What Is a HIPAA Violation? Most Common Violation Examples

The healthcare industry is rife with risks, particularly as it pertains to protecting patient privacy. Unauthorized access to patient data takes many forms: a nosy employee, a lost or stolen device, an unsecured computer or server, a phishing email, or a ransomware attack. These and other forms of healthcare data breaches can lead to identity theft, insurance fraud, and more.

Legislation is one solution to safeguard protected health information (PHI) and ultimately ensure patient privacy. By ensuring patient data is secure and confidential, the healthcare industry is able to protect patients and their personal information from being misused, abused, or exploited. Additionally, legislation can help safeguard patient safety by ensuring that only authorized personnel have access to medical records, medication orders, and other health-related records.

What Is HIPAA and Who Does It Apply To?

HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law that requires healthcare organizations, including healthcare providers, health plans, health insurers, and healthcare clearinghouses, to protect the privacy of individuals’ health information. HIPAA also requires organizations to protect the security of such data, and to provide individuals with access to and control over their health information. HIPAA applies to all individuals who work for the covered entities and providers, as well as any business associates with whom the covered entities have contracted to carry out certain functions.

What Is a HIPAA Violation?

A HIPAA violation occurs when there is a breach of confidentiality, integrity, or availability of protected health information (PHI). Examples of HIPAA violations include:

  • Improper disposal of PHI
  • Unauthorized access to or disclosure of PHI
  • Failing to implement appropriate security measures to protect PHI
  • Improper use of PHI for marketing purposes
  • Failing to obtain patient authorization before sharing PHI
  • Failing to properly train staff on HIPAA compliance

What Are the Repercussions of a HIPAA Violation?

A HIPAA violation can result in serious consequences for healthcare providers and organizations. Repercussions can include hefty fines, revocation of licenses, public disclosure of the breach, and even criminal charges. The severity of the penalty depends on the nature and extent of the breach. Therefore, it’s crucial for healthcare providers and organizations to strictly adhere to HIPAA regulations to avoid any potential breach and its costly repercussions.

Further, a HIPAA violation can result in a loss of trust and reputational damage for healthcare providers and organizations. Patients and clients rely on healthcare providers to protect their sensitive health information, and a breach can lead to a loss of confidence in their ability to do so. This loss of trust can also lead to potential legal action from affected patients and clients, adding further financial and legal consequences.

In addition, a HIPAA violation can harm a healthcare provider’s competitive edge, as patients may choose to seek care from a competing organization with a better reputation for HIPAA compliance. Overall, the repercussions of a HIPAA violation are serious and can significantly impact the financial stability and reputation of healthcare providers and organizations. It’s imperative therefore for healthcare organizations (covered entities) and their partners (business associates) to prioritize adherence to HIPAA regulations to prevent potential breaches and the costly outcomes that follow.

Most Common HIPAA Violations Among Healthcare Workers

There are several examples of HIPAA violations that healthcare workers commonly commit. One of the most frequent violations is the unauthorized access to patient information. This is often done out of curiosity or for personal gain, such as accessing the medical records of a celebrity.

Another common violation is the improper disposal of patient information. This can occur when healthcare workers fail to shred documents containing PHI or properly dispose of electronic devices that contain PHI.

Additionally, healthcare workers can violate HIPAA by sharing patient information with unauthorized individuals or using patient information for marketing purposes without obtaining the patient’s consent. These violations can result in hefty fines and legal action against healthcare workers and their employers. It is essential therefore for healthcare workers to understand the importance of protecting patient confidentiality and how to abide by HIPAA regulations to avoid potential violations.

What Is the Penalty for a HIPAA Violation by a Hospital Volunteer?

HIPAA breaches committed by hospital volunteers can have severe consequences for both the volunteer and the hospital they work for. In the event of a breach of PHI, the volunteer and hospital may be subject to civil and criminal penalties, as well as reputational damage. Depending on the severity of the breach and the extent of the damage caused, the volunteer may face fines of up to $50,000 and a potential prison sentence. Additionally, the hospital could face civil penalties of up to $1.5 million. To avoid these fines and penalties, it is essential that hospital volunteers are provided with adequate training in handling PHI and understand the importance of protecting patient privacy and confidential information.

How Are HIPAA Violations Discovered?

HIPAA violations are typically discovered through self-reported incidents, reports from someone who is aware of the violation, periodic operational reviews, and third-party audits or assessments. In addition, state and federal agencies may uncover violations through complaint investigations, surveillance, or spot-checks.

Examples of HIPAA Violations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is authorized to take action against any HIPAA covered entity or business associate for failure to adhere to HIPAA laws and regulations. The OCR has the power to impose civil money penalties ranging from $100 to a maximum of $50,000 per violation. The OCR also has the authority to impose corrective actions and to require organizations to adopt an effective compliance program. Some of the largest known settlements for HIPAA violations include:

  • Anthem Inc.—In 2020, the OCR settled with Anthem Inc. for $16 million after a data breach impacted more than 78.8 million individuals.
  • Cignet Health—In 2010, Cignet Health settled with the OCR for $4.3 million after denying 41 individuals their right to access their medical records.
  • NewYork-Presbyterian Hospital and Columbia University—In 2019, the OCR settled with NewYork-Presbyterian Hospital and Columbia University for $8.3 million after a film crew filmed patient rooms without proper authorization.
  • University of Mississippi Medical Center—In 2020, the OCR settled with the University of Mississippi Medical Center for $2.75 million after failing to timely report a case of impermissible use and disclosure of protected health information.
  • Advocate Health Care—In 2017, the OCR settled with Advocate Health Care for $5.55 million after an unencrypted server was stolen and impacted 4 million individuals.

Are Penalties for HIPAA Violations Always Related to Data Breaches?

No, penalties for HIPAA violations are not always related to data breaches. HIPAA violations are violations of patient privacy rules established by the Health Insurance Portability and Accountability Act. Breaches in these rules can come in many forms, including using patient information for marketing purposes or failing to properly protect patient data.

Penalties for HIPAA violations can include civil fines, criminal penalties, new administration or business practices, or follow-up investigations and audits; however, not all of these are necessarily related to data breaches. In some cases, such penalties may be the result of employee actions or due to a failure to properly implement HIPAA requirements. Ultimately, it depends on the specifics of the violation and the discretion of the enforcing agency.

What Is the HIPAA Privacy Rule?

The HIPAA Privacy Rule (more formally known as the “Standards for Privacy of Individually Identifiable Health Information”) is one of the core rules that make up the entirety of the HIPAA regulation and defines the roles and responsibilities of organizations that fall under HIPAA jurisdiction.

The short definition of the Privacy Rule is that it spells out the information that organizations must protect against “unauthorized disclosure,” or the disclosure of patient information without the direct permission of that individual.

The rule also defines what types of organizations must follow these data protection rules, the penalties for failure to protect that information, and the limited contexts in which unauthorized disclosure may be permitted under law.

The core responsibility of any entity governed by HIPAA is to implement security and privacy controls for protected health information (PHI) related to a patient’s care or payment for care.

Under the Privacy Rule, PHI is defined as information about:

  • An individual’s past, present, or future physical or mental health condition
  • The provision of healthcare to that individual, or
  • Past, present, or future payments for the provision of healthcare to that individual
  • The identity of the individual outside of their healthcare

In short, any information used to denote a patient’s care, state of their health, or how they pay for their healthcare, along with personally identifiable information (PII), is considered PHI for HIPAA compliance and governance.

In general practice, HIPAA defines only two legitimate forms of required PHI disclosure:

  • To the individual (patient) or an authorized representative, when they request access
  • To the Department of Health and Human Services (HHS) for compliance investigations

There are, however, several permitted areas of disclosure as well, discussed below.

Covered Entities and Business Associates

HIPAA doesn’t cover every single individual. For example, if someone comes across sensitive PHI by accident and discloses it, they aren’t subject to the penalties or fines of actual, governed entities.

HIPAA applies specifically to two different types of organizations:

What Are Covered Entities Under HIPAA?

A Covered Entity, or CE, is the primary organization subject to HIPAA jurisdiction. These organizations include:

  • Health Plans: Health insurance companies, including drug insurers, HMOs, Medicare, Medicaid, or insurance companies that provide coverage through private plans or those offered by employers, are all subject to HIPAA rules (precisely because they handle both information about care and the payment of care).
  • Healthcare Providers: These are the primary providers of healthcare. Hospitals, doctors’ offices, urgent care clinics, and specialists all fall under this category.
  • Healthcare Clearinghouses: Clearinghouses are essentially middle-man organizations between insurance companies and providers, meant to help insurers properly process claims from various platforms and entities.

What Are Business Associates Under HIPAA?

Business Associates, or BAs, are (as the name suggests) third-party vendors or partners of Covered Entities that fill in some function that touches on PHI. They may not be a CE in and of themselves, but they provide a critical service like payment processing, cloud storage, or application development.

As part of a Covered Entity-Business Associate relationship, HIPAA requires that the partners have a Business Associate Agreement (BAA) that articulates the compliance requirements of their arrangement and how they apply to HIPAA compliance.

Note that while a BA isn’t a CE by definition, an organization can be both: an organization that functions as a CE may offer services to other CEs as a Business Associate (with a corresponding BAA).

What Happens If a Business Associate Violates HIPAA?

When a CE or a BA discloses PHI to an unauthorized user (anyone who isn’t the patient, a company providing healthcare to that patient, or an authorized representative), they have violated HIPAA.

However, per the guidelines and further clarification by HHS, not all disclosures are created equal. In fact, accidental disclosure is the most common form of HIPAA violation.

What does that mean for Covered Entities and Business Associates? The most important part of HIPAA compliance is pursuing, effectively and in good faith, true compliance with the guidelines.

HIPAA compliance doesn’t mean stopping a breach or creating airtight data security. It means following requirements to reduce risk and quickly addressing the issue in cases where violations occur.

However, there are penalties for noncompliance, which aren’t to be sneezed at. Overall, HIPAA penalties are divided into two categories:

Civil Penalties for Violating HIPAA

Civil penalties are the most common form of disciplinary action in the field. HHS and the Office for Civil Rights (OCR) prefer to pursue nonpunitive measures in cases of noncompliance, opting for efforts to remediate issues. As violations become more significant, civil penalties include higher and higher financial measures. The significance of a violation is determined, in part, by the efforts the organization has made to address the issue.

With that being said, civil penalties for HIPAA violations are divided into four tiers:

  • Tier 1: This lowest tier covers issues where unauthorized disclosure occurs, but the disclosure was due to an issue the organization was not aware of and couldn’t reasonably be expected to know about. Additionally, the organization has taken, and is taking, sufficient steps to ensure HIPAA compliance.
  • Tier 2: A step up from Tier 1, Tier 2 covers violations the organization should have been aware of but couldn’t have avoided. That is, the disclosure isn’t due to willful neglect, and the organization is taking steps to remediate.
  • Tier 3: Tier 3 violations occur due to willful neglect of HIPAA where the organization has knowingly failed to meet their responsibilities under the law. However, they have demonstrated attempts to correct the underlying issue of the violation.
  • Tier 4: Tier 4 refers to disclosures that occur due to willful neglect without any attempt to correct the core issue.

As is clear, penalties are tied to how well an organization approaches its responsibilities and how seriously they take those responsibilities in cases of disclosure or breaches.

Penalties can fall on a wide spectrum, and HHS determines them based on the type of HIPAA breach, the willingness of the organization to cooperate with an investigation, and other factors. As of January 2022, the baselines for these penalty tiers (adjusted for inflation) are:

Tier   | Minimum Penalty (per Violation) | Maximum Penalty (per Violation) | Maximum Penalty (per Calendar Year)
Tier 1 | $127                            | $60,973                         | $1,919,173
Tier 2 | $1,280                          | $60,973                         | $1,919,173
Tier 3 | $12,794                         | $60,973                         | $1,919,173
Tier 4 | $60,973                         | $1,919,173                      | $1,919,173

These penalty tiers were put into law with the HITECH Act of 2009.

Criminal Penalties for Violating HIPAA

Criminal HIPAA penalties are much rarer than civil penalties. Most violations are organizational and not the result of individual criminality, and these fall under the definition of a civil offense.

Additionally, many of the issues that would fall under a criminal penalty (committing digital or identity fraud, hacking, etc.) are governed by other laws and aren’t specific to HIPAA or the healthcare industry.

However, individuals directly involved in healthcare can purposely violate HIPAA for personal gain, thus necessitating criminal penalties. These penalties are also broken into tiers:

  • Tier 1: If an individual or organization knowingly obtains unauthorized PHI, they can face a fine of $50,000 and 1 year in jail.
  • Tier 2: If the offender knowingly obtains PHI and uses false pretenses (fraud) to do so, they can face fines up to $100,000 and up to 5 years in jail.
  • Tier 3: If the offender fraudulently obtains PHI with the intent to sell, transfer, or use that information, they can face fines up to $250,000 and up to 10 years in jail.

Who Can Sue for a HIPAA Violation?

The litigation process for a HIPAA violation typically begins with the filing of a complaint in the appropriate court by a plaintiff against a defendant. The complaint will refer to the relevant HIPAA regulations that have been violated and any other applicable state laws. Both parties will then exchange information and documents as part of the discovery process, which is supervised and overseen by the court. After discovery, both parties can enter into settlement negotiations, if they wish to do so. If a settlement is not reached, then the case will proceed to trial.

How Can I Prevent HIPAA Violations?

The best way to avoid HIPAA violations is to adhere to HIPAA requirements aggressively. That means:

  • Protect access to systems with strong identity and access management (IAM).
  • Encrypt data stored on servers (at rest) and moving between systems (in transit) with strong encryption, including AES-256 encryption for data at rest and TLS 1.2+ for data in transit.
  • Don’t use cleartext communication methods to share PHI (plain email, SMS, etc.).
  • Destroy PHI when it is no longer needed and retention periods have expired. This includes shredding or burning hard copies and destroying or sanitizing hard drives and USB thumb drives.
  • Maintain strong vetting and training processes for employees and third-party Business Associates.
  • Keep up-to-date BAAs for all contractor and vendor relationships.
  • Maintain strong access control systems to avoid accidental disclosure of PHI to internal employees.
  • Secure devices (phones, laptops, tablets) against physical and digital access. Encrypt devices, keep devices locked in secure areas, etc.

Additionally, it’s a good idea to understand the contexts in which you can disclose PHI, as defined in the Privacy Rule:

  • Individuals: You may always disclose PHI to the patient, so long as you do so securely (using encrypted and secure communication systems).
  • Treatment, Payment, and Healthcare Operations: Organizations can disclose PHI internally for treatment, payment, and care purposes. Likewise, the CE may disclose this information to another CE if both organizations have a relationship with that patient.
  • Incidental Risk: If the organization takes all precautions against disclosure and that data is still disclosed to an unauthorized party as part of a legitimate disclosure, then the organization isn’t liable.
  • Public Interest: Several contexts related to the public good allow for disclosure of PHI, including disclosures required by law (court orders, law enforcement, or other statutes), those authorized for public health activities (like a pandemic), reporting abuse or neglect, funeral arrangements, organ donation, workers’ compensation, or research purposes.

HIPAA Infringements Checklist

We have developed this checklist to assist organizations in evaluating their HIPAA compliance and identifying potential infringements. This checklist serves as a valuable tool to assess adherence to HIPAA and proactively address any areas of concern. By reviewing and addressing the items on this checklist, organizations can enhance their data security practices, mitigate risks, and maintain regulatory compliance.

The checklist covers a wide range of HIPAA-related areas, including written policies and procedures, PHI storage, access controls, business associate agreements, privacy notices, individual rights, training and awareness, breach notification, risk assessments, incident response, device and media controls, audit controls, encryption and data security, and documentation retention.

It is important to note that this checklist provides a general overview of potential HIPAA infringements and is not an exhaustive list. Each organization’s circumstances and requirements may vary, and it is recommended to consult healthcare-focused legal experts or HIPAA compliance professionals for a comprehensive assessment tailored to specific organizational needs.

Infringement Type      | Description                                       | Status        | Responsible Party
PHI Breach             | Unauthorized access to patient records            | Open/Resolved | IT Department
Lack of BAA            | Failure to establish Business Associate Agreements | Open/Resolved | Compliance Team
Insufficient Training  | Employees not adequately trained on HIPAA         | Open/Resolved | HR Department
Data Storage Violation | PHI stored on unencrypted devices                 | Open/Resolved | IT Department
Unauthorized Disclosure | PHI shared with unauthorized individuals         | Open/Resolved | Compliance Team
Privacy Notice Issue   | Incomplete or inaccurate privacy notice           | Open/Resolved | Legal Department
Risk Assessment Delay  | Delay in conducting regular risk assessments      | Open/Resolved | Security Department
Improper Disposal      | Failure to properly dispose of PHI                | Open/Resolved | Operations Team
Lack of Encryption     | PHI transmitted without encryption                | Open/Resolved | IT Department
Incident Response Plan | Inadequate or missing incident response plan      | Open/Resolved | Security Department

Protecting PHI and Communicating Effectively With Kiteworks

It’s crucial for organizations that want to avoid HIPAA violations to have the technical infrastructure in place to secure PHI. However, such technology can create challenges when patients expect CEs to communicate with them in the ways they are accustomed to—that is, through email or other messaging systems.

The Kiteworks Private Content Network is a solution that helps enterprises with significant HIPAA requirements meet those requirements without hampering their ability to streamline internal communication and work effectively with patients. After acquiring totemo, Kiteworks implemented a complete network of end-to-end encryption and HIPAA security that can integrate with common productivity and collaboration software.

Strong Encryption

Kiteworks encrypts sensitive content communications with a unique, strong key at the file level and with a different strong key at the disk-level volume. This ensures that each file is double encrypted. Further, file keys, volume keys, and other intermediate keys are encrypted when stored.

Just as importantly, Kiteworks uses a passphrase entered by an administrator to generate a super key used in the encryption of all stored keys—which is only accessible by the Kiteworks customer. Thus, when an administrator rotates the passphrase on a regular basis, as recommended, the process is quick and efficient because only the keys need to be re-encrypted and not all content.
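An added illustration (not Kiteworks’ own code) of why the rotation described above is cheap: a passphrase-derived super key wraps the stored file and volume keys, so rotating the passphrase re-wraps only those keys while the double-encrypted content bytes stay untouched. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the Python standard library; the passphrases, file name and record are constructed.

```python
"""Added illustration of the key hierarchy described above (not Kiteworks code).
A per-file key encrypts content, a volume key encrypts the result, and a super key
derived from the admin passphrase wraps every stored key. The stand-in cipher
(HMAC-SHA256 keystream + HMAC tag) only replaces AES so this runs on the stdlib."""
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, separate subkeys)."""
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(mac_key, nonce + ct, "sha256")


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered blob raises ValueError."""
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.digest(mac_key, nonce + ct, "sha256")):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_super_key(passphrase: str, salt: bytes) -> bytes:
    # Slow, salted derivation so the passphrase itself never acts as a raw key.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, KEY_LEN)


class KeyStore:
    """Persists only wrapped keys and ciphertext; the super key is never stored."""

    def __init__(self, passphrase: str) -> None:
        self.salt = secrets.token_bytes(16)
        super_key = derive_super_key(passphrase, self.salt)
        self.wrapped_volume_key = encrypt(super_key, secrets.token_bytes(KEY_LEN))
        self.files = {}  # name -> (wrapped file key, double-encrypted content)

    def _unlock(self, passphrase: str) -> tuple:
        super_key = derive_super_key(passphrase, self.salt)
        return super_key, decrypt(super_key, self.wrapped_volume_key)

    def store_file(self, passphrase: str, name: str, plaintext: bytes) -> None:
        super_key, volume_key = self._unlock(passphrase)
        file_key = secrets.token_bytes(KEY_LEN)
        # Double encryption: file key on the inside, volume key on the outside.
        content = encrypt(volume_key, encrypt(file_key, plaintext))
        self.files[name] = (encrypt(super_key, file_key), content)

    def read_file(self, passphrase: str, name: str) -> bytes:
        super_key, volume_key = self._unlock(passphrase)
        wrapped_file_key, content = self.files[name]
        return decrypt(decrypt(super_key, wrapped_file_key), decrypt(volume_key, content))

    def rotate_passphrase(self, old: str, new: str) -> int:
        """Re-wrap every stored key under the new super key; content is not touched."""
        old_super, volume_key = self._unlock(old)
        self.salt = secrets.token_bytes(16)
        new_super = derive_super_key(new, self.salt)
        self.wrapped_volume_key = encrypt(new_super, volume_key)
        for name, (wrapped, content) in list(self.files.items()):
            self.files[name] = (encrypt(new_super, decrypt(old_super, wrapped)), content)
        return len(self.files) + 1  # keys re-wrapped: every file key plus the volume key
```

After `rotate_passphrase`, the stored content bytes compare equal to the pre-rotation bytes, reads with the new passphrase succeed, and reads with the old passphrase fail at the tag check rather than returning garbage.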

Compliance Tracking and Reporting

The Kiteworks platform has out-of-the-box compliance reporting for industry and government regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), SOC 2, and General Data Protection Regulation (GDPR).

In addition, Kiteworks touts certification and compliance with various standards that include, but are not limited to, FedRAMP, FIPS (Federal Information Processing Standards), and FISMA (Federal Information Security Management Act).

Likewise, Kiteworks is assessed to IRAP (Information Security Registered Assessors Program) PROTECTED level controls. Additionally, based on a recent assessment, Kiteworks achieves compliance with nearly 89% of Cybersecurity Maturity Model Certification (CMMC) Level 2 practices.

In-depth, Hardened Security

Kiteworks’ unified syslog and alerts merge and standardize entries from all components, saving security operations center teams crucial time while helping compliance teams to prepare for audits. In particular, with the Kiteworks platform’s immutable audit logs, organizations can trust that attacks are detected sooner and maintain the correct chain of evidence to perform forensics.

There are several aspects about the Kiteworks Private Content Network that provide organizations with enhanced security, including:

  • SIEM Integration: Kiteworks supports integration with major security information and event management (SIEM) solutions, including IBM QRadar, ArcSight, FireEye Helix, LogRhythm, and others. It also has the Splunk Forwarder and includes a Splunk App.
  • Visibility and Management: The CISO Dashboard in Kiteworks gives organizations an overview of their information: where it is, who is accessing it, how it is being used, and if data being sent, shared, or transferred complies with regulations and standards. The CISO Dashboard enables business leaders to make informed decisions while providing a detailed view of compliance.
  • Single-tenant Cloud Environment: Secure file sharing, automated file transfers, file storage, and user access occur on a dedicated Kiteworks instance, deployed on-premises, on an organization’s Infrastructure-as-a-Service (IaaS) resources, or hosted by Kiteworks as a private single-tenant instance in the Kiteworks Cloud. This means no shared runtime, shared databases or repositories, or shared resources, and no potential for cross-cloud breaches or attacks.

Discover how Kiteworks supports your HIPAA compliance efforts by requesting a custom demo.
