
A HIPAA violation is any unauthorized access to, use of, or disclosure of protected health information (PHI) that breaches the confidentiality, integrity, or availability of that information, as defined by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Common types of HIPAA violations include but are not restricted to:

  1. Unauthorized access: Accessing PHI without a legitimate need or proper authorization
  2. Improper disclosure: Sharing PHI with individuals or entities not permitted to receive it
  3. Inadequate security measures: Neglecting to implement adequate safeguards to protect PHI, such as encryption or physical security
  4. Lost or stolen devices: Allowing devices containing PHI to be misplaced or stolen without providing appropriate protection measures
  5. Failure to provide required notifications: Not informing the affected individuals or the Department of Health and Human Services (HHS) about breaches of PHI as required

HIPAA law aims to modernize healthcare information management in the digital age without compromising on the security and privacy of patient information. It establishes patient data privacy requirements through three primary rules:

  1. The Privacy Rule: Governs the use and disclosure of PHI
  2. The Security Rule: Requires security measures to protect electronic PHI (ePHI)
  3. The Breach Notification Rule: Mandates the reporting of breaches involving PHI

HIPAA goes even further and establishes how organizations will be dealt with should they fail to comply with the rules above. These enforcement requirements are furnished in the HIPAA Enforcement Rule.

Furthermore, a critical piece of legislation called the HITECH Act was enacted to bolster the Enforcement Rule by mandating more frequent audits of entities that have breached ePHI or are reported to be in willful neglect of HIPAA rules. It also asserted the need for the adoption and meaningful use of electronic health records (EHRs) in the healthcare system. It achieved this through financial incentives to encourage healthcare facilities to transition to EHR.

The HITECH Act also introduced penalty tiers that determine fines based on the culpability of the covered entity or its associates as another way to strengthen the Enforcement Rule. This compels covered entities to be mindful and discreet about the sharing of ePHI. These HIPAA fines are adjusted each year to account for inflation.

Below is the HIPAA penalty structure for 2024.

The HIPAA penalty structure in 2024 (all amounts inflation adjusted)

| Penalty tier | Culpability | Minimum penalty per violation | Maximum penalty per violation | Maximum penalty per year (cap) |
|---|---|---|---|---|
| Tier 1 | Lack of knowledge | $137 | $68,928 | $2,067,813 |
| Tier 2 | Reasonable cause | $1,379 | $68,928 | $2,067,813 |
| Tier 3 | Willful neglect | $13,785 | $68,928 | $2,067,813 |
| Tier 4 | Willful neglect not corrected within 30 days | $68,928 | $2,067,813 | $2,067,813 |

The HITECH Act also dictates these fines, which are adjusted annually to account for inflation and ensure they remain a significant deterrent to noncompliance.

Note: In real-life cases, sometimes penalties can exceed the maximum caps due to negotiations, civil litigation lawsuits, and additional penalties imposed by state laws.

Understanding HIPAA violations through real-life cases

We'll now look at some real-life examples of HIPAA violations and what the consequences of these violations were for the entities involved.

Note: This section cites information about real-life HIPAA violations published in The HIPAA Journal.

Tier 1: Lack of knowledge
  • In 2022, a physical therapy clinic mistakenly emailed patient information to the wrong recipient. HHS found the clinic unaware of the HIPAA violation and imposed a tier 1 penalty of $10,000 to settle the case. The clinic had to implement a corrective action plan to improve HIPAA compliance training for staff.
Tier 2: Reasonable cause
  • In 2021, a social worker at a hospital disclosed a patient's HIV status to a third party without authorization. The hospital argued it was done to prevent harm to the third party, but HHS deemed it a violation. However, due to the social worker's intent to help, a tier 2 penalty of $25,000 was imposed. The hospital also had to implement a corrective action plan.
Tier 3: Willful neglect
  • In 2017, a large hospital chain experienced a data breach when a hacker gained access to an unencrypted server containing patient information. The investigation revealed that the hospital had failed to implement proper security measures for ePHI. However, upon discovering the breach, the hospital promptly took corrective actions, including notifying the affected patients, improving security protocols, and conducting employee training. HHS acknowledged the corrective efforts and imposed a tier 3 penalty of $3.5 million.
Tier 4: Willful neglect not corrected within 30 days
  • In 2016, a health insurance company allowed a third-party vendor access to its servers for several months without a proper Business Associate Agreement in place. The vendor's security measures were also inadequate, leaving patient data vulnerable. HHS determined that the company knew about these deficiencies but failed to take corrective action, resulting in a prolonged exposure of PHI. Because of the willful neglect and lack of correction, HHS imposed a hefty tier 4 penalty of $4.1 million (reduced from an initial penalty of $16 million).

There is a nuanced difference between willful neglect (a tier 3 violation) and willful neglect not corrected within 30 days (a tier 4 violation). The examples above highlight the key differences between tier 3 and tier 4 violations, which are the:

  • Response to the violation: In the tier 3 violation, the hospital chain took swift action to address the security lapses after the breach. In the tier 4 violation, the insurance company failed to take corrective measures despite knowing about the vulnerabilities.
  • Severity of the consequences: While both cases involved data breaches, the tier 4 case exposed the data of a larger number of patients for a longer duration due to the prolonged lack of action.

Understanding the ambiguity that arises in specific cases

While the examples above show you real-life cases of HIPAA violations and the penalties incurred, let's also go over a few examples of cases that are ambiguous in nature and thus would require deeper investigation and discernment by HHS.

1. Ambiguous disclosure for safety purposes
  • Scenario: A therapist treating a patient with a history of violence believed the patient posed a threat to a specific person. The therapist disclosed the patient's name and the details about the threat to the potential victim. This is a violation on the surface because it involved disclosing PHI to a third party without authorization.
  • Reasoning: HIPAA allows for the disclosure of PHI under special circumstances, which can include protecting public safety. In this case, there's an argument to be made that the therapist acted to prevent harm. HHS would likely consider the severity of the threat, the details disclosed, and whether there were less privacy-invasive ways to achieve the same outcome. The outcome could depend on whether the therapist documented the reason for the disclosure clearly and reported it to HHS as required.
  • Possible resolution: While disclosing PHI without consent is a violation, HHS would consider the potential harm of the patient's threat. If the therapist documented the threat, reported the disclosure to HHS, and there were no other options to protect the potential victim, HHS might rule it a reasonable cause violation with a tier 2 penalty. The final rulings for such scenarios are ultimately based on the appeals made by the covered entity to prove the need for the disclosure as well as how HHS interprets the situation.
2. Sharing de-identified data for research
  • Scenario: A hospital shared patient data with researchers but removed all personal identifiers (a process called de-identification) to comply with HIPAA. However, some researchers argued that certain data points, even when de-identified, could still be used to re-identify patients in the dataset.
  • Reasoning: HIPAA allows for sharing de-identified data for research purposes. The ambiguity lies in what constitutes true de-identification. HHS provides guidance, but it's not always a black-and-white decision. Factors like the size of the dataset, the specific data elements involved, and the potential risk of re-identification are all considered. Hospitals and researchers may consult with privacy experts or HHS to determine if their de-identification process is sufficient.
  • Possible resolution: HIPAA encourages research, and de-identification is a key element. HHS would likely provide guidance to the hospital on strengthening its de-identification process to minimize risks. Unless there was evidence that the hospital knowingly shared identifiable data, a penalty wouldn't be likely.
3. An employee snooping on patient records
  • Scenario: An employee at a doctor's office accessed patient records out of curiosity and not for any treatment or job-related reason. This is a clear violation of HIPAA, but the employee might argue they didn't steal or use the information for personal gain.
  • Reasoning: The severity of the penalty here depends on the employee's intent and actions. If it was a one-time lapse in judgment, and the employee didn't share the information, HHS might impose a low tier 1 penalty with mandatory training. However, if the investigation finds that the employee was browsing multiple records or looking for specific information about someone, it could be a more serious violation with a steeper penalty.
  • Possible resolution: Snooping on patient records is a violation, but the severity depends on the details. If it was a single incident, and the employee didn't share the information, HHS might impose a tier 1 penalty with mandatory training. However, if the employee looked at many records or searched for specific information, it suggests a more serious violation and could lead to a tier 2 penalty.

The fictional scenarios above are examples of unauthorized access to or disclosure of ePHI for very individual reasons and would require proper reporting by the entities involved for them to stay on the safe side of the law.

What to do when you receive a HIPAA complaint

Here's what to do if you receive a complaint stating that your organization has breached HIPAA compliance law:

1. Acknowledge the complaint
  • Thank the complainant for bringing the issue to your attention.
  • Gather basic details about the complaint: the nature of the alleged violation, date(s) of the incident, and any affected individuals (if known).
  • Assure the complainant that all complaints are taken seriously and investigated thoroughly.
2. Initiate an internal investigation
  • Assemble a team with the relevant expertise (legal, IT, privacy, etc.) depending on the nature of the complaint.
  • Review the policies, procedures, and training materials related to the alleged violation.
  • Interview the staff members involved and review any available documentation (access logs, emails, etc.).
  • Keep a detailed record of the investigation, including your findings and corrective actions.
3. Determine the validity of the complaint
  • Assess if a HIPAA violation occurred based on your investigation's findings.
  • Consider the severity of the violation, the potential harm to individuals, and the level of culpability.
4. Communicate your findings and resolve the issue
  • Inform the complainant of the investigation's outcome in a timely manner.
  • If a violation is found, explain the corrective actions being taken to address the issue. This may include retraining staff, updating policies, or implementing new safeguards.
  • If no violation is found, provide a clear explanation to the complainant.
5. Follow reporting requirements
  • Depending on the nature of the violation and the number of individuals affected, you may be required to report the incident to HHS.
  • Consult with legal counsel to determine if a report is necessary.
6. Take preventative measures
  • Review the findings of the investigation to identify any weaknesses in your HIPAA compliance procedures.
  • Take corrective actions to prevent this incident from happening again.
  • Offer additional training to your staff to reinforce HIPAA regulations and best practices.

How to report a breach when you discover it

We strongly recommend that you, as a covered entity or an associate handling ePHI, conduct your own assessments to check your compliance with HIPAA requirements. If you find that data has been breached, here's what to do and how to report it in time:

1. Assess the breach
  • Evaluate the severity: Determine the number of individuals potentially affected by the breach. HIPAA breach notification requirements depend on the breach's severity, defined as affecting either:
    • Fewer than 500 individuals (a low impact): You may need to report the breach to HHS unless you can justify a low probability of harm.
    • More than 500 individuals (an uncovered breach): You are required to report the breach to HHS no later than 60 days after discovering it.
  • Gather details: Collect as much information as possible about the breach, including:
    • The nature of the breach (e.g., a lost laptop or unauthorized access).
    • The type of PHI involved.
    • The time frame of the breach.
    • The steps you've taken to mitigate the risks.
2. Follow reporting methods

There are three primary ways to report a HIPAA breach or violation to HHS:

  • The HIPAA breach reporting portal: This is the preferred method and allows for the electronic submission of breach information.
  • Fax: Submit a completed breach notification form by fax to the appropriate HHS regional office. You can find the contact information for regional offices here:
  • Mail: Send a completed breach notification form by mail to the HHS Office for Civil Rights. The mailing address is available on the HHS website.
3. Send breach notifications to the affected individuals
4. Take corrective actions
  • Investigate the root cause of the breach and take corrective actions to prevent similar incidents in the future. This might involve:
    • Improving data security measures.
    • Enhancing employee training on HIPAA compliance.
    • Reviewing and updating policies and procedures.

Want simplified HIPAA compliance? Consider using Log360, a comprehensive SIEM solution with reports tailored to specific HIPAA requirements. Try a free demo of our product.
