HIPAA Violations: Types, Examples, and Biggest Violations in History

What Is a HIPAA Violation? 

HIPAA, the U.S. Health Insurance Portability and Accountability Act, was enacted in 1996 to protect individuals’ sensitive health information. A HIPAA violation occurs when there is an unpermitted use or disclosure of Protected Health Information (PHI) that compromises the security or privacy of the PHI. As healthcare providers, it’s our responsibility to ensure we’re compliant with these regulations at all times.

HIPAA violations can occur in various ways, and they are not always the result of willful neglect or intentional wrongdoing. They can be as simple as a healthcare worker discussing a patient’s condition with a friend or as complex as a system-wide data breach resulting from a sophisticated cyberattack. Regardless of how they occur, each violation can carry severe penalties depending on its severity, including substantial fines and potential jail time.

This is part of a series of articles about HIPAA compliance.


Types of HIPAA Violations 

4 Levels of HIPAA Violations

HIPAA violations are divided into four levels based on the level of culpability involved: 

  • The first level is when the entity was unaware of the violation and could not have realistically avoided it. 
  • The second level involves a violation that the entity should have been aware of but could not have avoided even with a reasonable amount of care. 
  • The third level is a violation that the entity willfully neglected, but corrected in a timely manner. 
  • The fourth and highest level includes violations that the entity willfully neglected and did not correct in a timely manner.

Each of these levels corresponds to a different penalty amount, which can range from $100 to $1.5 million per violation. The severity of the penalty often depends on the level of negligence involved and the harm done to the patient or patients affected.

Civil vs. Criminal Violations

In some cases, HIPAA violations can result in criminal charges. This typically occurs when the violation is particularly egregious, and the person responsible acted knowingly and with harmful intent. Criminal violations of HIPAA can result in fines and imprisonment, with penalties ranging from $50,000 and one year in prison to $250,000 and up to 10 years in prison.

Civil violations of HIPAA are far more common. These involve unintentional breaches of privacy, such as when a healthcare provider accidentally discloses PHI or fails to adequately protect it. While these violations typically don’t involve malicious intent, they can still result in significant fines.

Breach Notifications

When a breach of PHI (Protected Health Information) occurs, HIPAA mandates specific procedures for notifying the affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media. A breach is defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. 

There are several types of notifications:

  • Notification to individuals: Covered entities must notify affected individuals without unreasonable delay, and in no case later than 60 days following the discovery of a breach. This notification must include a description of what happened, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing to investigate and mitigate harm, and contact information for further inquiries.
  • Notification to HHS: For breaches affecting fewer than 500 individuals, covered entities must maintain a log and annually submit it to the HHS. For breaches impacting 500 or more individuals, entities must notify the HHS at the same time as they notify the individuals, preferably via the HHS website.
  • Notification to the media: In cases where a breach affects more than 500 residents of a state or jurisdiction, the covered entity must also provide notice to prominent media outlets serving that state or jurisdiction. This requirement is intended to disseminate information about the breach more widely to ensure that individuals who might have been affected but are unaware of the breach can take protective measures.

Examples of HIPAA Violations You Should Avoid 

Impermissible Disclosures of Protected Health Information (PHI)

PHI, or Protected Health Information, is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. One of the most common HIPAA violations involves the impermissible disclosure of PHI. This usually occurs when healthcare providers or their associates disclose PHI without the patient’s authorization or for non-health-related purposes.

These impermissible disclosures could happen intentionally or unintentionally. For instance, they can occur when a medical practitioner talks about a patient’s condition in a public area, or when a staff member loses documents containing PHI. Even a simple act such as sending an email containing PHI to the wrong recipient can lead to a violation.

Unauthorized Access to PHI

Another common HIPAA violation is unauthorized access to PHI. This violation often occurs when healthcare professionals access patient information unnecessarily or for personal reasons, despite being aware that such actions are against the law.

An example of unauthorized access could be a hospital worker viewing a celebrity’s medical records out of curiosity, or a medical professional checking a family member’s health record without their consent. The potential harm to the patient in such cases is significant, as it could lead to identity theft, discrimination, or other forms of harm.

Lack of Tools and Processes to Safeguard PHI

HIPAA requires healthcare providers to implement adequate safeguards to protect PHI. This includes the use of secure communication channels, encryption of electronic PHI, and proper disposal of PHI. Lack of these tools and processes can lead to HIPAA violations.

One common example of this violation is the use of unsecured networks or applications that transmit PHI. Healthcare providers or insurers may also fail to use encryption tools to secure PHI at both ends of a transaction, leaving it vulnerable to unauthorized access. On the physical side, improper disposal of PHI, such as not shredding documents containing PHI before throwing them away, can also lead to violations. This can happen to non-healthcare companies as well as to healthcare providers and insurers.

Failing to Enter into a HIPAA-Compliant Business Associate Agreement

Healthcare providers often work with business associates, who perform services on their behalf involving PHI. HIPAA requires that healthcare providers enter into a HIPAA-compliant Business Associate Agreement (BAA) with these entities. A BAA ensures that business associates understand their responsibilities under HIPAA and agree to comply with its requirements.

Failure to have a proper BAA in place can result in a HIPAA violation. This violation commonly occurs when healthcare providers neglect to sign a BAA with a business associate, or when the BAA does not fully comply with HIPAA requirements.

Not Providing Patients Access to Their Health Information

HIPAA gives patients the right to access their health information. A common HIPAA violation occurs when healthcare providers fail to provide patients with this access. This could be due to lack of knowledge about HIPAA requirements, or intentional denial of access to discourage patients from seeking care elsewhere.

Improper Disclosures to Employers

HIPAA also protects against improper disclosures of PHI to employers. Healthcare providers cannot share PHI with employers without the patient’s explicit authorization. Violations can happen when healthcare providers disclose PHI to employers for reasons unrelated to workers’ compensation or other work-related benefits.


The Biggest HIPAA Violations and Fines 

To illustrate the risk of HIPAA violations and the need for comprehensive compliance measures, here are some of the biggest HIPAA violations in recent years.

Anthem

Anthem, one of the largest health insurance companies in the US, experienced a massive data breach in 2015. The breach affected nearly 79 million people, exposing their names, Social Security numbers, and other personal information. This resulted in Anthem being fined a record $16 million by the Office for Civil Rights (OCR) for multiple HIPAA violations.

Memorial Healthcare System (MHS)

In 2012, MHS had a data breach which resulted in unauthorized access to PHI of 115,143 individuals. The breach occurred when former employees retained access to PHI after their employment had ended. The lack of access control and failure to regularly review records resulted in a $5.5 million fine.
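The control that was missing in this case is a periodic access review that reconciles HR terminations against who is still reading PHI. The following is an added example, not code from the article or from the MHS case, that runs over a constructed termination list and a constructed access log and flags accounts that kept working after the employee left:

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not records from the MHS case: HR termination
# dates by user id, and PHI access-log entries (user, access date, record id).
TERMINATIONS = {
    "jdoe": date(2012, 1, 15),
    "asmith": date(2012, 2, 1),
}

ACCESS_LOG = [
    ("jdoe", date(2012, 1, 10), "P-1001"),    # before termination: expected
    ("jdoe", date(2012, 3, 2), "P-2044"),     # after termination: should have been revoked
    ("jdoe", date(2012, 3, 5), "P-2051"),
    ("asmith", date(2012, 2, 20), "P-3099"),  # after termination
    ("bwong", date(2012, 2, 20), "P-3099"),   # still employed: not flagged
]


def orphaned_accesses(terminations, access_log):
    """Return log entries where a terminated user accessed PHI after their
    termination date, i.e. access that deprovisioning should have removed."""
    return [
        (user, when, record)
        for user, when, record in access_log
        if user in terminations and when > terminations[user]
    ]


def review_report(terminations, access_log):
    """Summarise orphaned access per user for a periodic access review:
    how many post-termination accesses occurred and how long the account
    stayed usable after the termination date."""
    report = defaultdict(lambda: {"accesses": 0, "days_open": 0})
    for user, when, _ in orphaned_accesses(terminations, access_log):
        entry = report[user]
        entry["accesses"] += 1
        entry["days_open"] = max(entry["days_open"],
                                 (when - terminations[user]).days)
    return dict(report)


if __name__ == "__main__":
    for user, summary in review_report(TERMINATIONS, ACCESS_LOG).items():
        print(f"{user}: {summary['accesses']} PHI accesses up to "
              f"{summary['days_open']} days after termination")
```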

NY-Presbyterian Hospital and Columbia University Medical Center

In 2010, the two entities were fined a total of $4.8 million after the electronic protected health information (ePHI) of 6,800 individuals was inadvertently disclosed due to the deactivation of a personal server. The OCR determined that neither entity had conducted an accurate and thorough risk analysis that could have identified the server as a risk.

Advocate Health Care (AHC)

AHC settled multiple potential HIPAA violations in 2016 with a payment of $5.55 million. These violations included lack of risk analysis, failure to implement policies and procedures, and failure to enter into a Business Associate Agreement.

Cignet Health

Cignet Health was fined $4.3 million in 2010 for denying 41 patients access to their medical records and then failing to cooperate with OCR’s investigations into the complaints.



HIPAA Compliance with Exabeam

Noncompliance with HIPAA can result in heavy fines from OCR and other consequences. When patch management, access controls, and monitoring are not fully implemented with the right solution stack, it leaves the organization vulnerable to ransomware and other attack vectors that can impact patient care. 

Exabeam Security Operations Platform telemetry combines logs with context, security intelligence feeds, and AI analysis to identify anomalous behaviors that indicate potential attacks. Pre-built dashboards make HIPAA compliance reporting easier. Whether you are using a framework like NIST or MITRE ATT&CK, Exabeam offers a clear path to track your compliance and governance reporting needs, while also establishing what normal looks like in your environment and for every entity that logs in. 

The Outcomes Navigator offers continuous visualization of, and insight into, your detection coverage and the improvements made. It suggests improvements in log parsing, shows which sources and detections are most effective against which parts of the ATT&CK framework, and shows which use cases are most indicative of network penetration, persistence, and lateral movement.

For more info, visit the Exabeam Compliance page.