Healthcare Cybersecurity

HIPAA Rules on Contingency Planning

Posted by HIPAA Journal

In its March 2018 cybersecurity newsletter, OCR explained HIPAA Rules on contingency planning and urged healthcare organizations to plan for emergencies to ensure a return to normal operations can be achieved in the shortest possible time frame.

A contingency plan is required to ensure that when disaster strikes, organizations know exactly what steps must be taken and in what order.

Contingency plans should cover all types of emergencies, such as natural disasters, fires, vandalism, system failures, cyberattacks, and ransomware incidents. The steps that must be taken for each scenario could well be different, especially in the case of cyberattacks vs. natural disasters. The plan should incorporate procedures to follow for specific types of disasters.

Contingency planning is not simply a best practice. It is a requirement of the HIPAA Security Rule. Contingency planning should not be considered a onetime checkbox item necessary for HIPAA compliance. It should be an ongoing process with plans regularly checked, updated, and tested to ensure any deficiencies are identified and addressed.

What are the HIPAA Rules on Contingency Planning?

HIPAA Rules on contingency planning are concerned with ensuring healthcare organizations return to normal operations as quickly as possible and the confidentiality, integrity, and availability of PHI is safeguarded.

HIPAA Rules on contingency planning can be found in the Security Rule administrative safeguards -45 CFR § 164.308(a)(7)(ii)(A-E).

  • Develop and Implement a Data Backup Plan – 308(a)(7)(ii)(A)
  • Develop a Disaster Recovery Plan – 308(a)(7)(ii)(B)
  • Develop and Emergency Mode Operation Plan – 308(a)(7)(ii)(C)
  • Develop and Implement Procedures for Testing and Revision of Contingency Plans – 308(a)(7)(ii)(D)
  • Perform an Application and Data Criticality Analysis – 308(a)(7)(ii)(E)

A data backup plan ensures that when disaster strikes, PHI is not lost or destroyed. A viable copy of all ePHI must be created that allows exact copies of ePHI to be restored, which includes all forms of ePHI such as medical records, diagnostic images, test results, case management information, and accounting systems.  It is a good best practice to adopt a 3-2-1 approach for backups: Create three copies of data, store them on at least two different media, and have one copy stored securely offsite. Backups must also be tested to ensure the recovery of data is possible.

A disaster recovery plan should establish the procedures that must be followed to restore access to data, including how files should be restored from backups. A copy of the plan should be readily available and stored in more than one location.

The emergency mode operation plan must ensure critical business processes continue to maintain the security of ePHI when operating in emergency mode, for example when there is a technical failure or power outage.

All elements of the contingency plan must be regularly tested and revised as necessary. OCR recommends conducting scenario-based walkthroughs and live tests of the complete plan.

Covered entities should “assess the relative criticality of specific applications and data in support of other contingency plan components.” All software applications that are used to store, maintain, or transmit ePHI must be assessed to determine the level of criticality to business functions as it will be necessary to prioritize each when data is restored.

Summary of Key Elements of Contingency Planning

OCR has provided a summary of the key elements of contingency planning:

  • The primary goal is to maintain critical operations and minimize loss.
  • Define time periods – What must be done during the first hour, day, or week?
  • Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?
  • Ensure the contingency plan can be understood by all types of employees.
  • Communicate and share the plan and roles and responsibilities with the organization.
  • Establish a testing schedule for the plan to identify gaps.
  • Ensure updates for plan effectiveness and increase organizational awareness.
  • Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

The post HIPAA Rules on Contingency Planning appeared first on HIPAA Journal.

Healthcare Data Breach Statistics

Posted by HIPAA Journal

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2017 there have been 2,181 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 176,709,305 healthcare records.  That equates to more than 50% of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Healthcare data breaches 2019-2017

Healthcare Records Exposed by Year

While there has been a general upward trend in the number of records exposed each year, there was a massive improvement in 2017 – the best year since 2012 in terms of the number of records exposed. However, while breaches were smaller in 2017, it was a record breaking year in terms of the number of healthcare data breaches reported – 359 incidents.

Records Exposed in Healthcare data breaches

Average/Median Healthcare Data Breach Size by Year

Average Size of Healthcare Data Breaches

 

Median Size of Healthcare Data Breaches

 

Largest Healthcare Data Breaches (2009-2017)

Rank Year Entity Entity Type Records Exposed/Stolen Cause of Breach
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2011 Science Applications International Corporation Business Associate 4900000 Loss
5 2014 Community Health Systems Professional Services Corporation Business Associate 4500000 Theft
6 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
7 2013 Advocate Medical Group Healthcare Provider 4029530 Theft
8 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
9 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
10 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
11 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
12 2014 Xerox State Healthcare, LLC Business Associate 2000000 Unauthorized Access/Disclosure
13 2011 IBM Business Associate 1900000 Unknown
14 2011 GRM Information Management Services Business Associate 1700000 Theft
15 2010 AvMed, Inc. Health Plan 1220000 Theft
16 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
17 2014 Montana Department of Public Health & Human Services Health Plan 1062509 Hacking/IT Incident
18 2011 The Nemours Foundation Healthcare Provider 1055489 Loss
19 2010 BlueCross BlueShield of Tennessee, Inc. Health Plan 1023209 Theft
20 2011 Sutter Medical Foundation Healthcare Provider 943434 Theft

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although healthcare organizations are now much better at detecting breaches when they do occur. The low hacking/IT incidents in the earlier years is likely to be due, in part, to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents in 2014-2017 occurred many months, and in come cases years, before they were detected.

Healthcare Data Breaches - Hacking

 

Records Exposed in Healthcare Data Breaches - Hacking

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are in close second.

Healthcare Data Breaches - unauthorized access/disclosures

 

records exposed in authorized access/disclosures

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public.

healthcare theft/loss data breaches

 

records exposed by healthcare theft/loss data breaches

Improper Disposal of PHI/ePHI by Year

healthcare data breaches - improper disposal incidents

 

records exposed in healthcare improper disposal incidents

 

Breaches by Entity Type

Year Provider Health Plan Business Associate Other Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 137 20 42 1 200
2012 155 22 36 4 217
2013 199 18 56 5 278
2014 202 71 41 0 314
2015 196 62 11 0 269
2016 257 51 19 0 327
2017 288 52 19 0 359
Total 1582 318 271 10 2181

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe with multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

Penalty Structure for HIPAA Violations

OCR Settlements and Fines Over the Years

The data for the healthcare data breach statistics on fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, there has been a steady increase in HIPAA enforcement over the past 9 years.

HIPAA Fines and Settlements 2008-2017

 

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.

HIPAA Fine and Settlement Amounts 2008-2017

 

average HIPAA Fines and Settlements 2008-2017

 

Median HIPAA Fines and Settlements 2008-2017

As the graphs above show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases. 2018 is likely to see fewer fines for HIPAA covered entities than the past two years, although settlement amounts are likely to remain high and even increase in 2018.OCR Director Roger Severino has indicated financial penalties are most likely to be pursued for particularly egregious HIPAA violations.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.

 

Year State Covered Entity Amount Individuals affected Settlement/CMP Reason
2018 NY EmblemHealth $575,000 81,122 Settlement Mailing error
2018 NY Aetna $1,150,000 12,000 Settlement Mailing error
2017 CA Cottage Health System $2,000,000 More than 54,000 Settlement Failure to adequately protect medical records
2017 MA Multi-State Billing Services $100,000 2,600 Settlement Theft of unencrypted laptop containing PHI
2017 NJ Horizon Healthcare Services Inc., $1,100,000 3.7 million Settlement Loss of unencrypted laptop computers
2017 VT SAManage USA, Inc. $264,000 660 Settlement Spreadsheet indexed by search engines and PHI viewable
2017 NY CoPilot Provider Support Services, Inc $130,000 221,178 Settlement Delayed breach notification
2015 NY University of Rochester Medical Center $15,000 3,403 Settlement List of patients provided to nurse who took it to a new employer
2015 CT Hartford Hospital/ EMC Corporation $90,000 8,883 Settlement Theft of unencrypted laptop containing PHI
2014 MA Women & Infants Hospital of Rhode Island $150,000 12,000 Settlement Loss of backup tapes containing PHI
2014 MA Boston Children’s Hospital $40,000 2,159 Settlement Loss of laptop containing PHI
2014 MA Beth Israel Deaconess Medical Center $100,000 3,796 Settlement Loss of laptop containing PHI
2013 MA Goldthwait Associates $140,000 67,000 Settlement Improper disposal
2012 MN Accretive Health $2,500,000 24,000 Settlement Mishandling of PHI
2012 MA South Shore Hospital $750,000 800,000 Settlement Loss of backup tapes containing PHI
2011 VT Health Net Inc. $55,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications
2011 IN WellPoint Inc. $100,000 32,000 Settlement Failure to report breach in a reasonable timeframe
2010 CT Health Net Inc. $250,000 1,500,000 Settlement Loss of unencrypted hard drive/delayed breach notifications

The post Healthcare Data Breach Statistics appeared first on HIPAA Journal.

Analysis of February 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches.

Healthcare Data Breaches by Month

While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Records exposed in Healthcare Data Breaches

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident Network Server
Tufts Associated Health Maintenance Organization, Inc. Health Plan 70,320 Unauthorized Access/Disclosure Paper/Films
Triple-S Advantage, Inc. Health Plan 36,305 Unauthorized Access/Disclosure Paper/Films
CarePlus Health Plan Health Plan 11,248 Unauthorized Access/Disclosure Paper/Films
Union Lake Supermarket, LLC Healthcare Provider 9,956 Improper Disposal Other Portable Electronic Device

The top five data breaches were responsible for 85% of all exposed healthcare records in February. The largest data breach – a malware-related incident at St. Peter’s Surgery & Endoscopy Center – accounted for 43.6% of the exposed healthcare records in February.

Main Causes of February 2018 Healthcare Data Breaches

Unauthorized access/disclosures topped the list of the main causes of healthcare data breaches in February 2018 with 12 incidents and included three of the most serious breaches. Hacking incidents were in close second with 9 breaches, followed by three loss/theft incidents and one case of improper disposal of ePHI.

Causes of February 2018 Healthcare Data Breaches

Records Exposed by Breach Type

Hacking/IT incidents were the second biggest cause of healthcare data breaches in February, but the incidents resulted in the exposure/theft of the largest amount of healthcare data.

Records Exposed by Breach Type

Location of Breached Records

Overall, there were more breaches involving electronic health data than physical records, although breaches involving paper/films were the most numerous with 6 incidents. The breach reports show that while technological controls are essential to prevent hacks and unauthorized access/disclosures of electronic records, physical security is important for paper records and administrative safeguards are necessary to prevent unauthorized access. All six of the breaches involving paper/films were unauthorized access/disclosures.

Location of breached healthcare records (February 2018)

Data Breaches by Covered Entity

Healthcare providers were the worst affected by data breaches in February with 15 incidents (reported by 14 healthcare providers). There were three breaches reported by pharmacies in February. 8 data breaches were reported by 7 health plans and two security incidents were reported by business associates.

Data Breaches by Covered Entity (February 2018)

Healthcare provider breaches exposed the most health records in February. 168,732 records were exposed by healthcare providers. The mean breach size was 11,248 records and the median breach size was 1,670 records.

Health plans experienced fewer breaches, but the incidents were more severe. 133,580 records were exposed by health plans. The mean breach size was 16,698 records and the median breach size was 6,075 records. The mean and median breach size for business associate data breaches was 3,234 records.

Records exposed by covered entity (February 2018)

February 2018 Healthcare Data Breaches by State

Healthcare organizations based in 18 states reported data breaches in February 2018. There were six states that experienced 2 data breaches– Alabama, California, Massachusetts, Mississippi, Rhode Island, and Wisconsin.

Arkansas, Connecticut, Illinois, Kentucky, Maine, Michigan, Missouri, North Carolina, New Jersey, New York, Tennessee, and Virginia each had one data breach reported.

Financial Penalties for HIPAA Covered Entities in February 2018

The Office for Civil Rights settled one HIPAA violation case in February. Filefax Inc, agreed to settle potential HIPAA violations with OCR for $100,000. The financial penalty sent a message to HIPAA-covered entities and their business associates that HIPAA responsibilities do not end when a business ceases trading. The fine relates to HIPAA violations that occurred after the business closed – the improper disposal of paperwork containing protected health information.

The post Analysis of February 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare

Posted by HIPAA Journal

Anomali has partnered with the National Health Information Sharing and Analysis Center (NH-ISAC) and will be providing threat intelligence to healthcare organizations through NH-ISAC. Anomali will be providing NH-ISAC with the required tools and infrastructure to allow its members to collaborate and share threat intelligence with other members.

Anomali will be providing up to date threat intelligence on new and current external threats specific to the healthcare industry allowing NH-ISAC members to take proactive steps to minimize risk. Anomali’s early warning system helps healthcare organizations respond to threats quickly when suspicious activity is detected on a network.

NH-ISAC members include hospitals, health insurers, medical research institutions, pharma companies, ambulatory providers, medical device manufacturers and other healthcare stakeholders. NH-ISAC community members help each other use physical and cyber threat intelligence to inform security decisions and mitigate threats.

The new collaboration between NH-ISAC and Anomali will help empower the healthcare community to identify and respond to cyber threats. Anomali provides actionable threat intelligence that can be consumed by healthcare organizations and used to compliment internal security threat monitoring programs

The Anomali platform automates collection, normalization, and integration of threat intelligence from a wide range of different sources. The platform allows seamless collaboration with peers in other organizations through Anomali Trusted Circles and gives healthcare organizations complete visibility into attacks that threaten the confidentiality of protected health information and the security of the networks on which the information is stored. A threat detection by one member helps other organizations take preventative steps to block attacks before they occur.

“Sharing threat intelligence among member firms is one of the most essential services of any ISAC. The NH-ISAC Board is pleased with the opportunity to work with the Threatstream platform to enhance threat intelligence sharing for the healthcare sector,” said Jim Routh, NH-ISAC board member.

The post NH-ISAC Partnership with Anomali Helps Accelerate Threat Detection and Information Sharing in Healthcare appeared first on HIPAA Journal.

OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain

Posted by HIPAA Journal

The Department of Health and Human Services’ Office of Inspector General has published the findings of its 2017 fiscal review of HHS compliance with the Federal Information Security Modernization Act of 2014.

The FISMA compliance review revealed the HSS is continuing to make improvements to its information security program, although OIG identified several areas of weakness. The findings from the latest FISMA compliance review highlighted similar vulnerabilities and weaknesses to the review conducted for fiscal 2016.

A department-wide Continuous Diagnostics and Mitigation (CDM) program is being developed by the HHS which will allow it to monitor its networks, information systems, and personnel activity and information security programs have been strengthened since the review was last conducted. However, OIG identified several areas where improvements could be made. Weaknesses and vulnerabilities were found in HHS risk management, identity and access management, configuration management, security training, incident response, contingency planning and information security continuous monitoring.

There were several areas of concern in configuration management. At all four of the operational divisions (OPDIVs) there were instances of noncompliance with configuration management policies and procedures. OIG identified failures to ensure all software was up to date and patches were applied promptly and vulnerability scans using Security Content Automation Protocol (SCAP) tools were missed. OIG also found some operating systems in use that were not supported by the vendors. At some OPDIVs, configuration management personnel were not tracking the approvals, testing results, and migration dates within change management tracking tools.

Weaknesses were found in the detect function, the purpose of which is to develop and implement appropriate activities to identify the occurrence of cybersecurity events.

Training issues were identified with some OPDIVs having failed to train all staff, including new recruits. While the number of employees that had not been sufficiently trained was low, those individuals pose a considerable risk to the security of HHS systems and network. Two OPDIVs were not effectively tracking the security training status of personnel and contractors.

Risk management issues were identified at some of the operating divisions, with risk management policies and procedures not yet finalized. OIG also reports that some OPDIVs could not provide a list of all devices and software used on the network, and neither were they able to provide details of unauthorized software used on the network.

Issues with identity and access management included account management procedures not always being followed, including the monitoring and maintenance of shared accounts. There were failures to remove inactive accounts and enforce resets of active account passwords, and to disable accounts in a timely manner when employees were transferred or terminated.

The flaws and weaknesses identified in the report are common across the entire healthcare industry. The HHS’ Office for Civil Rights has fined HIPAA covered entities for similar flaws to those identified by OIG.

OIG has made several recommendations to the HSS to improve security, processes and procedures to further reduce risk and ensure compliance with FISMA. The HHS concurred with all of OIG’s recommendations and will work at implementing further controls and updating its policies and procedures accordingly.

The post OIG FISMA Compliance Review of HHS Shows Improvements Made but Vulnerabilities Remain appeared first on HIPAA Journal.

Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year

Posted by HIPAA Journal

A recent Ponemon Institute survey has revealed 62% of healthcare organizations have experienced a data breach in the past 12 months. More than half of those organizations experienced data loss as a result.

The Merlin International sponsored survey was conducted on 627 healthcare industry leaders from hospitals and payer organizations. 67% of respondents worked in hospitals with 100-500 beds and had an estimated 10,000 to 100,000 networked devices.

Last year more than 5 million healthcare records were exposed or stolen, and the healthcare was the second most targeted industry behind the business sector. 2017 was the fourth consecutive year that the healthcare industry has been second for data breaches and there are no signs that cyberattacks are likely to reduce over the coming year.

Even though there is a high probability of experiencing a cyberattack, 51% of surveyed organizations have yet to implement an incident response program. This lack of preparedness can hamper recovery if a cyberattack is experienced. As the Cost of a Data Breach Study by the Ponemon Institute showed, a fast response to a data breach can limit the harm caused to breach victims and reduce the cost of mitigating such an attack. Respondents reported that the cost of mitigating an attack and dealing with the fallout from a network compromise was approximately $4 million.

When asked about the biggest threats to their organization and the types of attack that caused the most concern there was little to choose between internal and external threats, which were rated as a top concern by 64% and 63% of respondents respectively. The main perceived targets for hackers were electronic medical records (77%), patient billing information (56%), login credentials (54%), other authentication credentials (49%), and research information (45%).

The methods used to gain access to networks and data were highly varied. The main method of attack was the exploitation of software and operating system vulnerabilities and the use of malware. 71% of respondents said vulnerabilities were exploited while 69% said attacks involved the use of malware. 37% of organizations had experienced ransomware attacks.

The security of medical devices is a major concern, especially since they are a blind spot in many organizations. 65% of respondents said medical devices were not included in their overall cybersecurity strategy or they didn’t know if they were. 31% of respondents said they did not have any plans to include medical devices in their cybersecurity strategies in the near future.

The HHS’ Office for Civil Rights has raised awareness of the need to provide ongoing security awareness training to staff and companies such as Cofense have published data to show how security awareness training and phishing simulations can greatly reduce susceptibility to phishing attacks. However, many healthcare organizations are not heeding that advice and are not providing training regularly. Many healthcare organizations are still only providing security awareness training to employees annually. It is therefore unsurprising that 52% of respondents said a lack of employee security awareness was hampering their ability to improve their security posture.

74% believed the biggest obstacle preventing them from improving security was staffing issues and 60% said they do not have staff with the right cybersecurity qualifications in-house. 51% of respondents said that have not yet appointed a Chief Information Security Officer (CISO).

The post Survey Reveals 62% of Healthcare Organizations Have Experienced a Data Breach in the Past Year appeared first on HIPAA Journal.

What is a HIPAA Violation?

Posted by HIPAA Journal

A HIPAA violation refers to the failure to comply with HIPAA rules, which can include unauthorized access, use, or disclosure of Protected Health Information (PHI), failure to provide patients with access to their PHI, lack of safeguards to protect PHI, failure to conduct regular risk assessments, or insufficient employee training on HIPAA rules. To best answer the question what is a HIPAA violation, it is necessary to explain what HIPAA is, who it applies to, and what the definition of a HIPAA violation is; for although most people believe they know what a HIPAA compliance violation is, evidence suggests otherwise.

In this article we provide a detailed explanation of HIPAA violations.

Ten Most Common HIPAA ViolationsYou can also use the article in conjunction with our HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use the form on this page to arrange your free copy of the checklist.

Summary Of Article Contents

HIPAA Violation Misunderstandings

The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action.

According to the most recent update, the HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary.

However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity did not violate HIPAA rules. Additionally, in nearly 14,000 cases in which reviews were carried out, no violation of HIPAA was found.

While these statistics imply more than two-thirds of people do not understand what is a HIPAA violation, it is important to put the statistics into context as they only relate to complaints received by the HHS and do reflect complaints made directly to Covered Entities and State Attorney Generals by patients, plan members, and members of the workforce.. Nonetheless, it may be important for some to review their interpretation of what constitutes a violation.

What is HIPAA and Who Does It Apply To?

What is a HIPAA violationThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced primarily to ensure employees could maintain healthcare coverage between jobs and not be discriminated against for pre-existing conditions. To prevent insurance carriers passing on the cost of compliance to plan members and employers, Congress added a second Title to the Act to simplify the administration of healthcare, eliminate wastage, and prevent healthcare fraud.

Since the passage of HIPAA, most of the regulatory activity has revolved around the Administrative Simplification provisions in 45 CFR Parts 160,162, and 164. These “Parts” include the General HIPAA Provisions, the Transaction and Code Sets Rules, and – most importantly in the context of what is a HIPAA violation – the publication of the Privacy Rule, the Security Rule, and Breach Notification Rule.

The failure to comply with any Standards in these Rules is considered a violation of HIPAA – even if no harm has resulted. For example, one of the most common types of complaint relates to the failure to provide patients with copies of their PHI on request. Examples of other types of HIPAA violations are provided below along with the penalties that may be applied when a violation of HIPAA occurs.

The Standards apply to Covered Entities and Business Associates. Covered Entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards. Most healthcare providers qualify as a Covered Entity, but it is important to be aware that some are exempted.

Business Associates are businesses with whom a Covered Entity shares PHI to help carry out its healthcare activities and functions. Since the publication of the Final Omnibus Rule in 2013, Business Associates have had the same requirements as Covered Entities to comply with the Privacy, Security, and Breach Notification Rules as found in 45 CFR Parts 160, 162, and 164.

What is a PHI Violation?

Violations of HIPAA involving the unauthorized disclosure of PHI beyond the permitted uses and disclosures are the most common type of HIPAA violation. PHI violations can range from providing more information than the minimum necessary to achieve the purpose of an allowable disclosure to the hacking of an unencrypted database that exposes the PHI of thousands of patients.

To avoid a PHI violation, Covered Entities and Business Associates not only need to implement the safeguards stipulated by the Privacy and Security Rules, but also ensure appropriate policies and procedures are in place to minimize the risk of a PHI violation. Members of each entity´s workforce also need to be trained on the policies and procedures and the sanctions for non-compliance.

Other Types of HIPAA Law Violation

One frequent misunderstanding about HIPAA is that a violation is only a violation when it involves authorized uses and disclosures of PHI. However, there are many other ways in which a Covered Entity or Business Associate can violate HIPAA. For example, failing to train members of the workforce on policies and procedures or failing to document the training.

It is also a HIPAA law violation to withhold the details of a breach from the individuals affected by the breach, the HHS´ Office for Civil Rights, and – in certain circumstances – from the media. In recent years, several fines have been issued for HIPAA law violations attributable to non-compliance with the Breach Notification Rule or for failing to comply with the Rule in the time allowed.

Further HIPAA Violation Examples

In addition to the examples previously mentioned, there are many more ways in which Covered Entities and Business Associates can violate HIPAA. Below we list a selection of further HIPAA violation examples:

  • Impermissible disclosures of PHI
  • Improper disposal of PHI
  • Failure to conduct a risk analysis
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant Business Associate Agreement prior to sharing PHI
  • Failure to provide patients with an accounting of disclosures on request
  • Failure to implement access controls to limit who can view PHI
  • Failure to terminate access rights to PHI when no longer required
  • Failure to provide security awareness training
  • Unauthorized release of PHI to individuals not authorized to receive the information
  • Sharing of PHI online or via social media without permission
  • Mishandling and mis-mailing PHI
  • Texting unencrypted PHI
  • Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure

It is important that anybody with access to PHI in an organization is provided with HIPAA training that explains what is a HIPAA violation and that all members of a Covered Entity´s or Business Associate´s workforce are provided with security awareness training regardless of their role.

How are HIPAA Violations Uncovered?

What is a HIPAA compliance ViolationMany HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all Covered Entities that report breaches of more than 500 records, conducts investigations into certain smaller breaches, and periodically audits HIPAA-covered entities and business associates.

State attorneys general also have the power to investigate breaches, and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.

What are the Penalties for Violations of HIPAA Rules?

The penalties for violations of HIPAA rules are dependent on the nature of the violation, the level of culpability, how much harm was caused by the violation, and the efforts made by the Covered Entity or Business Associate to mitigate the breach or its impact. In most cases, the penalties consist of a Corrective Action Plan, but the OCR has the power to impose substantial financial penalties.

State attorneys general also have the power to investigate breaches, and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received. These are in addition to any penalties for violations of HIPAA rules that are issued by individual states when data breaches violate state privacy and security rules.

HIPAA Violation Categories

There are four HIPAA violation categories. Each has a minimum and maximum “limit” within which OCR can impose financial penalties depending on the level of culpability. Two of the HIPAA violation categories are designated for Covered Entities and Business Associates that can demonstrate reasonable due diligence, whereas the other two are for entities guilty of willful neglect.

Category 1 – Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Category 2 – Reasonable cause that the Covered Entity/Business Associate knew about – or should have known about – the violation by exercising reasonable due diligence.

Category 3 – Willful neglect of the HIPAA Rules with the violation corrected and the consequences mitigated within thirty days of discovery.

Category 4 – Willful neglect of the HIPAA Rules and no effort made to correct the violation or mitigate the consequences within thirty days of discovery.

HIPAA Violation Penalties

Originally, the financial HIPAA violation penalties were modest and did not act as an appropriate deterrent to prevent HIPAA-covered entities from violating the HIPAA Rules. They were significantly increased in the HITECH Act of 2009; and, since 2015, they have been adjusted for inflation annually. The table below shows the HIPAA violation penalties for 2023 and includes the maximum an entity can be fined for multiple instances of the same violation. The cost-of-living adjustment multiplier is expected to be set by the Office of Management and Budget (OMB) by January 15, 2023.

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit 
Tier 1 Reasonable Efforts $137 $68,928 $2,067,813
Tier 2 Lack of Oversight $1,379 $68,928 $2,067,813
Tier 3 Neglect – Rectified within 30 days $13,785 $68,928 $2,067,813
Tier 4 Neglect – Not Rectified within 30 days $68,928 $2,067,813 $2,067,813

OCR Reinterprets HITECH Act Penalty Increases

As the above table shows, the maximum penalty per year is the same in all four penalty tiers, which may seem odd. In 2019, the HHS reexamined the text of the HITECH Act and determined that the language had been misinterpreted with respect to the penalty amounts, and OCR determined that the maximum penalty per year should be reduced in three of the four penalty tiers, and set the annual cap at $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1,500,000 for tier 4.

These new maximum penalties have not been made official, as that requires further rulemaking. While that does appear to be the intention of the HHS, this has currently been addressed through a notice of enforcement discretion, which applies indefinitely until the change to the penalty structure is made official. There is still a discrepancy between the maximum penalty per violation in tier 1, which is double that of the annual cap, which will no doubt be clarified in further rulemaking. Adjusted for inflation, the new penalty amounts for 2023, for cases assessed on or after October 6, 2023, are detailed in the table below.

Annual Penalty Limit  Annual Penalty Limit  Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit 
Tier 1 Lack of Knowledge $137 $34,464 $34,464
Tier 2 Reasonable Cause  $1,379 $68,928 $137,886
Tier 3 Willful Neglect $13,785 $68,928 $344,638
Tier 4 Willful neglect (not corrected within 30 days $68,928 $68,928 $2,067,813

Recognized Security Practices

In 2021, the HITECH Act was amended to encourage HIPAA-regulated entities to adopt ´recognized security practices` to better protect healthcare data from unauthorized access. If those security practices have been adopted and have been in place continuously for 12 months, they will be considered by OCR when deciding on financial penalties and other actions in response to data incidents. HIPAA-regulated entities that adopt recognized security practices will not avoid financial penalties for HIPAA Security Rule violations, but they will be considered as a mitigating factor and will see any financial penalties reduced. By adopting recognized security practices, HIPAA-regulated entities will also be subjected to less extensive audits and investigations.

FAQs

How can you tell if an organization is in violation of HIPAA?

It is not always easy to tell if an organization is in violation of HIPAA if, as a health plan member or patient, you are unfamiliar with your rights or the permissible uses and disclosures of PHI. In most cases, individuals are not aware that an organization has been in violation of HIPAA until they receive a breach notification letter. However, if you are unsure about whether an organization is in violation of HIPAA, there are several steps you can take.

Health plan members and patients who believe their privacy may have been violated should, in the first instance, file a complaint with the organization concerned. The organization should acknowledge the complaint and respond with either an explanation of why your privacy was not violated or – if it was – an explanation of what the organization is doing to rectify the cause of the violation.

Complaints can also be filed with the HHS’ Office for Civil Rights or your state´s Attorney General. These agencies have the authority to review complaints against HIPAA covered entities and business associates; and, although it may take longer to get a reply, HHS´ Office for Civil Rights and state Attorneys General can thoroughly investigate if an organization is in violation of HIPAA and take action accordingly.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment is generally regarded to be a review of potential threats, and a risk analysis a calculation of how likely the threats are to occur. There is a lack of clarity in HIPAA about the difference between a risk assessment and a risk analysis inasmuch as the risk analysis section of the Security Rule (45 CFR § 164.308(a)) states:

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate – i.e., the Rule requires an analysis of risks, but doesn´t elaborate on the analysis process.

Who can violate HIPAA?

Anyone covered by the HIPAA regulations can violate HIPAA. However, there has been some confusion – especially during the COVID-19 pandemic – about who exactly is covered by HIPAA. Entities required to comply with HIPAA are health plans, healthcare clearinghouses, and healthcare organizations that engage in qualifying electronic transactions (most now do). Business Associates and contractors with who PHI is shared can also violate HIPAA.

The requirement to comply with HIPAA regulations also applies to all workforces of a Covered Entity, Business Associate, or contractor. HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.

When potential risks and vulnerabilities are identified, what happens next?

When potential risks and vulnerabilities are identified, covered entities and business associates are required to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In order to determine what constitutes a “reasonable and appropriate level”, organizations should take into account (per 45 CFR § 164.306(b)):

  • The size, complexity, and capabilities of the organization
  • The organization´s technical infrastructure, hardware, and software security capabilities
  • The cost of reasonable and appropriate security measures
  • The probability and criticality of potential risks to the integrity of ePHI

What does the “criticality of potential risks” mean?

The term criticality of potential risks refers to the scale of injury that might be caused by a HIPAA violation. For example, a cloud storage volume – containing the payment details and Social Security numbers of thousands of patients – left open to the public Internet has the potential to cause more injury than two nurses discussing the treatment options for patient A within earshot of patient B.

What is the HIPAA Law?

The term HIPAA Law refers to all five Titles of the Healthcare Insurance Portability and Accountability Act. The relevant Title for organizations in the healthcare industry is Title II – “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform” – as this is the section which led to the HIPAA Privacy, Security, and Breach Notification Rules.

What is considered a HIPAA violation?

A HIPAA violation is considered to be non-compliance with any “required” standard or any “addressable” standard for which an equally effective substitute has not been implemented, or a documented reason exists for the standard not to be implemented. An example of non-compliance with a required standard is failing to provide security awareness training to all members of the workforce regardless of their role.

Can a non-medical person violate HIPAA?

A non-medical person can violate because HIPAA applies to covered entities and business associates, and their workforces. Therefore, if a non-medical member of the workforce (such as a member of the IT team) disclosed PHI without authorization, they would be in violation of HIPAA – although it would be their employer who would have to notify the affected individual and report the disclosure to HHS´ Office for Civil Rights.

What are HIPAA violations?

HIPAA violations (in the plural) are a series of violations often attributable to the failure of a Covered Entity to monitor compliance with policies and procedures. There have been cases in which non-compliant short-cuts have been taken by employees “to get the job done”, and when shortcuts are unchecked, they can develop into a cultural norm of non-compliance.

Who can violate HIPAA laws?

Nobody can violate HIPAA laws, although there are many exceptions to HIPAA which mean covered entities and business associates do not have to comply with HIPAA in every circumstance. For example, under the Military Command Exception, healthcare professionals in the military are allowed to disclose PHI without the patient´s authorization in order to report on the patient´s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

What constitutes a HIPAA violation?

What constitutes a HIPAA violation is usually defined as any violation of the Privacy, Security, or Breach Notification Rules. Some violations – such as “incidental uses and disclosures” – would not generally result in financial penalties. Members of the workforce who violate HIPAA in this way are likely to be required to undergo further training.

What are the 3 types of HIPAA violations?

The 3 types of HIPAA violations are administrative, civil, and criminal violations. Most administrative HIPAA violations are investigated by the Centers for Medicare and Medicaid Services (CMS), while civil HIPAA violations are investigated by the HHS´ Office for Civil Rights (OCR). If the Office for Civil Rights investigates a case with possible criminal motives, the case is referred to the Department of Justice for investigation.

What violates HIPAA according to CMS?

What violates HIPAA according to CMS is the failure to comply with the Administrative Requirements (Part 162 of the Administrative Simplification Regulations). The Administrative Requirements cover the code sets and identifiers Covered Entities or Business Associates acting on their behalf must use when conducting transactions for which HHS has published standards. Although CMS has the authority to issue fines for non-compliance, to date, administrative HIPAA violations have been resolved by corrective actions, not financial penalties.

What counts as a HIPAA violation according to the FTC?

Nothing counts as a HIPAA violation according to the FTC. However, while the Federal Trade Commission (FTC) is not concerned with HIPAA enforcement, the agency does enforce the Federal Trade Commission Act, which has a Health Data Breach Rule that allows the FTC to pursue financial penalties for failures to issue breach notifications by vendors of personal health records and related entities not covered by HIPAA. In 2023, the FTC imposed its first financial penalty for failing to notify individuals about the impermissible disclosure of consumers’ health data to third parties, after a vendor promised such information would be kept private.

What is not a HIPAA violation?

The list of alleged violations that are not a HIPAA violation is very long indeed. More than two-thirds of complaints received by HHS´ Office for Civil Rights (OCR) alleging HIPAA violations are rejected after review because the complaints are made against organizations that are not subject to the HIPAA Rules or do not relate to an impermissible use or disclosure of Protected Health Information.

Can HIPAA violations be criminal?

A HIPAA violation can be criminal when an individual knowingly and wrongfully uses or discloses PHI in violation of §1320d-6 of the Social Security Act. Violations of this nature are most often referred to the Department of Justice, who has the authority to impose fines of up to $250,000 and pursue custodial sentences of up to ten years.

Does HIPAA apply to everyone?

HIPAA applies to everyone who is a member of a group health plan or who is a patient of a healthcare provider that qualifies as a covered entity inasmuch as it protects the privacy of these peoples´ individually identifiable health information and ensures the confidentiality, integrity, and availability of these peoples´ electronic Protected Health Information.

With regards to complying with the HIPAA Rules, HIPAA does not apply to everyone. Only “covered entities” and “business associates” with whom Protected Health Information is shared are required to comply with the HIPAA Rules. Members of the workforce for both types of organization have to comply with the policies and procedures developed by their employers to comply with HIPAA.

Can a patient violate HIPAA?

A patient cannot violate HIPAA because they do not qualify as a HIPAA covered entity, a business associate to a covered entity, or a member of the workforce. Even if a patient is employed by the hospital at which they are a patient, they cannot violate HIPAA because an employee is only a member of a covered entity´s workforce while “in the performance of work […] under the control of such covered entity”.

How do you report a HIPAA violation?

How you report a HIPAA violation can vary depending on whether you are a patient or group plan member, or a member of a covered entity´s or business associate´s workforce. If you are a patient or group plan member, you have the options of reporting a HIPAA violation to the Privacy Office where the violation occurred, to your state Attorney General, or to HHS´ Office for Civil Rights.

If you are a member of a covered entity´s or business associate´s workforce, who you report a HIPAA violation to may be determined by the content of your employment contract (i.e., an immediate supervisor). In the event of there being no reporting policy in the employment contract, your options are the same as a patient or group plan member.

What is the penalty for a HIPAA violation?

The penalty for a HIPAA violation depends on the nature of the violation, it´s consequences, the previous compliance history of the perpetrator, and whether the perpetrator is an organization or a member of an organization´s workforce.

If an organization, a minor HIPAA violation with minimal consequences will likely be resolved by technical assistance or a corrective action plan. If the violation is more serious, impacts thousands of individuals, and is a repeat offense, the likely penalty will be a civil monetary penalty.

If you are a member of an organization´s workforce, the penalty will depend on your employer´s sanctions policy. A minor violation may result in a verbal warning, while a more serious violation may result in a written warning – or, if a repeated serious violation, termination of employment.

What are the HIPAA violation categories?

The HIPAA violation categories are administrative violations, civil violations, and criminal violations. An example of an administrative violation would be to use the wrong codes on a claims transaction, while an example of a civil HIPAA violation would be to deny a patient access to a copy of their Protected Health Information (data breaches also fall into the category of civil HIPAA violations).

A criminal HIPAA violation is when a covered entity, business associate, or a member of either´s workforce has wrongfully and knowingly accessed, obtained, or transmitted Protected Health Information without authorization for a purpose prohibited by §1320d-6 of the Social Security Act. Criminal violations of HIPAA can incur substantial fines and jail sentences.

Is a HIPAA violation a felony?

A HIPAA violation is not a felony unless it involves the knowing and willful disclosure of PHI under false pretenses and/or to sell, transfer, or use the PHI for personal gain, malicious harm, or commercial advantage. These violations were classified as felonies in an opinion published by the Attorney General´s Office of Legal Counsel in 2005.

Can a family member violate HIPAA?

A family cannot violate HIPAA because family members are not required to comply with HIPAA. However, if a family member is employed at (for example) a hospital as a member of a covered entity´s workforce; and, while performing their role as a member of a covered entity´s workforce, accesses the medical history of a patient without authorization, this is a violation of HIPAA.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation can vary depending on who you report it to. Usually there are three options – to a Privacy Officer, to a State Attorney General, or to HHS´ Office for Civil Rights. Privacy Officers and State Attorney General can set their own time limits for how long you have to report a HIPAA violation. HHS´ Office for Civil Rights only accepts reports for 180 days after the date on which the violation was discovered.

What are the consequences of violating HIPAA?

The consequences of violating HIPAA depend on the nature of the violation, the impact the violation has, the violator´s previous compliance history, and whether the violator is an organization or a member of an organization´s workforce.

If an organization violates HIPAA, the consequences can range from voluntary compliance to technical assistance, to a corrective action plan, to a fine. Comparatively few violations of HIPAA result in a fine. Most are resolved by voluntary compliance and technical assistance.

If a member of an organization´s workforce violates HIPAA, the consequences will be determined by the organization´s HIPAA sanctions policy. These can range from a verbal warning to retraining, to a written warning, to termination of employment and possible loss of license.

My HIPAA rights were violated. Who do I complain to?

If your HIPAA rights were violated, you should complain to the Privacy Officer at the organization where your rights were violated. The contact details of the Privacy Office are on the Notice of Privacy Practices given to you when you first enrolled as a patient of a healthcare provider or as a member of a group health plan.

If you fail to obtain a satisfactory explanation of why your HIPAA rights were violated and what the organization is doing to prevent a repeat, you can complain to HHS´ Office for Civil Rights via the complaints portal. However, please note you only have 180 days from the date your HIPAA rights were violated to file your complaint.

Is violating HIPAA illegal?

Violating HIPAA is not illegal unless it involves one of the three offences that qualify as a misdemeanor or felony under §1320d-6 of the Social Security Act. All three offences relate to the knowing and wrongful disclosure of PHI, and it is rare these offenses occur. Therefore, practically all violations of HIPAA are civil violations.

What are 3 common HIPAA violations?

The 3 most common HIPAA violations according to HHS´ Enforcement Highlights report are impermissible uses and disclosures of PHI, a lack of safeguards for PHI, and the lack of patient access to PHI. Strictly speaking, these are the 3 most common alleged HIPAA violations; but it is highly likely the majority of allegations in each category are justified.

What happens if a doctor violates HIPAA?

What happens if a doctor violates HIPAA depends on whether the doctor is a covered entity, a member of a covered entity´s workforce, or a business associate providing a service on behalf of a covered entity.

With regards to the doctor being a covered entity, it is important to be aware not all healthcare provides qualify as covered entities. Those that do not qualify as a covered entity are not required to comply with HIPAA unless they provide a service for a covered entity as a business associate.

If a doctor is a covered entity in their own right (i.e., a solo practitioner), if HHS´ Office for Civil Rights investigates and identifies a compliance issue, it will usually attempt to resolve the issue with voluntary compliance or technical assistance. If the violation is serious – or the doctor has a history of non-compliance – the agency may impose a corrective action plan or civil monetary penalty.

If the doctor is a member of a covered entity´s workforce, the likely consequences of a minor HIPAA violation is a verbal warning and refresher training. However, if the doctor has a history of non-compliance, the warning could be written, and – if the violation is repeated – the covered entity could terminate the doctor´s employment and refer them to a medical licensing board.

A doctor that does not qualify as a covered entity but provides a service on behalf of a covered entity will only be required to comply with some standards of the Privacy Rule (usually determined by the content of the Business Associate Agreement). If the doctor violates a HIPAA standard they are required to comply with, the incident should be reported to the covered entity, who will investigate the violation or refer it to HHS´ Office for Civil Rights.

What is the penalty for violating HIPAA laws?

The penalty for violating HIPAA laws can depend on multiple factors. These include – but are not limited to – who committed the violation, what the consequences of the violation were, and the previous compliance history of the person or organization that violated HIPAA.

If, for example, a member of a covered entity´s workforce accidently revealed more than the minimum necessary PHI with limited consequences and it was their first violation, the penalty will likely be a verbal warning and possible a session of refresher training.

At the other end of the scale, if an organization with a poor compliance history is responsible for the knowing disclosure of PHI for commercial advantage, it could face multimillion dollar fines from HHS´ Office for Civil Rights, State Attorneys General, and the Department of Justice – who could also pursue a criminal conviction against the perpetrators with a potential jail term of up to ten years.

How does a HIPAA Privacy Rule violation differ from a HIPAA Security Rule violation?

A HIPAA Privacy Rule violation differs from a HIPAA Security Rule violation inasmuch as the objectives of the Privacy Rule are to protect the privacy of individually identifiable health information and give individuals rights over their health information, while the objective of the Security Rule is to ensure the confidentiality, integrity, and confidentiality of electronic Protected Health Information – which is a subset of individually identifiable health information.

Consequently, a HIPAA Privacy Rule violation is most likely to be the violation of a standard relating to permissible uses and disclosures of Protected Health Information or the failure to allow individuals to exercise their rights, whereas a HIPAA Security Rule violation is most likely to the violation of a standard relating to an Administrative, Physical, or Technology Safeguard – for example, the failure to prevent members of the workforce sharing login credentials.

Can I get fired for an accidental HIPAA violation?

You can get fired for an accidental HIPAA violation if, as a member of a covered entity´s or business associate´s workforce – you have a previous history of accidental HIPAA violations with significant consequences. However, unless your first accidental HIPAA violation had particularly significant consequences, and your employer´s sanctions policy included being fired for a first offense, you will likely be sanctioned with a verbal or written warning and required to take refresher HIPAA training.

How long does a HIPAA violation investigation take?

How long a HIPAA violation investigation takes can depend on a number of factors. If, for example, a healthcare worker has accidently violated a Privacy Rule standard and the consequences were minimal, a HIPAA violation investigation may take less than thirty minutes. However, if an investigation into a data breach by HHS´ Office for Civil Rights uncovers non-compliance in multiple areas, a HIPAA investigation could take months to conclude.

Can you sue for a HIPAA violation?

You cannot sue for a HIPAA violation under HIPAA laws because the regulations do not provide for a private right of action. However, if you have suffered harm as the consequence of a HIPAA violation, there may be other consumer protection or privacy laws you may be able to use to sue for a HIPAA violation against a negligent covered entity or business associate. Ideally, you should seek advice from a legal expert who is familiar with the laws in your state.

Do I need an attorney to report a HIPAA violation?

You do not need an attorney to report a HIPAA violation because the process for filing a complaint via the OCR complaints portal is straightforward. However, if you wish to pursue a civil claim for a violation of your privacy rights, it may be a good idea to speak with a HIPAA violation attorney before filing your complaint as HIPAA does not provide for a private right of action.

The post What is a HIPAA Violation? appeared first on HIPAA Journal.

2018 HIPAA Changes and Enforcement Outlook

Posted by HIPAA Journal

Are there likely to be major 2018 HIPAA changes? What does this year have in store in terms of new HIPAA regulations? OCR Director Roger Severino has hinted there could be some 2018 HIPAA changes and that HIPAA enforcement in 2018 is unlikely to slowdown.

Are Major 2018 HIPAA Changes Likely?

The Trump administration has made it clear that there should be a decrease rather than an increase in regulation in the United States. In January 2017, Trump signed an executive order calling for a reduction in regulation, which was seen to be hampering America’s economic growth. At the time Trump said, “If there’s a new regulation, they have to knock out two. But it goes far beyond that, we’re cutting regulations massively for small business and for large business.”

While Trump was not specifically referring to healthcare, it is clear we are currently in a period of deregulation. Trump’s words were recently echoed by Severino at the HIMSS conference who confirmed the HSS understands deregulation in some areas is required before further regulations can be introduced.

Therefore, there are unlikely to be major 2018 HIPAA changes, at lease not in terms of increased regulation. What is more likely is an easing of the administrative burden on healthcare organizations in 2018.

OCR is currently reviewing existing HIPAA regulations to determine whether all aspects of HIPAA Rules are still relevant and if there are any areas where the administrative burden on healthcare organizations can be eased. OCR is looking at the benefit of various provisions of HIPAA and whether those benefits outweigh the costs.

The HHS has said its goals are “reducing the burden of compliance” and “streamlining its regulations,” while promoting “meaningful information sharing”.

2018 HIPAA changes could make life simpler for many healthcare organizations as the HHS attempts to minimize duplication and burdensome requirements and eliminate outdated restrictions and obsolete regulations.

HIPAA Enforcement in 2018

In 2016 there was a significant increase in HIPAA enforcement activities by OCR with more settlements reached with covered entities and business associates than any other year since the HIPAA Enforcement Rule was signed into law. In 2016 there were 12 settlements and one civil monetary penalty issued and 2017 HIPAA settlements were well above average levels, with 9 settlements and one civil monetary penalty. So, what can we expect for HIPAA enforcement in 2018?

At HIMSS 2018, Roger Severino gave a presentation on HIPAA compliance, enforcement, and policy updates from the Office for Civil Rights and made it clear OCR will continue to pursue settlements with HIPAA covered entities for egregious violations of HIPAA Rules. Severino said OCR still has the same enforcement mindset and that there will be “no slowdown in our enforcement efforts,” and “we’re still looking for big, juicy, egregious cases.” That does not necessarily mean large healthcare organizations. OCR treats potential HIPAA violations on a case by case basis, and smaller healthcare organizations may similarly be punished if they are discovered to have violated HIPAA Rules.

Severino said OCR does not want to fine healthcare organizations for violating HIPAA Rules and wants the settlements to reduce, but for that to happen, healthcare organizations must improve their compliance programs. 2018 HIPAA enforcement is likely to continue to see financial penalties issued for common HIPAA violations such as the failure to conduct regular risk assessments.  Already, 2018 has seen two settlements announced. A $100,000 penalty for Filefax, Inc., and a $3,500,000 settlement with Fresenius Medical Care North America. Time will tell if this was a blip or if that pace will be maintained throughout the year.

OCR is not the only enforcer of HIPAA Rules. State attorneys general can also issue fines for HIPAA violations, and the New York AG has been active in this area in recent weeks, fining EmblemHealth $575,000 in March and Aetna $1,150,000 in January. Further financial settlements are likely to be pursued in NY and other states to resolve HIPAA violations and privacy and security-related breaches of state laws.

The post 2018 HIPAA Changes and Enforcement Outlook appeared first on HIPAA Journal.

HIMSS Survey Reveals Top Healthcare Security Threats

Posted by HIPAA Journal

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identified the top healthcare security threats.

The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas.

36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity.

Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months

The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a recent significant security incident. 96% of those respondents were able to characterize the threat actor responsible, with the top three being online scam artists such as phishers (37.6%), negligent insiders (20.8%), and hackers (20.1%).

61.4% of respondents said email was the main initial point of compromise. In second place was ‘other’ which included compromised customer networks, web application attacks, guessed passwords, misconfigured software/cloud services, and human error. In joint third – both with 3.2% of responses – was a compromised organizational website and hardware/software pre-loaded with malware.  11.6% said they did not know how the attackers gained access to their networks/data.

In the majority of cases (68.2%), incidents were discovered internally (40.7% by security teams / 27.5% by non-security personnel). 67.7% of breaches were detected within 7 days, with 47.1% detected within 24 hours.

Healthcare Cybersecurity Is Improving

The past 12 months have seen an increase in healthcare security incidents, although the severity of data breaches has reduced year over year. This indicates cybersecurity in healthcare is improving, which was backed up by the HIMSS survey results.

84.3% of respondents said more resources are now being used to address cybersecurity with only 3.3% saying resources have decreased year over year.  60% of respondents said their organization now employs a senior information security leader.

55.8% of respondents said a dedicated or defined amount of the current budget is allocated for cybersecurity. 26.5% of respondents said there was no specific carve out for cybersecurity but money was being spent as needed or could be requested. Only 2.8% said no money is spent on cybersecurity.

HIPAA requires healthcare organizations to conduct regular risk assessments to identify potential threats to the confidentiality, integrity, and availability of protected health information. The survey revealed healthcare organizations are being proactive and are conducting risk assessments and using the results to direct their cybersecurity efforts.

45.5% said they are performing security risk assessments annually, 5.6% were conducting risk assessments every 6 months, 9% performed risk assessments once a month, and 9.6% said they performed risk assessments daily. Alarmingly, 5.1% said they do not perform risk assessments and 4.5% conducted risk assessments less frequently than once a year.

Actions Directed by Risk Assessments

Source: HIMSS

Plenty of Room for Improvement

While cybersecurity is improving, there are still multiple areas where improvements can and should be made and too little is being done to deal with the main healthcare security threats. The recent HIPAA compliance audits and penalties for HIPAA violations have prompted many healthcare organizations to concentrate on HIPAA compliance, which has been a greater priority than security.

HIMSS says compared to other industry sectors, healthcare cybersecurity programs lack maturity and that typically cybersecurity programs have only been running for five or fewer years. HIMSS suggests that even with the healthcare industry being heavily targeted by cybercriminals, “many cybersecurity professionals are still getting used to the idea that there are bad actors out there that are directly or indirectly targeting healthcare organizations.”

The main barriers for remediating and mitigating cyberattacks were a lack of appropriate personnel (52.4%) and a lack of financial resources (46.6%). Other barriers were too many application vulnerabilities (28.6%), too many endpoints (27.5%), too many new and emerging threats (27%) not enough cyber security intelligence (23.3%) and a network infrastructure that was too complex to secure (20.6%).

13.3% said they had no cybersecurity staff and 43.2% said their ratio of cybersecurity staff to IT users was greater than 1:500.

The majority of organizations are spending 6% or less of their IT budgets on cybersecurity, 16.9% of organizations had not adopted a cybersecurity framework, and 37.1% of organizations only conducted penetration tests annually. Even though the threat from within is significant, 24.2% of healthcare organizations did not have an insider threat management program and 27% said they had such a program but it was informal.

Phishing and email attacks are major concerns and are behind the majority of healthcare security breaches and OCR has also made it clear that phishing and security awareness training should be an ongoing process, yet 51.8% of healthcare organizations are still only conducting security awareness training annually. Only 32.9% said they test their employees phishing awareness with phishing simulations.

Top Healthcare Security Threats

There are many healthcare security threats, although some are perceived to pose more of a threat than others. There was little to choose between the three main threats to network and data security. Data breaches and data leakage were ranked as top healthcare security threats by 11.8% of respondents, ransomware was in second place rated as a top cybersecurity threat by 11.3% of respondents, with credential stealing malware in third place on 11%. Malicious insiders were seen as a major threat by 10.1% of respondents and wiper malware was rated as a serious threat by 10% of respodents.

When asked about future cybersecurity priorities the top areas were incident response (11.9%), risk assessment and management (11.9%), business continuity and disaster recovery (11.8%), awareness training programs (11.6%), cloud security (11.2%), website security (10.8%), physical security (10.7%), and information sharing (10.4%).

The full results of the HIMSS 2018 Cybersecurity survey can be viewed here.

The post HIMSS Survey Reveals Top Healthcare Security Threats appeared first on HIPAA Journal.