What is a HIPAA violation?

With all the talk about HIPAA and its stringent rules, what exactly is a HIPAA violation? A HIPAA violation occurs when a covered entity (or one of its business associates) fails to comply with the standards and implementation specifications set out in the HIPAA Rules. There are a number of ways a covered entity can commit a HIPAA violation:

  • Disclosing protected health information (PHI) without permission
  • Accessing PHI without authorization
  • Improper disposal of PHI
  • Failing to conduct a risk analysis
  • Failure to manage risks
  • Failure to implement the administrative, physical and technical safeguards required to ensure the confidentiality, integrity and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant business associate agreement prior to giving access to PHI
  • Failure to provide copies of PHI to patients when they ask
  • Failure to implement access controls that limit PHI access to those who need it
  • Failure to terminate access rights to PHI when they are no longer required
  • Failure to provide HIPAA and security awareness training
  • Sharing PHI online or via social media without permission
  • Mishandling PHI, or mailing or sending it to the wrong recipient
  • Theft of patient records
  • Failure to encrypt PHI, or to apply an equivalent alternative measure, to prevent unauthorized access
  • Failure to have compliance documentation
  • Failure to notify affected individuals (and OCR) of a breach of unsecured PHI without unreasonable delay and no later than 60 days after the breach is discovered

HIPAA violations can be uncovered through internal audits, by supervisors who observe employees in violation, or through reports from patients, individuals or vendors. OCR investigates every reported breach affecting 500 or more individuals, and may also investigate smaller breaches and complaints. It also conducts periodic audits of HIPAA covered entities and their business associates.

Penalties are tiered according to the level of culpability under the HIPAA Enforcement Rule. The annual cap per violation category ranges from $25,000 for the lowest tier (no knowledge of the violation) up to $1.5 million for the highest tier (willful neglect not corrected in time), with these amounts adjusted for inflation each year.