Does HIPAA Prevent People From Knowing You Are in the Hospital

HIPAA violation reporting


The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI.

The settlements pursued by the Department of Health and Human Services' Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations and to raise awareness of the need to comply with specific aspects of HIPAA Rules.

This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare organizations are being targeted by cybercriminals and that it is not possible to implement impregnable security defenses.

Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.

The OCR breach portal now reflects this more clearly. Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.

How are HIPAA Violations Discovered?

HIPAA violations can continue for many months, or even years, before they are discovered. The longer they are allowed to persist, the greater the penalty will be when they are eventually discovered. It is therefore important for HIPAA-covered entities to conduct regular HIPAA compliance reviews to make sure HIPAA violations are discovered and corrected before they are identified by regulators.

There are three main ways that HIPAA violations are discovered:

  1. Investigations into a data breach by OCR (or state attorneys general)
  2. Investigations into complaints about covered entities and business associates
  3. HIPAA compliance audits

Even when a data breach does not involve a HIPAA violation, or a complaint proves to be unfounded, OCR may uncover unrelated HIPAA violations that could warrant a financial penalty.

What are the 10 Most Common HIPAA Violations?

Listed below are 10 of the most common HIPAA violations, together with examples of HIPAA-covered entities and business associates that have been discovered to be in violation of HIPAA Rules and have had to settle those violations with OCR and state attorneys general. In many cases, investigations have uncovered multiple HIPAA violations. The settlement amounts reflect the seriousness of the violation, the length of time the violation has been allowed to persist, the number of violations identified, and the financial position of the covered entity/business associate.

Snooping on Healthcare Records

Accessing the health records of patients for reasons other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is a violation of patient privacy. Snooping on the healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations usually result in termination of employment but could also result in criminal charges for the employee concerned. Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible, as University of California Los Angeles Health System discovered.

University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization. Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed. Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to 4 months in federal prison.

Failure to Perform an Organization-Wide Risk Analysis

The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to hackers.

HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:

  • Premera Blue Cross – $6,850,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations.
  • Excellus Health Plan – $5,100,000 settlement for risk analysis and risk management failures, and other potential HIPAA violations.
  • Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
  • Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
  • Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
  • Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other HIPAA violations.
  • Steven A. Porter, M.D. – $100,000 penalty for risk analysis and risk management failures.

Failure to Manage Security Risks / Lack of a Risk Management Process

Performing a risk analysis is essential, but it is not just a checkbox item for compliance. Risks that are identified must then be subjected to a risk management process. They should be prioritized and addressed in a reasonable time frame. Knowing about risks to PHI and failing to address them is one of the most common HIPAA violations penalized by the Office for Civil Rights.

HIPAA settlements with covered entities for the failure to manage identified risks include:

  • Alaska Department of Health and Social Services – $1.7 million penalty for the failure to perform a risk analysis and for risk management failures.
  • University of Massachusetts Amherst (UMass) – $650,000 penalty for risk management failures.
  • Metro Community Provider Network – $400,000 penalty for risk management failures.
  • Anchorage Community Mental Health Services – $150,000 penalty for the failure to manage risks to ePHI.

Denying Patients Access to Health Records/Exceeding Timescale for Providing Access

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and share them with other entities and individuals. Denying patients copies of their health records, overcharging for copies, or failing to provide those records within 30 days is a violation of HIPAA. OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019.

HIPAA settlements with covered entities for denying patients access to their records or unnecessary delays in providing access include:

  • Cignet Health of Prince George's County – $4,300,000 penalty for denying patients access to their medical records.
  • Banner Health – $200,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Dignity Health, dba St. Joseph's Hospital and Medical Center – $160,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • NY Spine – $100,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Beth Israel Lahey Health Behavioral Services – $70,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • University of Cincinnati Medical Center – $65,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Housing Works Inc – $38,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Peter Wrobel, M.D., P.C., dba Elite Primary Care – $36,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Riverside Psychiatric Medical Group – $25,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Dr. Rajendra Bhayani – $15,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • All Inclusive Medical Services Inc – $15,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • Wise Psychiatry, PC – $10,000 penalty for a delayed response to a patient's request for a copy of their medical records.
  • King MD – $3,500 penalty for a delayed response to a patient's request for a copy of their medical records.

Failure to Enter into a HIPAA-Compliant Business Associate Agreement

The failure to enter into a HIPAA-compliant business associate agreement with all vendors that are provided with or given access to PHI is another of the most common HIPAA violations. Even when business associate agreements are held for all vendors, they may not be HIPAA compliant, especially if they have not been revised after the Omnibus Final Rule.

Notable settlements for these common HIPAA violations include:

  • Raleigh Orthopaedic Clinic, P.A. of North Carolina – $750,000 settlement for the failure to execute a HIPAA-compliant business associate agreement.
  • North Memorial Health Care of Minnesota – $1.55 million settlement for failing to enter into a BAA with a major contractor and other HIPAA violations.
  • Care New England Health System – $400,000 settlement for the failure to update business associate agreements.

Insufficient ePHI Access Controls

The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has attracted several financial penalties.

Financial penalties issued to covered entities for ePHI access control failures include:

  • Anthem Inc. – $16,000,000 penalty for access control failures and other serious HIPAA violations.
  • Memorial Healthcare System – $5,500,000 penalty for insufficient ePHI access controls.
  • Texas Department of Aging and Disability Services – $1,600,000 penalty for risk analysis failures, access control failures, and information system monitoring failures.
  • University of California Los Angeles Health System – $865,500 penalty for the failure to restrict access to medical records.
  • Pagosa Springs Medical Center – $111,400 penalty for the failure to terminate access to ePHI after an employee termination and a lack of a business associate agreement.

Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices

One of the most effective methods of preventing data breaches is to encrypt PHI. Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt the data is also stolen. Encryption is not mandatory under HIPAA Rules, but it cannot be ignored. If the decision is taken not to use encryption, an alternative, equivalent security measure must be used in its place.

Recent settlements for the failure to safeguard PHI include:

  • Children's Medical Center of Dallas – $3.2 million civil monetary penalty for failing to take action to address known risks, including the failure to use encryption on portable devices.
  • Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000 settlement for the failure to use encryption, the failure to conduct an enterprise-wide risk analysis, and the failure to manage risks.
  • Lifespan Health System Affiliated Covered Entity – $1,040,000 penalty for the failure to encrypt data and a lack of device and media controls, resulting in the impermissible disclosure of 20,431 patients' ePHI.

Exceeding the 60-Day Deadline for Issuing Breach Notifications

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach. Exceeding that time frame is one of the most common HIPAA violations, which has seen two penalties issued this year:

  • Presence Health – $475,000 settlement for delaying the issuing of breach notifications by a month.
  • CoPilot Provider Support Services Inc. – $130,000 settlement with the NY Attorney General for delayed breach notifications.

Impermissible Disclosures of Protected Health Information

Any disclosure of protected health information that is not permitted under the HIPAA Privacy Rule can attract a financial penalty. This violation category includes disclosing PHI to a patient's employer, potential disclosures following the theft or loss of unencrypted laptop computers, careless handling of PHI, disclosing PHI unnecessarily, not adhering to the 'minimum necessary' standard, and disclosures of PHI after patient authorizations have expired.

Settlements for impermissible disclosures of PHI include:

  • Memorial Hermann Health System – $2.4 million settlement for disclosing a patient's PHI in a press release.
  • New York Presbyterian Hospital – $2,200,000 penalty for filming patients without consent.
  • Massachusetts General Hospital – $515,000 penalty for filming patients without consent.
  • St. Luke's-Roosevelt Hospital Center – $387,000 settlement for careless handling of PHI/disclosure of a patient's HIV status to their employer.
  • Brigham and Women's Hospital – $384,000 penalty for filming patients without consent.
  • Boston Medical Center – $100,000 penalty for filming patients without consent.

Improper Disposal of PHI

When physical PHI and ePHI are no longer required and retention periods have expired, HIPAA Rules require the data to be securely and permanently destroyed. For paper records this could involve shredding or pulping, and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored, to prevent impermissible disclosures.

Financial penalties issued to covered entities for improper disposal of PHI/ePHI include:

  • Parkview Health – $800,000 penalty for the failure to securely dispose of paper records containing PHI.
  • Cornell Prescription Pharmacy – $125,000 penalty for the improper disposal of PHI.
  • FileFax Inc. – $100,000 penalty for a defunct business over improper disposal of medical records.

Common HIPAA Violations by Healthcare Employees

Snooping on healthcare records is a fairly obvious HIPAA violation and one that all healthcare employees who have received HIPAA training should know is a violation of their employer's policies and HIPAA Rules.

Other common HIPAA violations often come about as a result of misunderstandings about HIPAA requirements. While each of these common HIPAA violations affects far fewer patients than the violations above, they can still cause a significant amount of harm to the patient(s) involved and their employer. They can also result in disciplinary action against the employee responsible, including termination.

Listed below are some of the common HIPAA violations committed by healthcare employees. These common HIPAA violations should be covered as part of the HIPAA training given to employees to raise awareness of these frequent areas of noncompliance.

Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility

It can be difficult to find the time to complete all the necessary tasks within working hours, and it can be tempting to take work home to complete. Removing protected health information from a healthcare facility places that data at risk of exposure. This is a common employee HIPAA violation and may even be routine practice at a healthcare facility that is understaffed. That does not mean it is an acceptable practice.

The same applies to emailing ePHI to personal email accounts. Regardless of the intentions, whether it is to get assistance with spreadsheets, complete work at home to get ahead for the next day, or to catch up on a backlog, it is a violation of HIPAA Rules. Further, any emailing of ePHI to a personal email account could be considered theft, the repercussions of which could be far more severe than termination of an employment contract.

Leaving Portable Electronic Devices and Paperwork Unattended

The HIPAA Security Rule requires PHI and ePHI to be secured at all times. If paperwork is left unattended it could be viewed by an unauthorized individual, be that a member of staff, a patient, or a visitor to the healthcare facility. Were that to happen, it would be considered an impermissible disclosure of PHI.

Electronic devices that contain ePHI must similarly be secured at all times. Electronic devices are portable and valuable. Opportunistic thieves could easily steal an unattended device and gain access to ePHI. There have been many cases of healthcare employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can also easily occur within a healthcare facility if devices are not secured. Healthcare employees must ensure that their employer's policies are followed and that HIPAA Rules are not violated by leaving devices and paperwork unattended.

Releasing Patient Data to an Unauthorized Individual

An authorization form must be obtained from a patient before any of their PHI can be disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule. Disclosing PHI for purposes other than treatment, payment for healthcare, or healthcare operations (and limited other cases) is a HIPAA violation if authorization has not been received from the patient in advance.

Healthcare employees must ensure, prior to disclosing PHI to a third party, that authorization has been obtained from the patient and that information is not disclosed to any individual or company that is not included on the authorization form. Authorization forms are only valid if they have been signed by the patient or their nominated representative.

Releasing Patient Data Without Authorization

In a similar vein to the previous point, healthcare employees must also exercise caution about the types of information that are released to third parties, even if an authorization form has been received allowing a specific individual, company, or organization to receive PHI.

The authorization form should include what types of information have been authorized to be released. Any information that is not detailed on the authorization form must remain private and confidential and should not be shared. The disclosure of additional information would violate the HIPAA Privacy Rule.

Disclosures of PHI to Third Parties After the Expiry of an Authorization

All HIPAA authorization forms must include the names or classes of individuals who are being authorized to receive PHI, the types of PHI that will be disclosed, and the reasons for the disclosures. They must also include an expiry date for the authorization.

PHI must not be disclosed to any individual listed on the authorization form after the expiry date has passed, even if authorization has previously been given to that entity to receive PHI. A new authorization form is required before any further disclosure takes place. It should also be noted that an authorization form without an expiry date is not HIPAA compliant.
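As an added illustration (not part of the original article), the checks described in the last three sections can be expressed as a small validation routine that a records-release workflow could run before anything leaves the organization: the form must be signed, must carry an expiry date that has not passed, must name the recipient, and must cover every type of information being requested. The form fields, the patient and recipient names, and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Authorization:
    """The elements a HIPAA authorization form must carry, per the sections above."""
    patient_id: str
    recipients: FrozenSet[str]   # named individuals or classes authorized to receive PHI
    phi_types: FrozenSet[str]    # types of PHI the patient agreed to release
    purpose: str                 # reason for the disclosure
    expires_on: Optional[date]   # None models a form that carries no expiry date
    signed: bool                 # signed by the patient or their nominated representative


def disclosure_problems(auth: Authorization, recipient: str,
                        requested_types: List[str], today: date) -> List[str]:
    """Reasons a proposed disclosure must be refused; an empty list means it may proceed."""
    problems = []
    if not auth.signed:
        problems.append("form not signed by the patient or their representative")
    if auth.expires_on is None:
        # A form without an expiry date is not a valid HIPAA authorization at all.
        problems.append("form has no expiry date, so it is not a valid HIPAA authorization")
    elif today > auth.expires_on:
        problems.append("authorization expired on " + auth.expires_on.isoformat())
    if recipient not in auth.recipients:
        problems.append("recipient %r is not named on the form" % recipient)
    # Anything not listed on the form stays confidential, even for a named recipient.
    extra = sorted(set(requested_types) - auth.phi_types)
    if extra:
        problems.append("information types not authorized: " + ", ".join(extra))
    return problems


# Constructed sample authorization (hypothetical patient, recipient and dates).
SAMPLE_AUTH = Authorization(
    patient_id="P1001",
    recipients=frozenset({"Acme Life Insurance"}),
    phi_types=frozenset({"immunization record", "discharge summary"}),
    purpose="insurance underwriting",
    expires_on=date(2023, 12, 31),
    signed=True,
)
# Same form, but with the expiry date left blank.
NO_EXPIRY_AUTH = Authorization("P1001", frozenset({"Acme Life Insurance"}),
                               frozenset({"discharge summary"}), "insurance underwriting",
                               expires_on=None, signed=True)

BEFORE_EXPIRY = date(2023, 6, 1)
AFTER_EXPIRY = date(2024, 1, 15)


if __name__ == "__main__":
    cases = [
        ("in scope", SAMPLE_AUTH, "Acme Life Insurance", ["discharge summary"], BEFORE_EXPIRY),
        ("extra type", SAMPLE_AUTH, "Acme Life Insurance",
         ["discharge summary", "psychotherapy notes"], BEFORE_EXPIRY),
        ("expired", SAMPLE_AUTH, "Acme Life Insurance", ["discharge summary"], AFTER_EXPIRY),
        ("wrong recipient", SAMPLE_AUTH, "Some Other Company", ["discharge summary"], BEFORE_EXPIRY),
        ("no expiry date", NO_EXPIRY_AUTH, "Acme Life Insurance", ["discharge summary"], BEFORE_EXPIRY),
    ]
    for label, auth, who, what, when in cases:
        print(label + ":", disclosure_problems(auth, who, what, when) or "release permitted")
```

The routine reports every problem rather than stopping at the first, so the person handling the request can see at once whether a new form is needed (expired or missing expiry) or whether the request merely needs to be trimmed to the authorized information types.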

Impermissible Disclosures of Patient Health Records

The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient – on a HIPAA authorization form – to receive the records before they can be released.

Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient's records are released.

Downloading PHI onto Unauthorized Devices

It can be difficult for healthcare IT departments to keep track of all devices that connect to the network, given how many different devices have network access. Ensuring those devices are secured can be an even bigger problem, yet this is a requirement for HIPAA compliance.

Employees need to be aware that there are privacy and security risks associated with downloading ePHI to unauthorized portable electronic devices. Not only does this increase the risk of an accidental disclosure of ePHI – in the event that the device is lost or stolen – it could also be viewed as theft and a HIPAA violation.

Providing Unauthorized Access to Medical Records

It is the responsibility of the covered entity to ensure that access to patient health data and medical records is only given to authorized individuals. This is achieved by implementing access controls via unique logins.

Employees have a responsibility to ensure that they do not give access to health data to co-workers who may not have the same access rights. The sharing of login credentials could not only result in an impermissible disclosure of ePHI; any actions taken by that co-worker would be attributed to the individual whose login credentials were used to gain access.

FAQs

What does it mean to "reduce risk to an appropriate and acceptable level"?

When potential risks and vulnerabilities are identified, covered entities and business associates have to decide what measures to implement according to the size, complexity, and capabilities of the organization, the existing measures already in place, and the cost of implementing further measures in relation to the likelihood of a data breach and the scale of harm it would cause.

How is it possible to prevent employees snooping on healthcare records?

Although many cases of healthcare snooping are attributable to curiosity rather than malicious intent, all cases of healthcare snooping are HIPAA violations. To prevent employees snooping on healthcare records, covered entities should implement a program of training, ensure access privileges comply with the Minimum Necessary Standard, activate audit logs, and enforce sanctions.

If encryption is not mandatory, how can it be a HIPAA violation if records are unencrypted?

Although encryption is not mandatory, it is an addressable implementation specification of the Security Rule. This means organizations can only avoid implementing the requirement if it is not reasonable and appropriate in the circumstances, or if an alternative security measure is equally effective. If organizations fail to implement encryption, they have to document the reasons why.

Why was the fine for denying patients access to health records so high?

In this particular case, the non-cooperation of the covered entity contributed to the size of the fine (you can read about the case here). Since this case, the CMS' Meaningful Use program has evolved into the Promoting Interoperability program, and – in addition to being sanctioned for a HIPAA violation – any covered entity failing to provide health records in a timely manner could now also lose a percentage of their Medicare payments.
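Activating audit logs, as the snooping FAQ above recommends, only helps if someone reviews them. The following is an added example, not part of the original article, of the kind of review a privacy office could run over EHR access logs: it flags accesses by staff with no documented treatment relationship with the patient, accesses to records of patients who share the staff member's surname (possible relatives), and accesses to VIP-flagged records, while treating an emergency break-the-glass override as something to review rather than an outright violation. It then counts flagged accesses per user so that a pattern like the 323 unauthorized accesses in the UCLA case above stands out. The log format, care-team table, and staff names are constructed for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample EHR access audit log (not real data). One row per record access.
# break_glass=1 marks an emergency override, which legitimately bypasses the care-team
# check but must be justified and reviewed afterwards.
AUDIT_LOG = """timestamp,user,patient_id,patient_surname,vip,break_glass
2023-05-01T08:02:00,nurse_ortiz,P1001,Nguyen,0,0
2023-05-01T08:15:00,dr_lee,P1002,Ortiz,0,0
2023-05-01T12:40:00,nurse_ortiz,P1002,Ortiz,0,0
2023-05-01T13:05:00,clerk_park,P1003,Famous,1,0
2023-05-01T13:06:00,clerk_park,P1004,Smith,0,0
2023-05-01T13:07:00,clerk_park,P1005,Jones,0,0
2023-05-01T22:30:00,dr_lee,P1004,Smith,0,1
"""

# Constructed treatment relationships: which users are on each patient's care team.
CARE_TEAM = {
    "P1001": {"nurse_ortiz", "dr_lee"},
    "P1002": {"dr_lee"},
    "P1003": {"dr_lee"},
    "P1004": {"nurse_ortiz"},
}

# Constructed staff directory, used to spot accesses to records of possible relatives.
STAFF_SURNAMES = {"nurse_ortiz": "Ortiz", "dr_lee": "Lee", "clerk_park": "Park"}


def find_suspicious_accesses(log_text, care_team, staff_surnames):
    """Return one finding per access that needs review, with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        on_care_team = row["user"] in care_team.get(row["patient_id"], set())
        if not on_care_team:
            if row["break_glass"] == "1":
                reasons.append("break-the-glass override used; justification must be reviewed")
            else:
                reasons.append("no documented treatment relationship with this patient")
        if staff_surnames.get(row["user"]) == row["patient_surname"]:
            reasons.append("patient shares the user's surname (possible family member)")
        if row["vip"] == "1":
            # VIP records are listed for review even when the access looks legitimate.
            reasons.append("VIP-flagged record")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "patient_id": row["patient_id"],
                "reasons": reasons,
            })
    return findings


def count_by_user(findings):
    """Number of flagged accesses per user, so repeat behaviour stands out."""
    return Counter(f["user"] for f in findings)


def users_over_threshold(findings, threshold):
    """Users whose flagged-access count reaches the threshold, sorted by name."""
    return sorted(u for u, n in count_by_user(findings).items() if n >= threshold)


if __name__ == "__main__":
    hits = find_suspicious_accesses(AUDIT_LOG, CARE_TEAM, STAFF_SURNAMES)
    for h in hits:
        print(h["timestamp"], h["user"], h["patient_id"], "; ".join(h["reasons"]))
    print("review queue:", users_over_threshold(hits, 3))
```

The care-team table is the key input: an organization that cannot say which staff have a treatment relationship with which patients cannot tell snooping from legitimate access, which is why the Minimum Necessary Standard and audit logging go together in the FAQ answer above.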


Source: https://www.hipaajournal.com/common-hipaa-violations/
