
What is a HIPAA Violation?

If you believe that a covered entity violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule, you may file a complaint with OCR. OCR can investigate complaints against covered entities and their business associates. Visit the Dept. of Health & Human Services website and find out How To File a Complaint.

Or, if you need legal advice on what constitutes a HIPAA violation in your workplace, contact Brian Balow, Attorney with Dickinson Wright, by email.

There are all kinds of HIPAA violation cases out there. Whether they violate the security, administrative or technical safeguards, data breaches often occur within certain parameters, as can be seen from research on the HHS-reported breaches affecting 500 or more individuals.

If you’re looking for the penalties and fines for certain types of HIPAA violations, see the chart below (recently updated to reflect the final HIPAA rules):

VIOLATION TYPE                              | EACH VIOLATION     | VIOLATIONS OF AN IDENTICAL PROVISION IN A CALENDAR YEAR
Individual didn't know they violated HIPAA  | $100 - $50,000     | $1,500,000
Reasonable cause and not willful neglect    | $1,000 - $50,000   | $1,500,000
Willful neglect but corrected within time   | $10,000 - $50,000  | $1,500,000
Willful neglect and is not corrected        | $50,000            | $1,500,000

Source: Department of Health and Human Resources, Federal Register.gov (PDF)

According to the final HIPAA modifications, in applying these amounts the Department will not impose the maximum penalty in all cases, but will instead determine the penalty amount based on the nature and extent of the violation, the nature and extent of the resulting harm, and other factors.

For other HIPAA compliance resources, check out:

What is HIPAA Compliance?
Who Needs to be HIPAA Compliant?
HIPAA Glossary of Terms
HIPAA Resources: Policies, Procedures and Training Materials
HIPAA Compliant Hosting White Paper

The most common cases in the news involved the following:

Unencrypted Data

Although this may be partly because breaches of encrypted data do not have to be reported, the vast majority of reported breaches involve stolen or lost data that was unencrypted. A common theme is the archiving practice of storing patient health records on backup tapes.

While increasing and monitoring the security of storage facilities is important, another alternative is cloud-based IT disaster recovery. By eliminating tape backup, cloud disaster recovery can improve recovery time objectives (RTO) and restore your server data and applications in hours.

Employee Error

Two separate cases involved an employee leaving unencrypted backup tapes containing PHI in their vehicle while parked off-premises. Another case was due to employees mistakenly sending PHI to contractors, who then posted the information publicly online. Still others involved disclosing personally identifiable sensitive information on social media networks.

Training, documenting and monitoring employee adherence to company security policies and procedures is extremely important, and it is one of the easiest preventative actions an organization can take to avoid a data breach. While you should train your own employees, remember that part of due diligence in checking your business associates’ compliance is also verifying that their employees have been trained. Ask your HIPAA hosting provider for the latest dates of their employee training.

Data Stored on Devices

Almost half of all data breaches (49 percent) can be attributed to the theft of physical records. When portable devices are unencrypted or not properly secured by passwords, PINs and other security methods, the risk of a PHI breach increases considerably. Additionally, if you’re not backing up your data frequently, you can lose a lot of valuable patient records if you lose your laptop, smartphone, etc.

One solution is using a HIPAA compliant data center to host your data and applications securely in an offsite location with the appropriate technical, physical, logical and network security in place. With limited remote access, your data stays off your personal and portable devices while your servers are managed and monitored by trained professionals.

Business Associates

Sixty-two percent of data breaches involved a business associate, according to HHS.gov, making the vendor selection process an essential step toward achieving full compliance.

What should you look for when you’re comparing HIPAA hosting providers?

  • An independent HIPAA audit report verifying that the HIPAA hosting provider can actually deliver compliant solutions and a compliant hosting environment that will withstand scrutiny by an auditor measuring against the OCR HIPAA Audit Protocol.
  • Knowledge of which services are essential to helping you meet compliance (a dedicated or virtual firewall/VPN, antivirus, OS patch management, offsite backup/DR) as well as which services are strongly recommended or considered industry best practice.
  • Documented, formal policies and procedures, as well as dates and documentation that all of their employees have undergone training. Dates are important to verify their ongoing compliance.
  • A business associate agreement (BAA) that outlines their responsibilities, ownership, timeline of breach notification, how they handle PHI, etc.

Lapse in Notification

Another mistake made in many HIPAA violation cases is the timing of notification to HHS and affected individuals. HHS requires extensive documentation within 10 days of a data breach, with at least 15 specific components relating to the covered entity’s internal investigation, policies and procedures, physical safeguards, risk assessment, and breach notification. Get a full checklist of the OCR Audit Requirements Following a Self-Reported HIPAA Breach.

Or see an example of Online Tech’s actual BAA Breach Notification Clause, crafted by attorneys Brian Balow and Tatiana Melnik of the Dickinson Wright firm, which states that we will notify our clients within 72 hours of any issue with PHI use or disclosure.

A Clear Difference

There was a real difference between the big data centers and the small ones. And especially between the big ones and Online Tech. We really felt that Online Tech came to us with a solid product offering. And then took our input and made that product offering fit our needs.

- Don Griffiths, Senior VP of IT, United Bank & Trust

HIPAA Compliant SaaS

When Healthmaster decided to offer our products in a SaaS (Software-as-a-Service) Model, we did not want to recreate the data center environment. Online Tech was able to provide that for us without all of the front end investment required to offer our SaaS products.

- Steve McGovern, Director of Technology, Healthmaster
