As more healthcare organizations embrace Software as a Service (Saas) and cloud-based computing, HIPAA compliance becomes more and more critical. Unfortunately, many healthcare organizations and business associates still violate HIPAA regulations, resulting in costly fines and penalties.
In this article, we will look at some of the most common HIPAA violations and the ten biggest HIPAA violations of 2021.
The Most Common HIPAA violations
Before we get to the top ten violations of 2021, let’s examine some of the most common areas where healthcare providers and their business associates run afoul of HIPAA rules.
- Illegal Access to Healthcare Records: One of the most common HIPAA violations is unauthorized access to healthcare records. This can include employees snooping on the files of friends, family members, co-workers or even celebrities.
- Failure to Conduct an Organization-Wide Risk Analysis: A risk analysis is vital for HIPAA compliance, but many organizations fail to conduct one. Without a risk analysis, it’s difficult to identify and mitigate the risks your organization faces with regard to HIPAA.
- Lack of a Risk Management Process: Another essential piece of HIPAA compliance is a risk management process. It outlines how you will address the risks identified during the company-wide risk analysis.
- Denying a Patient Access to their Health Records: The HIPAA Privacy Rule requires healthcare providers to give patients access to their health records upon request. This includes both the electronic and paper versions of the records. Exceeding the timeframe (30 days from the date of request) to provide access is also a HIPAA violation.
- Failure to Sign a HIPAA-Compliant Business Associate Agreement with all Vendors: A HIPAA-compliant business associate agreement (BAA) is a contract between a HIPAA-covered entity and a business associate that outlines the responsibilities of each party with regards to HIPAA compliance.
- Poor ePHI Access Controls: Electronic protected health information (ePHI) is especially vulnerable to theft and unauthorized access. Healthcare providers need to have strong access controls to protect ePHI from prying eyes.
- Lack of Adequate Safeguards on Portable Devices: Healthcare providers use portable devices such as laptops, tablets and smartphones in their day-to-day work. These devices can be easily lost or stolen, leading to a HIPAA violation if they contain any unprotected ePHI.
- Exceeding the 60-Day Deadline for Breach Notifications: The HIPAA Breach Notification Rule requires healthcare providers to notify individuals affected by a data breach within 60 days. Failing to do so can result in hefty fines.
- Impermissible Disclosures of PHI: HIPAA prohibits healthcare providers from disclosing protected health information (PHI) without the patient’s consent or authorization.
- Improper Disposal of PHI: Healthcare providers must take steps to ensure the privacy and security of patient information when disposing of it. This includes destroying or erasing electronic media such as hard drives, CDs, flash drives and shredding paper documents.
- Emailing PHI to a Personal Email Account: HIPAA requires healthcare providers to take precautions when emailing PHI. Unfortunately, one of the most common ways for HIPAA violations to occur is by emailing PHI to a personal email account.
- Leaving Computers, Tablets, Phones and Paperwork Containing PHI Unattended: When leaving computers, tablets, phones and paperwork containing PHI unattended, healthcare providers are taking a risk that unauthorized individuals will access the information.
- Releasing Private Patient Information to Unauthorized People: Releasing private patient information to unauthorized people is a HIPAA violation. This can include releasing information to the media, posting it online, or sharing it with friends and family.
HIPAA Violations 2021
Below are the biggest violations of 2021. Our ranking criteria is the dollar amount of HIPAA fines, penalties, and settlements imposed by The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). Most of the violations for 2021 were regarding the breach of a patient’s right to access their medical records.
Lifetime Healthcare Companies | $5,100,000 Settlement
In January 2021, the Lifetime Healthcare Companies, including its affiliates Excellus Health Plan, Inc., agreed to $5.1 Million to settle a data breach that affected over 9.3 million people in 2015. The OCR’s examination discovered numerous HIPAA breaches, including a failure to conduct an accurate and thorough company-wide risk analysis, reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and the lack of technical rules and procedures for limiting data access to authorized individuals.
As a result, Excellus agreed to settle the case for $5.1 million to avoid costly litigation expenses and also agreed to implement a raft of corrective actions.
Banner Health | $200,000 Settlement
This was concerning two complaints. The Health Insurance Portability and Accountability Act states that patients have the right to access their medical records, which is also known as the HIPAA right of access. The OCR’s audit discovered that Banner Health ACE businesses’ failure to provide timely access to requested medical documents violated patients’ right of access.
Rainrock Treatment Center, LLC | $160,000 Settlement
Rainrock Treatment Center, LLC was accused of failing to provide the complainant with a copy of her medical records in response to two access requests submitted by her on October 1 and November 21, 2019. Rainrock did not deliver the requested documents until May 22, 2020. This was determined to be a HIPAA violation during OCR’s inquiry.
Dr. Robert Glaser | $100,000 Civil Monetary Penalty
Dr. Glaser, a doctor specializing in Cardiovascular Disease and Internal Medicine, received several requests between 2013 and 2018 from a complainant for access to his medical records. Failure to provide the information and cooperate with OCR investigations led to a civic monetary penalty.
Children’s Hospital & Medical Center | $80,000 Settlement
The hospital failed to provide all of the medical records requested by a patient in May 2020 on time.
Renown Health | $75,000 Settlement
In February 2019, a patient submitted a complaint alleging Renown Health did not respond to her request for an electronic copy of her protected health information to be sent to a third party on time. As a result, the OCR opened an inquiry after learning that the healthcare system had failed to provide timely access to the requested documents, including billing statements.
Sharpe Healthcare | $70,000 Settlement
A patient filed a complaint with the OCR on June 11, 2019, alleging that Sharp Healthcare failed to provide him with a copy of his medical records within 30 days as required by HIPAA.
Arbour Hospital | $65,000 Settlement
The enforcement action resulted from a patient complaint to OCR in July 2019. According to the patient, he had requested records from the hospital beginning on May 7, 2019, and had yet to receive them at the time of the complaint, nearly two months later.
Advanced Spine & Pain Management (ASPM) | $32,150 Settlement
An individual filed a complaint with OCR claiming that ASPM failed to provide him with timely access to his protected health information (PHI). The investigation conducted by OCR revealed that the individual had submitted a written records request to ASPM in person on November 25, 2019. However, the individual only received a copy on March 19, 2020, three months later, a clear HIPAA violation.
Denver Retina Center (DRC) | $30,000 Settlement
On June 24, 2019, the HHS received a complaint from a patient alleging that she had made a request for her medical records in December of 2018 and that the DRC had not responded.
To ensure that your organization does not violate HIPAA, it is crucial to be aware of the guidelines set forth by HIPAA and to put into place appropriate compliance measures. Regular audits conducted on your systems and processes are one way to ensure compliance. For more information on how to avoid HIPAA violations, download Central Data Storage’s free eBook.