Previously, there was an alarming increase in HIPAA-related violations. Recent statistics show that around 20 million individuals were affected by data breaches due to malware attacks and unauthorized access. According to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the most notable healthcare data breaches happened in the first quarter of 2023.
This article provides an in-depth overview of HIPAA violation statistics, including trends and key insights into the types of violations reported.
Table of Contents
Understanding the Scope of HIPAA Violations
Covered entities that fail to comply with HIPAA rules can face hefty penalties. HIPAA violations mainly stem from unauthorized access and disclosure of protected health information (PHI). During internal audits, supervisors may also identify employees who fail to adhere to the company’s compliance procedures and policies.
Here are some examples of common HIPAA violations:
Healthcare records snooping
Gaining access to patient PHI without proper consent or authorization violates the HIPAA Privacy Rule. Employees caught snooping on medical records often get disciplinary action, leading to temporary suspension or termination.
Incomplete risk analysis
Failure to conduct an organization-wide risk analysis is one of the common HIPAA violations. Without regular risk management, organizations couldn’t identify and resolve vulnerabilities that may affect the safety and integrity of PHI.
Denying patients access to their health records
Under the HIPAA Privacy Rule, patients can obtain copies of their medical records. They can even check their records for errors and ask for corrections. A medical provider denying a patient’s right to access medical records could lead to legal or financial repercussions. Overcharging for copies and not giving patients access to their medical records within 30 days is a clear violation of HIPAA.
Not securing a Business Associate Agreement (BAA)
Failure to secure a BAA with third-party vendors is one of the most common HIPAA violations. Without a duly signed BAA, it would be difficult to determine a business associate’s compliance with HIPAA. A BAA makes a third-party vendor or partner legally accountable in case of a breach.
Lack of ePHI access controls and encryption
Covered entities under HIPAA are strictly required to limit access to ePHI to authorized individuals only. Organizations may unknowingly commit data breaches if they fail to use robust encryption methods and secure user access controls. Encryption and other security measures are mandatory and non-negotiable.
Failure to issue breach notifications
Following a HIPAA violation, covered entities must immediately update the affected individuals. The HIPAA Breach Notification Rule requires healthcare organizations to notify their patients no later than 60 days after the discovery of the data breach. Delaying this deadline can also lead to financial penalties.
Unauthorized disclosure of PHI
Disclosing PHI to individuals other than the patient without proper consent is strictly prohibited. Most of these unauthorized disclosures involve a patient’s employer, unattended computers, and medical record mishandling. Releasing PHI after the authorization expiry is also forbidden under the HIPAA Privacy Rule.
Wrongful disposal of PHI
If the retention periods of PHI have passed, organizations must ensure the secure and permanent disposal of sensitive patient health records. Shredding paper records can prevent malicious actors from retrieving the disposed data. As for electronic health records, it’s best to perform a complete wipe of media storage or physically destroy hard drives to prevent unauthorized access.
Notable HIPAA Violation Trends
Cyberattacks continue to challenge the HIPAA compliance efforts of most organizations. From 2020 to the present, more and more covered entities are undergoing HIPAA investigations.
The list below shows the trends based on recent HIPAA violation statistics:
1. The healthcare industry is a top security breach contributor.
In 2020, 79% of reported breaches arose from the healthcare sector. The most common violation was unauthorized disclosure of PHI. Patient data were compromised, including laboratory test results, prescriptions, names, addresses, Social Security numbers, and emails.
2. Exposed medical records continue to rise.
The HHS Office for Civil Rights (OCR) evaluated 5,150 healthcare data breaches in the last decade. Compared to data from 2018, the number of data breaches doubled in 2023. This suggests the need for organizations to develop stringent access controls and updated security policies.
3. HIPAA penalties and data breach costs are higher than prevention.
As of 2023, businesses spend an average of $9.3 million per violation. They would rather hire new staff than improve their data security measures. Despite HIPAA compliance standards, 60% of healthcare organizations still rely on their own protocols.
Recent HIPAA Violation Case Studies
The HHS’ OCR recently reviewed multiple HIPAA-related complaints involving major hospitals, foundations, and medical centers. Most of these reported HIPAA violations were security breaches within their IT systems.
Memorial Hermann Health System: Impermissible disclosure of PHI
Memorial Hermann Health System has agreed to settle for $2.4 million worth of financial penalty due to impermissible disclosure of PHI. Accordingly, a hospital staff disclosed the name of the patient who presented a fraudulent identification card.
New England Dermatology and Laser Center: Improper Disposal of PHI
New England Dermatology and Laser Center (NDELC) paid a $300,640 penalty to resolve the improper disposal of PHI case filed against them. NDELC tossed empty specimen containers in the trash without removing patients’ names, birth dates, sample collection dates, and the names of the providers.
Oklahoma State University: Delayed breach notification
Oklahoma State University – Center for Health Sciences (OSU-CHS) agreed to settle with HHS OCR and paid $875,000 following a delayed breach notification violation. Accordingly, 279,865 individuals were affected by a malware attack on November 7, 2017, but hackers had access since March 2016.
Common Causes of HIPAA Violations in the Workplace
HIPAA violations often result from poor data security policies and procedures. Sometimes, organizations are unaware of a data breach until it brings massive damage.
Here’s why HIPAA violations commonly occur inside or outside the workplace:
Employee negligence
According to the HIPAA Journal, 53% of healthcare data breaches are due to employee negligence. Improper handling of medical data can lead to unauthorized disclosure of PHI. This can be accidental or intentional. Some employees also intend to give out a patient’s health data and use false identities to sell or claim money from insurance.
Lack of training
A survey from 2021 suggests that 24% of healthcare employees did not undergo sufficient security awareness training. Improperly trained staff may not readily identify malicious activities such as phishing and cyber-attacks. Thus, it’s a must for organizations to undergo regular compliance and security awareness training to minimize the occurrence of such incidents.
Lost devices
68% of healthcare data breaches stemmed from lost devices in 2022. Misplaced computers and phones with confidential information can be vulnerable to hackers. As a result, hackers can leak or use data on lost devices and sell them to the black market.
Impact and Consequences of HIPAA Violations
Breaking the HIPAA rules is subject to severe consequences and hefty penalties. Criminal violations of HIPAA can be charged from $50,000 up to a maximum fine of $250,000, depending on severity. Meanwhile, civil penalties for HIPAA violations can range from $100 to $1,500,000 per violation.
On top of this, any entity or individual found guilty of intentionally disclosing PHI without consent could face years of imprisonment. Ultimately, violating HIPAA means losing a patient’s trust, causing significant damage to reputation.
