to see them. All too often, practices leave patient records out where other patients can read or take them.
- Lost or stolen devices – Theft of PHI is another common concern, since such information is readily stored, accessed, and disseminated via laptops, smartphones, and tablets. Because of their portability, all such devices are exposed to theft or loss. Businesses therefore need to follow the NIST guidelines for managing mobile device security (NIST SP 800-124, listed in the references below). This includes adding measures to prevent unauthorized access to PHI, such as:
- Social media – Although it may seem harmless, if your business has a social media account, posting photos of your patients can be a serious HIPAA violation. Even if a photo is posted without a name, someone may recognize the person, see what type of doctor they are visiting, and thereby learn something about the patient's medical history they would not otherwise know. This is a clear violation of the patient's privacy.
- Employees sharing information – Employees may not discuss or gossip about patients with friends, family members, or coworkers. Conversations about a patient must stay between the nurses and doctors working that patient's case. Disclosing private information even to one's own friends and family without the patient's permission can be a serious breach of HIPAA.
- Social conversation breaches – Although social breaches are harder to quantify or measure, they can be just as damaging. Typically, a person asks a doctor or nurse about a friend or colleague whom they know to be a patient. Even if the person is simply inquiring after the friend's health, discussing the diagnosis or other details without the patient's consent can result in serious penalties.
- Texting or messaging patient information – It may seem easier for coworkers to relay patient information such as test results, doctor's orders, or vital signs via text or a consumer messaging service, but doing so puts patient data on carrier networks and third-party servers outside the covered entity's control, where it can be intercepted or exposed. If you wish to communicate this way, both parties must use an encrypted messaging platform that protects the information in transit and at rest.
- Reading patient information on home computers – It is quite common for doctors to review patient information on their home computers or laptops. On its face this is not a violation, but if the information is left up on the screen it can be seen by friends, family, or guests. To prevent this, doctors' laptops should require a password, lock the screen automatically, and have full-disk encryption enabled.
- Failure to obtain authorization – Patients must give written authorization before a covered entity uses or shares their PHI for any purpose other than treatment, payment, or healthcare operations. If you are unsure whether an authorization is required, it is safest to ask for one rather than expose yourself to a violation.
- Illegal access of patient files by employees – Employees who access patient information outside the bounds of their work, whether out of curiosity, spite, personal gain, or simply to check up on a friend, are breaking the law, and each such access can be a costly breach of HIPAA.
Penalties for Breach of HIPAA
Through HITECH, HHS created an enforcement mechanism for HIPAA breaches and for failure to address noncompliance. To distinguish the levels of noncompliance, HHS outlined a four-tier civil penalty system:
- Tier 1 – Your business did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA.
- Penalty range of $100 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 2 – Reasonable cause: your business knew, or by exercising reasonable diligence would have known, of the violation, but it did not amount to willful neglect.
- Penalty range of $1,000 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 3 – Your business willfully neglected HIPAA's rules but corrected the violation within 30 days of discovering it.
- Penalty range of $10,000 to $50,000 per violation, with an annual maximum of $1,500,000.
- Tier 4 – Your business willfully neglected HIPAA's rules and made no corrective effort.
- Penalty of $50,000 per violation, with an annual maximum of $1,500,000.
Individual Civil Penalties
Employees who violate HIPAA rules can face serious civil penalties if found responsible. According to the HIPAA Journal:
The Office for Civil Rights can impose a penalty of $100 per violation of HIPAA when an employee was unaware that he/she was violating HIPAA Rules up to a maximum of $25,000 for repeat violations. In cases of reasonable cause, the fine rises to $1,000 per violation with a maximum of $100,000 for repeat violations, for willful neglect of HIPAA Rules where the violation was corrected the fine is $10,000 and up to $250,000 for repeat violations and willful neglect with no correction carries a penalty of $50,000 per violation and up to $1.5 million for repeat violations.
If the Office for Civil Rights sees conduct, whether by a business or an employee, that it considers malicious or criminal, it can refer the case to the Department of Justice. As with the civil penalty tiers, the punishment depends on the extent to which the offender knew they were violating HIPAA rules:
- Low-level violation – Max penalty of $50,000, and/or up to a year in prison.
- Violation under false pretenses – Max fine of $100,000 and/or up to five years in prison.
- Max level violation – Knowingly violating HIPAA's rules can result in a maximum fine of $250,000 “when healthcare information is stolen with the intent to sell, transfer, or use for personal gain, commercial advantage, or malicious harm.” The guilty party may also face up to 10 years in prison.
Complying with HIPAA
Breaches of HIPAA can result in a loss of patient trust, damage to your company's reputation, and a host of fines and fees. If you wish to protect your business, employees, and patients, it is crucial that you take every proper measure to ensure you are acting in accordance with HIPAA's rules.
RSI Security has worked with countless companies to ensure that their operations and employees are compliant with HIPAA and HITECH. We are a full-service HIPAA compliance assessor and advisory firm, and have spent more than a decade providing employee training, oversight, patient data security assessments, and prescriptive recommendations. So, if you want an expert on your side, we are here to help!
Peel, D. Privacy and Health Research can Co-Exist. Healthcare IT News (2006). https://www.healthcareitnews.com/news/peel-privacy-and-health-research-can-co-exist
HIPAA Journal. What is Considered Protected Health Information Under HIPAA? (2018). https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/
HHS. Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with HIPAA's Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
NIST. Guidelines for Managing the Security of Mobile Devices in the Enterprise, SP 800-124 Rev. 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
HIPAA Journal. What is the Civil Penalty for Knowingly Violating HIPAA? (2018). https://www.hipaajournal.com/civil-penalty-for-knowingly-violating-hipaa/