Violations of patients’ privacy — whether intentional or not — can have serious liability implications for healthcare professionals. And while most of us could never imagine actively doing something unethical to the people we care for, accidents do happen. In fact, between April 2003 and May 2019, there were 38,722 HIPAA-related complaints — and 70 percent of those cases had corrective action taken.
Despite these eye-opening statistics, it’s easy to feel like you’d never find yourself in this position. After all, you chose to work in healthcare because you wanted to take care of people, not violate their trust. But as you’ll see, it’s a whole lot easier to breach patients’ privacy than you might think. In this article, we’ll refresh your memory of what a HIPAA violation is and what the consequences are if you commit one. We’ll also provide you with six real-life case studies to help put it all into context for you.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Passed by Congress in 1996, it’s a federal law that requires healthcare providers and organizations (and their business associates) to develop and follow procedures that ensure the confidentiality and security of patients’ protected health information (PHI). That means protecting everything from the mere fact that a patient goes to a specific doctor to what medications they take.
The HIPAA Journal provides the following definition of PHI:
“Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).”
In other words, HIPAA laws protect a patient’s past, present, and even future health information, such as diagnoses, treatment plans, medical test results, prescriptions, and identification information (e.g., birth dates, demographics, emergency contact information). It’s important to note, though, that information can only be designated as PHI if someone could be directly identified by it. If specific identifiers are removed from the data, the information in question isn’t considered to be PHI.
In plain terms, a HIPAA violation is any action — deliberate or not — that exposes a patient’s PHI to anyone who isn’t directly involved in their care. This could be anything from accessing the records of a patient you’re not caring for (e.g., looking up your family member’s test results) to posting a work selfie on social media and not realizing a patient’s spouse is in the background (thereby making it public knowledge that the patient is receiving care at your hospital). It could also occur if a care provider makes any records or data available for unauthorized individuals to access (e.g., logging into a computer system and then walking away without logging out).
Unfortunately, there are countless ways in which a provider could violate a patient’s privacy. The following is a list of the 10 most common types of HIPAA violations:
At a high level, these are the kinds of consequences you may face if you violate HIPAA:
Ultimately, the consequences you face will depend on the specifics and severity of the violation. When determining the appropriate punishment, the relevant authorities will examine your actions, the motivations behind those actions, what harm (if any) occurred as a result of the violation, and whether criminal charges are necessary.
Both the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general have the authority to issue penalties for HIPAA violations. Violations are classified into four tiered categories, and these tiers determine the severity of the penalties given. For the sake of accuracy, we pulled the definitions for each penalty tier directly from the HIPAA Journal:
Tier 1: “A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.”
Tier 2: “A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of ‘willful neglect’ of HIPAA Rules).”
Tier 3: “A violation suffered as a direct result of ‘willful neglect’ of HIPAA Rules, in cases where an attempt has been made to correct the violation.”
Tier 4: “A violation of HIPAA Rules constituting ‘willful neglect,’ where no attempt has been made to correct the violation.”
The HIPAA fines and punishments for each tier are as follows:
Penalty Tier | Definition | Financial Penalty
---|---|---
Tier 1 | “Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA Rules had been violated.” | $100 – $50,000 per violation; Maximum $25,000 per year |
Tier 2 | “Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.” | $1,000 – $50,000 per violation; Maximum $100,000 per year |
Tier 3 | “Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery.” | $10,000 – $50,000 per violation; Maximum $250,000 per year |
Tier 4 | “Willful neglect of HIPAA Rules and no effort made to correct the violation within 30 days of discovery.” | $50,000 per violation; Maximum $1.5 million per year |
Source: HIPAA Journal. “What Are the Penalties for HIPAA Violations?” (2015)
The Department of Justice is responsible for prosecuting criminal HIPAA violations, as well as determining the amount of jail time and fines the offender will get.
This is the three-tiered structure for criminal penalties:
Penalty Tier | Definition | Criminal Penalty
---|---|---
Tier 1 | “Reasonable cause or no knowledge of violation.” | Up to 1 year in jail |
Tier 2 | “Obtaining PHI under false pretenses.” | Up to 5 years in jail |
Tier 3 | “Obtaining PHI for personal gain or with malicious intent.” | Up to 10 years in jail |
Source: HIPAA Journal. “What Are the Penalties for HIPAA Violations?” (2015)
No matter your profession, specialty, or work setting, any information you learn about a patient while they’re under your care is privileged and confidential, and therefore should absolutely never be shared with anyone.
To give you a better idea of what this can look like in real life, we’ll walk you through six real-life case studies of HIPAA violations committed by healthcare providers.
Perhaps unsurprisingly, social media is rife with opportunities for healthcare professionals to inadvertently violate HIPAA. But the truth is, anything you post on social media is public. It doesn’t matter if you don’t post things while you’re at work, if you feel like you’re being careful, or if you delete the post after the fact. Here are a few real-life examples of healthcare professionals who learned this the hard way.
While privacy might seem like a no-brainer, you must be extremely careful when it comes to protecting the confidentiality of the patients in your facility, even if they’re no longer under your care. It’s important that your entire team — as well as any visiting consultants — understand and diligently follow HIPAA laws. This is particularly true now that smartphones are always in-hand and society is getting more desensitized to personal information shared on social media. And if you need extra information, the U.S. Health and Human Services provides online HIPAA courses and resources to help you stay compliant.
Last updated on Jul 24, 2024.
Originally published on Nov 18, 2019.
The views expressed in this article are those of the author and do not necessarily reflect those of Berxi™ or Berkshire Hathaway Specialty Insurance Company. This article (subject to change without notice) is for informational purposes only, and does not constitute professional advice.