HIPAA FINES: 10 Common HIPAA Violations to Avoid

The US DHHS enforces the HIPAA Regulations

Mistakes happen and it is normal for human beings to make errors. But when it comes to HIPAA regulations, making mistakes can cost you and your company millions of dollars in fines or settlement payments.

Many mistakes have been made in the handling of personal health information, and some have been plain silly. Learning from other people's mistakes is the best way to avoid the pain that accompanies these errors.

The following are 10 common mistakes that have resulted in the payment of large fines for HIPAA violations.

1. Telephone Messages to Unauthorized Parties

In this case, a hospital staff member called a patient's home and left a message with the patient's daughter that revealed personal health information, including details of her medical condition and the kind of treatment she was receiving. Under HIPAA, confidential communications must be relayed to the patient through the mode that the patient specifies. Here, the hospital had called her home even though she had specifically stated that any calls should go to her office number.

2. Sending Out More Information Than Is Required

A health provider disclosed a patient's personal health information when it sent the patient's entire record to an insurance company without authorization. The mistake happened because the patient had used their own authorization form instead of the standard form when granting authorization. Though the mistake could have been blamed on the patient, it was the health provider's responsibility to use the right document.

3. Failing to Provide Notice of Privacy

A mental institution failed to provide a patient with the notice of privacy that is required before a medical evaluation is carried out. Under HIPAA, patients must be given a notice of privacy that states their rights and obligations before a health institution provides any service. The notice describes how the personal health information that will be collected will be used and how the patient can access that information.

4. Insecurely Photocopying Patient Records

A health plan leased photocopying machines that were used to copy thousands of patient records. After returning the copiers to the leasing company, the health plan realized that it had forgotten to erase the copiers' hard drives. This left the records of thousands of people in the wrong hands and is a serious breach under the HIPAA rules.

HIPAA Complaints per Year

Year   No. of Complaints   Increase
2005   6866                n/a
2006   7362                496
2007   8221                859
2008   8729                508
2009   7587                -1142
2010   8674                1087
2011   9022                348
2012   10545               1523
2013   12915               2370

Yearly HIPAA complaints received by the HHS. Source: HHS-OCR

5. Failure to Secure Online Records

A health provider failed to adequately protect its web-based services, thereby exposing the records of thousands of patients to unauthorized access. The electronic personal health information (ePHI) held in the databases of the web application was not secured, and there was no documented assurance that the data could not be accessed by unauthorized parties.

6. Loss of Thumb Drive Containing Health Information

An employee left a thumb drive containing over 2000 records of personal health information in a car; the thumb drive was stolen and never recovered. In addition to the loss itself, the institution did not notify the HHS within the prescribed time, which is thirty days after such an incident.


7. Releasing a Patient’s Details to the Media

In response to allegations about the inadequacy of its operating procedures, a medical facility gave an interview to the media that touched on the personal information of a patient. The medical centre gave details of the treatment the patient had received and her lab results without her authorization.

8. Discussing Medical Information of a Patient in Public

A health centre was fined heavily for violating the HIPAA privacy rule when a practitioner discussed patient information within earshot of the public in a waiting room. This was a clear breach because people who were not supposed to have access to the personal health information obtained it by overhearing the conversation.

Did You Know?

The most common compliance issues that the HHS investigates each year include:

  • Impermissible use of personal health information
  • Lack of proper safeguards to prevent loss of electronic data
  • Illegal disclosures of individually identifiable health information
  • Lack of safeguards against disclosures

9. Sending Patient Details to Employers Before the Patient Accesses Them

The health provider in this case sent all of the information from a patient's evaluation to the patient's employer before the patient himself had been given access to it. Under HIPAA, the patient's authorization was required before the information could be sent to the employer. This resulted in a complaint that was resolved under a resolution agreement with the HHS Office for Civil Rights (OCR).

10. Failure to Provide Access to Records

A covered entity under HIPAA refused to give its employees access to the medical records it held on them, even after repeated requests. The employees wanted their medical records because they were seeking the services of health providers other than the ones the company was using. This refusal to grant the employees access to their records resulted in the company being slapped with the first ever Civil Money Penalty (CMP) under the HIPAA regulations.

11. Sending Personal Health Information to the Wrong Address

Due diligence must be exercised to ensure that the correct address is used when sending personal health information. In this case the covered entity sent PHI to an address that was not the one in the record and had to have it returned. Though the information was returned intact and was not seen by unauthorized parties, the action represented a serious violation under HIPAA, because the procedures for handling personal health information were not in place.

Definition of HIPAA Terms

Business Associate: any party that does not work under the Covered Entity but provides support services that put it into contact with patient information, either directly or indirectly.

Criminal Penalties: the fines and jail terms given to parties who misuse personal health information.

Covered Entities: individuals or corporations that provide services in health care. These services include treatment, payment or operations related to the health care industry.

Security Rule: the section of the HIPAA regulations that is meant for the protection of health information that is stored and transmitted electronically.

HIPAA Violations: non-conformities with the HIPAA regulations that will result in criminal or monetary penalties.

Protected Health Information: any individually identifiable health information that is collected by healthcare providers or personnel.

Due Diligence: the taking of all possible and foreseeable steps to prevent a HIPAA violation from occurring.

Business Associate Agreement: a document that defines the roles and responsibilities of the Covered Entities and their Business Associates and acts as an assurance that each party will act in a manner that provides the requisite safeguards against breach of patient rights in regard to information.

Individually Identifiable Health Information: information such as address, name, or social security number that can be used to identify a patient.