
5 Most Common HIPAA Privacy Violations

The HIPAA Privacy Rule was put in place to give patients the right to access and amend their protected health information, to define appropriate disclosures, and to help reduce fraud, waste and abuse. If your facility and its network aren’t HIPAA compliant, the costs may be significantly higher than the cost of taking action. Penalties can run to millions of dollars in fines and can even include jail time (for example, under HITECH, failing to report a breach affecting more than 500 individuals to HHS).

Image Source: Yuri Samoilov


That’s one risk you just can’t afford to take.

Take a look at these 5 most common HIPAA privacy violations and learn what preventive measures you can take to avoid these violations and their severe penalties.

1. Losing Devices

The biggest problem today is devices with stored patient health information, such as desktop computers, laptops, tablets and smartphones, being stolen or lost. This includes work devices and your own personal devices if you use them to access this information. Mobile devices are the most vulnerable to theft and misplacement because of their smaller size and portability.

Solution: Keep a watchful eye on your devices and keep them locked up when you’re not around. Secure the files on these devices with encryption, and use a cloud hosting solution for remote access so the data does not have to live on the device. Encryption won’t reduce the cost of replacing the device or the time to rebuild/recover the user’s system, but it can remove the need to notify HHS of a breach affecting more than 500 individuals.

2. Getting Hacked

Several healthcare network servers have been hacked over the last few years. These servers hold PHI for hundreds to millions of patients, so when skilled hackers — who are only getting better at what they do — get their hands on them, they leak the information or sell it to the highest bidder. This information includes Social Security numbers, birth dates, addresses and insurance information.

Solution: Take necessary security measures, like encryption and deep-packet inspection firewalls that can block phishing or other malware attacks, to safeguard PHI.

3. Employees Dishonestly Accessing Files

Unfortunately, you can’t trust everyone. An all-too-common HIPAA violation is employees accessing files they’re not supposed to. They do this out of curiosity, spite or because a friend or relative asked them to. No matter the excuse, it’s wrong, but it’s still something that continues to happen.

This problem is amplified when accounts are shared between physicians and their staff. Staff may log in with the physician’s system account, assuming they will not be held accountable for what they do under it (see the Huffington Post article on Kim Kardashian’s fall-out from this type of behavior).

Solution: Establish policies and procedures, backed by annual HIPAA Security training, that enforce unique user IDs. Implement passwords, passcodes, user ID codes and/or clearance levels to discourage employees from accessing patient files they’re not authorized to see.

4. Improper Filing and Disposing of Documents

When using a paper filing system, it’s highly likely there will be some human error: an employee incorrectly files a patient’s record or discards a document without first shredding it. Sometimes people just have a bad day or get distracted. Mistakes happen, but they happen more often with a paper system.

Solution: Establish policies and procedures to ensure any ePHI or PII on paper is locked up at night or stored in secured disposal bins prior to shredding. Switch over to an electronic filing system, or make sure everyone double- and triple-checks that they have correctly filed and disposed of documents.

5. Releasing Patient Information After the Authorization Period Expires

HIPAA authorization forms carry expiration dates. Too many times someone hasn’t paid close enough attention to that date when a request for a release of information comes through, and has ended up sending out the information even though they shouldn’t have. If a request comes in and the authorization is past its expiration date, you must complete a new HIPAA authorization form.

Solution: Verify the expiration dates of HIPAA authorizations before releasing any information, and complete a new form if needed. See HIPAA references: §164.508(a)(1)-(3), §164.508(b)(6), §164.508(c)(1), §164.508(c)(2), §164.530(j).
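An added example (not code from the original post) of the release-of-information check described above: a deny-by-default gate that refuses to disclose PHI when the authorization has expired. It goes slightly beyond the text in also handling the expiration-event form HIPAA permits at §164.508(c)(1)(v) and a written revocation under §164.508(b)(5). The Authorization record, its field names and the sample records are assumptions.

```python
"""Release-of-information gate: check the HIPAA authorization before PHI leaves the facility.

The Authorization record and its fields are assumed for this example. An authorization may
expire on a date or on an event relating to the individual or purpose (45 CFR 164.508(c)(1)(v)),
and the individual may revoke it in writing (164.508(b)(5)), so all three cases are checked.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class Authorization:
    patient_id: str
    recipient: str                            # party the patient authorized to receive the PHI
    expiration_date: Optional[date] = None    # date-based expiration, if any
    expiration_event: Optional[str] = None    # event-based expiration, e.g. "end of research study"
    event_occurred: bool = False              # set by records staff when the named event has happened
    revoked: bool = False                     # written revocation received from the patient


def check_release(auth: Authorization, requester: str, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every denial names a reason for the audit log.

    Assumption: the authorization remains valid through the whole expiration date and lapses
    the day after, so a request dated on the expiration date itself is still honoured.
    """
    if auth.revoked:
        return False, "authorization revoked by the patient"
    if requester != auth.recipient:
        return False, "requester is not the recipient named on the authorization"
    if auth.expiration_date is None and auth.expiration_event is None:
        return False, "authorization has no expiration date or event; form is not valid"
    if auth.expiration_date is not None and today > auth.expiration_date:
        return False, f"authorization expired on {auth.expiration_date}; a new form is required"
    if auth.expiration_event is not None and auth.event_occurred:
        return False, f"authorization ended when '{auth.expiration_event}' occurred"
    return True, "authorization valid; release permitted"


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = Authorization("pt-0001", "Example Specialty Clinic", expiration_date=date(2014, 6, 30))
    for request_day in (date(2014, 6, 30), date(2014, 7, 1)):
        allowed, reason = check_release(sample, "Example Specialty Clinic", request_day)
        print(f"{request_day}: {'RELEASE' if allowed else 'DENY'} ({reason})")
```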

Another preventive measure is performing a HIPAA self-assessment. A self-assessment reveals any high-risk vulnerabilities or gaps in compliance in your facility and network, so you can then create an action plan to remediate those issues.

So now you know the most common HIPAA privacy violations, and you know how to prevent them so you can steer clear of hefty penalties, keep your facility and network HIPAA compliant and protect patient information.

For more information about HIPAA Privacy compliance and risk assessment, please contact us or call 801-770-1199.

The Number of HIPAA Data Breaches Jumps 138 Percent Since 2012

When it comes to HIPAA Security and HIPAA Privacy, the numbers do most of the talking, and according to recent reports, the number of HIPAA data breaches has increased by 138% since 2012.

Another mind-boggling statistic is that 29.2 million patient health records have been compromised in HIPAA data breaches since 2009, according to Redspin, which compiled these numbers in a February 2014 breach report.

But these numbers are skewed, since not all breaches are reported. A breach that involves fewer than 500 people’s health records isn’t required to be publicly reported. Lisa Gallagher, the senior director of privacy and security for HIMSS, said at the 2012 Boston Privacy and Security Forum that it’s more likely that 40-45 million patient health care records have been compromised. While she said that’s a more accurate number, it can’t be confirmed because all the data isn’t there.

Redspin also broke down the causes of HIPAA privacy and security breaches since 2009: 83 percent involved theft, 35 percent theft or loss of encrypted devices, 22 percent unauthorized access and 6 percent hacking. Many of these breaches could have been avoided more easily with consistent risk analysis. Risk analysis failures top the list of the most prevalent security issues for business associates and covered entities, based on complaints received by OCR.

While business associates were involved in most of the larger-scale breaches from 2009-2012, they were involved in only 10 percent in 2013. Business associates and covered entities that violate the HIPAA privacy and security rules can face up to $1.5 million in annual fines under the HIPAA Final Omnibus Rule. Only 17 of the 90,000 HIPAA breach cases received by OCR since 2003 have resulted in fines, but those numbers are expected to go up, especially since the official audit program goes live this year.


WellPoint Agrees To Pay HHS $1.7 Million For Leaving Information Accessible Over Internet

According to the U.S. Department of Health and Human Services (HHS), WellPoint Inc. has agreed to pay $1.7 million to settle potential violations of the HIPAA Security and Privacy rules. You can read more about it here.

HHS hopes that this case and other recent cases send an important message to all HIPAA covered entities: take extreme measures to ensure data privacy and security when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that house consumers’ electronic medical records.

If you are going to implement changes to your information systems and want to make sure you stay compliant and minimize the risk associated with such changes, we recommend you reach out to our HIPAA experts today!