
A HIPAA violation is a non-compliant disclosure of protected health information (PHI) that compromises healthcare data privacy and security. Put simply, any unauthorized use or disclosure of PHI is considered a data breach and leads to penalties.

HIPAA violation fines can reach up to $50,000 per occurrence, and the highest annual penalty is $1.5 million per violation. Moreover, such breaches can threaten medical practices, jeopardize the institution’s reputation and even lead to suspension of the guilty party’s medical license or jail time. That’s why every medical organization needs to ensure it is HIPAA compliant at all times, including in the software it uses.

As technology continues to enhance patient outcomes and engagement, it’s more critical than ever that healthcare institutions know how to comply with HIPAA and avoid data breaches.

Consequences of HIPAA Violation 

The Department of Health and Human Services’ Office for Civil Rights (OCR) has the power to penalize any involved hospital or health-related service for HIPAA violations of any scale.

HIPAA violations are usually revealed in three main ways:

  1. Investigations into data breaches by OCR or state attorneys general
  2. Investigations into complaints about healthcare facilities or business associates
  3. HIPAA compliance audits

Examples of HIPAA violation and ways to prevent breaches

The consequences of HIPAA violations can be severe, and it’s important to know what fines can be applied by OCR even if no breach of PHI has occurred. The financial consequences of a data breach depend on the level of negligence, the number of records exposed and the risk posed by the unauthorized disclosure.

Types of Data Breaches and Ways to Prevent Them

Malware and Ransomware

Ransomware is a type of malicious program that can be delivered by email, via a suspicious link, or through corrupted files. Usually, the message states that all captured data from the device or even the entire network will be wiped or released to the public if the organization fails to pay a certain fee. However, there’s no guarantee that the organization will regain access to its data even after paying up. Such malicious programs may not only wipe essential data but also shut down the entire system, leading to severe consequences.

Malware or viruses can be sent to people to destroy data stored on their devices. If such malware were sent to a medical institution, it could wipe millions of records containing patients’ data, resulting in severe consequences.

How to prevent:

  • Use an up-to-date and secure antivirus system on all corporate devices;
  • Store all data in a cloud server or on-premise with limited access;
  • Back up your system to separate data storage. For example, if the data center where a HIPAA-compliant application is hosted loses power, you need to be able to restore or run the application in a second data center;
  • Utilize software solutions that are able to track real-time data and send alarms in the case of suspicious activities.

Emailing ePHI to Personal Email Accounts and Disclosing Patient Information

Employees emailing ePHI to personal email accounts is one of the more common HIPAA violation cases and may be routine practice at a healthcare facility with a personnel shortage.

Despite the intentions, whether it is to complete work at home or catch up on a backlog, it is a HIPAA violation. Also, any emailing of ePHI to a personal email account could be considered theft, the consequences of which could be far more severe than termination of an employee.

If employees talk about patients to coworkers or friends, it is a HIPAA violation leading to severe consequences. Employees should only discuss patient information privately and only with other medical personnel.

HIPAA compliance for email is not always required if a healthcare provider has an internal email network protected by an appropriate firewall. But messages need to be secured in transit if they contain ePHI and are sent outside a protected internal email network beyond the firewall.

It’s essential to ensure that only authorized personnel have access to data centers, server cabinets, vaults, and any other location where ePHI data is stored.

How to prevent:

  • Using a HIPAA-compliant cloud-based email service, which only covers a message when all senders and all recipients have accounts on the same cloud-based email service;
  • Employing encrypted email services that secure the email on its way to the recipient;
  • Utilizing secure data-exchange portals: if your EMR/EHR system provides a patient portal, it gives you a secure place to store information. When a message is sent to the recipient, they receive a notification about it and can read it only after logging in.

Hacking

Hacking is a real threat to medical ePHI, and there are many people who want to use this data for ill-disposed purposes. Hence, medical institutions need to ensure that their data is protected against hacking.

HIPAA Journal data breach statistics show hacking is now the main cause of healthcare data breaches.

How to prevent:

  • Using unique and secure passwords to access digital files, and changing them frequently;
  • Encrypting the data and ensuring the system is protected by firewalls that separate the secure network from the internet and only allow pre-cleared traffic to pass through;
  • Using a secure personnel authorization system with two-factor authentication;
  • Initiating a security risk analysis to identify vulnerabilities in the security systems and the threats to them.

Data Stored On Devices

Approximately half of all data breaches are the result of device theft. If the data stored on devices is not encrypted or password-protected, the device’s loss or theft becomes a more severe issue.

Some doctors and nurses tend to use their own laptops or smartphones to access patient data after hours. In itself, this isn’t a HIPAA violation, but it can very easily turn into one if the screen is left unattended and a family member takes a glance.

How to prevent:

  • Encrypting the PHI data is extra protection in case a device (smartphone, tablet, laptop, etc.) containing PHI is lost or stolen. It offers an additional security layer if a password-protected device is somehow accessed. Although it’s not a strict HIPAA requirement, it keeps sensitive information from falling into the wrong hands;
  • Developing highly secure apps that do not allow taking screenshots, downloading, or copying data to devices;
  • Using a secure network and ensuring that users can’t access the data without authorization.

Improper Disposal of Records

One of the essential procedures to enforce is the proper disposal of PHI records. Employees should understand that all data containing PHI, such as social security numbers, medical practices, and diagnoses, should be destroyed or wiped from the hard drive.

Suppose any of this information is left lying around, for example, in a computer’s recent files folder or in a trash can. In that case, it could get into the wrong person’s hands, and this would be a severe HIPAA violation.

How to prevent:

  • Ensuring that all electronic media stored on digital devices has been permanently erased when an electronic data carrier’s service life comes to an end or there is a need for repair. Besides devices used for ePHI storage, this includes digital printers, scanners, copiers, and fax machines.

5 Biggest HIPAA Violation Cases 

Examples of HIPAA violations, and the lessons we can learn from them, are a way to minimize data breaches. Below are some of the latest and biggest violation cases.

1. PHI Breach at a Cancer Center 

A cancer center located in Texas was forced to pay over $4.3 million in civil penalties after three data breaches that led to HIPAA violations. The OCR investigation showed that a PHI breach affecting over 34,000 patients resulted from the theft of three devices. While the cancer center had encryption policies for preventing a potential breach from theft, the laptop and USB thumb drives had no encryption or password protection.

Lessons to learn: A HIPAA violation occurred since not all devices were encrypted or password-protected, and unprotected flash drives were in use. Instead, it’s much more secure to transfer data within a closed network. Such safeguards are needed to protect the integrity, confidentiality, and availability of PHI.

2. Failure to Safeguard ePHI at the University

Idaho State University’s Medicine Clinic disabled the firewall that was protecting a server with the medical records of 17,500 patients. The firewall was inactive for ten months, leaving the data exposed to unauthorized third parties for an unacceptable period. To resolve the HIPAA violations, OCR agreed to a fee of $400,000.

Lessons to learn: Had the university reviewed its procedures, policies, and systems as required under the HIPAA Security Rule, it could have identified the deactivated firewall earlier and taken prompt action to address the issue.

“Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said Leon Rodriguez, OCR Director.

3. Unsecured FTP Servers

The FBI informed Touchstone Medical Imaging that one of its file transfer protocol (FTP) servers was accessible over the Internet and allowed anonymous connections to a shared directory. This breach exposed PHI files of 307,839 individuals, and OCR obliged Touchstone Medical Imaging to pay $3,000,000 to resolve the violations.

Lessons to learn: Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality of ePHI. Moreover, the organization didn’t enter into business associate agreements with vendors before giving them access to systems containing ePHI.
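The Touchstone case came down to an FTP server that accepted anonymous logins. The following is an added example (not from the article or from any real server) of a configuration audit a practitioner could run as part of the routine risk analysis the lesson calls for. It assumes the server is vsftpd, whose `vsftpd.conf` uses `key=value` lines, and flags the weak settings that produce an anonymous, cleartext file share, including ones that vsftpd enables by default when the directive is simply missing.

```python
"""Audit a vsftpd configuration for the weaknesses behind an anonymous,
Internet-exposed file share. Added example; assumes vsftpd.conf syntax."""

from typing import Dict, List

# Directive -> (value that is insecure, finding text). Values compared case-insensitively.
RISKY_DIRECTIVES = {
    "anonymous_enable": ("YES", "anonymous logins allowed"),
    "anon_upload_enable": ("YES", "anonymous users may upload files"),
    "ssl_enable": ("NO", "control and data channels are cleartext"),
}

# vsftpd's compiled-in defaults: anonymous_enable is YES unless the admin turns it off,
# so a config that never mentions it is still an anonymous server.
DEFAULTS = {"anonymous_enable": "YES", "anon_upload_enable": "NO", "ssl_enable": "NO"}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return directive -> value; later lines override earlier ones, comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().upper()
    return conf


def audit_vsftpd(text: str) -> List[str]:
    """List findings; an empty list means none of the checked weaknesses are present."""
    conf = parse_vsftpd_conf(text)
    findings: List[str] = []
    for key, (bad_value, message) in RISKY_DIRECTIVES.items():
        effective = conf.get(key, DEFAULTS[key])
        if effective == bad_value:
            origin = "set explicitly" if key in conf else "vsftpd default, directive missing"
            findings.append(f"{key}={effective} ({origin}): {message}")
    return findings


# Constructed sample configurations for the two cases (not taken from any real server).
WEAK_CONF = "listen=YES\nanonymous_enable=YES\nanon_upload_enable=YES\n"
HARDENED_CONF = (
    "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\n"
    "ssl_enable=YES\nforce_local_data_ssl=YES\nforce_local_logins_ssl=YES\n"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf) or ["no findings"])
```

The weak config yields three findings (the missing `ssl_enable` is reported as a default), the hardened one none; an empty file is still flagged for anonymous access because of the compiled-in default.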

4. 78.8 Million Record Breach for Multiple Compliance Failures

An investigation into Anthem Inc’s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. Cybercriminals had breached Anthem Inc’s defenses and gained access to its systems and members’ sensitive data. The attackers gained a foothold in the network through spear-phishing emails sent to one of its subsidiaries. OCR obliged Anthem to a record-breaking settlement of $16,000,000 to resolve the violations.

Lessons to learn: Insufficient technical controls to prevent unauthorized ePHI access, together with inadequate procedures for reviewing access to electronic information systems, lead to HIPAA violations.

5. Disclosure of PHI in Mailing

This case began when a patient submitted a complaint to OCR about an unacceptable disclosure of PHI in a mailing. Sentara Hospitals reported that the breach impacted eight individuals, but the OCR investigation discovered that in reality 577 patients had been affected. The case was settled for $2.175 million.

Lessons to learn: It’s essential to revise policies and procedures at least annually, or more frequently if appropriate, ensuring the organization’s compliance with HIPAA Rules.

Wrapping Up 

Many of the most common causes of HIPAA violations can be attributed to a lack of employee education about HIPAA. That’s why it’s essential to provide regular HIPAA training for personnel when there are changes to regulations and then keep the rules fresh in everyone’s mind.

Likewise, healthcare organizations and providers must establish business associate agreements with any third-party solution to ensure data confidentiality. Technology is a great tool to streamline and improve patient care, especially when it is used by companies that value and prioritize HIPAA compliance.

In this article, we shared some of the practices that help to prevent data breaches by ensuring high-level security. But there are more procedures that should be implemented such as administrative, physical, and technical safeguards.

NIX has vast experience in providing software engineering services for the healthcare industry. From mobile to web healthcare solutions, we know how to develop HIPAA-compliant software and are ready to offer technical assistance.

Natalie Tkachenko Healthcare Software Solutions Consultant at NIX

Natalie is a HIPAA-certified expert with high-grade knowledge in the healthcare and pharmaceutical industries with 5+ years of experience. She helps CIOs, CTOs of medical organizations, and founders of agile healthtech startups get the most valuable tech solutions for fundamental digital reinforcement in patient care, automation of operational processes, and overall business progress.
