The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places restrictions on the transfer of sensitive patient information. This is an important way that patients’ privacy and assets are protected within the healthcare industry. However, there are exceptions to personal privacy rules. For example, in the case of minors, a parent or guardian acts as a personal representative and can typically access the minor’s records and make decisions on their behalf. While HIPAA is comprehensive in terms of its protections, what is and is not protected by HIPAA is a common source of misunderstanding.
What Is a HIPAA Violation?
A HIPAA violation is an action taken by a “covered entity” that breaks the guidelines set by HIPAA and may constitute grounds for penalties to be applied. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is the agency that oversees and enforces the HIPAA Privacy and Security Rules. The penalty will be determined based on the severity of the breach.
What Does PHI Mean?
Protected Health Information (PHI) refers to the type of information that is protected under HIPAA. Examples of PHI include:
- Billing Information: This is all personal information related to billing, such as insurance information.
- Biometric Data: This is all unique identifying information related to biometrics, such as fingerprints and voiceprints.
- Contact Information: This is all personal identifying information that allows providers to contact you, such as phone numbers and emails.
- Device Identifiers: This is all identifying information unique to personal devices, such as serial numbers.
- Identifiable Imagery: This is all imagery on record that can help identify a patient, such as photographs.
- Other Identifiers: This is various personal identifying information such as your name and address.
- IP Addresses: These are the unique identifying numbers assigned to devices connected to the internet, and these addresses may sometimes be attached to patient medical records.
- Medical Records: These are records of a patient’s history and medical information, such as test results and treatment plans.
While these records are typically automatically protected under HIPAA, a patient can choose to authorize a provider to share the information. This requires written consent, usually with a HIPAA release form, which can be requested through your healthcare provider or insurance company. This permission can also be revoked. There are several reasons someone may authorize access to their protected health information, such as release to an attorney for a lawsuit, involvement of family support in treatment, or use of information in research materials.
Examples of HIPAA Violations and Breaches of PHI
There are many ways that HIPAA can be violated by covered entities, and therefore this is not an exhaustive list. However, this list will illustrate some common ways that HIPAA is breached. Examples of HIPAA violations include:
- Accessing PHI without authorization: A common example of this is a healthcare employee accessing records without express permission or reason. This may be malicious snooping or just a result of poor training and ignorance of compliance standards. For example, families must be authorized to access resident information in behavioral health programs.
- Failing to encrypt PHI: All PHI should be properly encrypted, and secure methods should be used to store and transfer this information. This type of breach may result from issues such as improper vetting of third-party cybersecurity providers or failure to patch cybersecurity software.
- Improperly identifying and preparing for risks: Any entity managing PHI should regularly conduct risk assessments, prepare to prevent these risks, and develop an emergency response plan. Improper procedural development is a common cause of poor risk management.
- Denying patients access to their records: Patients should always have access to their own PHI. Poor access control or “information blocking” can account for this type of violation.
- Failing to promptly notify affected individuals about a breach: Covered entities must notify affected individuals within 60 days. Each affected individual must be notified individually and without unreasonable delay.
- Disposing of PHI improperly: PHI should be disposed of once it is no longer needed for healthcare reasons and the specified retention period has passed. Improper disposal may involve failure to fully shred paper documents so they are unreadable or failure to use effective data disposal software.
- Sharing PHI through insecure means: Covered entities must take reasonable precautions to prevent the interception of PHI as it is transferred. This type of violation may involve negligent actions such as failure to use an encrypted email service or transfer of documents over an insecure platform.
- Purposely exposing PHI: For a variety of reasons, bad actors may choose to purposely expose PHI. For example, a bad actor may choose to snoop through health information and post their findings on social media to damage the reputation of the patient.
On the part of providers, HIPAA violations can be avoided with a strong system of procedures, thorough employee training, client education, and the use of tools such as EHRs and EMRs to maintain compliance. Some EHRs may even be specialized for different aspects of patient care, such as behavioral health and addiction treatment. If a patient believes that protected health information was exposed in breach of HIPAA, the first thing they should do is report the suspected violation.
How To Report a HIPAA Violation
You can report a suspected violation of your PHI or someone else’s through the OCR, which investigates such complaints. You can file a complaint through mail, email, fax or the OCR’s Complaint Portal online, although the OCR recommends using the online portal due to limited onsite personnel.
In order to file a complaint, you will need to name the entity that you believe violated HIPAA guidelines within 180 days of the violation coming to your attention, although you can file for an extension if there is deemed to be “good cause” for the delay. You will need to detail the circumstances of the potential violation or violations and provide your name and contact information.
While you cannot directly sue an entity through HIPAA, it may still be advisable to contact an attorney to help you navigate the process, as state laws may vary on patient privacy. OCR estimates that the typical investigation takes approximately 180 days to complete, after which the entity — if found in breach of HIPAA regulations — will be expected to take corrective action and come to an appropriate settlement.
HIPAA Violation Penalties
There is a tiered system that outlines the penalties applied for a breach under HIPAA. However, enforcement and penalties change over time, and therefore penalties are subject to change. For civil violations, there are four tiers for penalties:
- Tier 1 (Unknowing): The entity was unaware of the violation and could not have reasonably known through due diligence. As of 2024, fines for this tier fell between $141 and $71,162 for each violation with a cap of $2,134,831 per year.
- Tier 2 (Reasonable Cause): The breach was not caused through willful neglect, but the entity could have become aware of the violation through due diligence. As of 2024, fines for this tier fell between $1,424 and $71,162 for each violation with a cap of $2,134,831 per year.
- Tier 3 (Willful Neglect - Corrected): The entity was found to be guilty of willful neglect but the violation was corrected within 30 days. As of 2024, fines for this tier fell between $14,232 and $71,162 for each violation with a cap of $2,134,831 per year.
- Tier 4 (Willful Neglect - Not Corrected): The entity was found to be guilty of willful neglect and did not correct the violation within 30 days. As of 2024, fines for this tier fell between $71,162 and $2,134,831 for each violation with a cap of $2,134,831 per year.
While the OCR established January 15, 2025 as its date to set adjustments to these penalties according to inflation (the 2025 multiplier being 1.02598), it has historically missed this deadline by a substantial margin, often several months, and has had even further delays in applying the adjustment. In the case where grounds for a criminal case are found, the OCR may refer the case to the Department of Justice (DOJ).