Learning from Mistakes: Key Takeaways from Major HIPAA Violation Cases

IN THIS ARTICLE

Everybody knows that HIPAA violations can be costly, with penalties that can include seven-digit fines and jail time. Even worse, the combined text of the current HIPAA regulations stretches to 115 pages and more than 60,000 words. It’s little wonder, then, that most healthcare providers are scared they might be missing something that could ruin them financially or put their practice in jeopardy.

Luckily, the Office of Civil Rights (OCR), which enforces HIPAA, makes data available on its investigations and enforcement actions. We can see exactly how many complaints they field each year (about 10 to 20 thousand), how many of these result in “corrective actions” (about 2 to 3%), and most importantly, what types of HIPAA violations most commonly result in corrective actions. “Corrective action,” by the way, is the OCR way of saying that you’re likely settling (paying the government) or paying a fine (also paying the government) in addition to agreeing to a plan to rectify and then monitor your areas of violation, which will also cost money and time to carry out.

Let’s dig into some mistakes that have been made in the past year and what we can learn from them.

How Often Do HIPAA Violations Actually Occur?

As mentioned above, HIPAA violations occur with some frequency. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. From March 2021 to February 2022, there were 723 reported data breaches involving 500 or more records, which is a record number within a 12-month period. The Office for Civil Rights (OCR) received more than 28,000 complaints of possible HIPAA violations in 2019, resulting in investigations and fines totaling over $15 million.

But interestingly, the same seven common HIPAA violations account for the majority of breaches nationwide every year. Those include failing to secure and encrypt data, device theft, employee misconduct, improper records disposal, non-compliant partnership agreements, failure to perform an organization-wide risk analysis, and inadequate staff training. The total number of individuals affected by healthcare data breaches from 2005 to 2019 was reported to be 249.09 million. It is important to note that these statistics provide an overview of reported incidents and may not capture all HIPAA violations that occur.

What Causes Most HIPAA Breaches?

HIPAA breaches can occur for a variety of reasons, including employee misconduct, inadequate training, and cyber attacks. Here is a roundup of some of the most common reasons for HIPAA violations.

Lack of Employee Training

Given that staff training prevents nearly every other item on this list, it will come as no surprise that inadequate training is one of the most common HIPAA violations each year. There is simply no substitute for getting your staff properly HIPAA trained and verifying that they fully understand the rules and how they apply.

Improper or Irregular Disposal of Patient Information

This can occur when healthcare providers fail to properly dispose of paper records or electronic devices containing sensitive information. Items such as hard drives and USB drives may also continue to hold PHI until they are wiped or destroyed. If they are not accounted for and stored under lock and key between the end of their use and when they are wiped of PHI, they can constitute or lead to a violation. To protect your organization, you need strong and clear policies on document and device handling. You also need to train staff on best practices and possible HIPAA violations in this area.

Unauthorized Access/Disclosure

This is still one of the top causes of HIPAA breaches, according to the U.S. Department of Health and Human Services. Standing in as the “catch all” category of the Department’s notice, snooping, accidental third-party disclosure, and human error fall into the group of unauthorized access/disclosure. And, employees who comb through protected records for personal information they are not authorized to access for any reason are a huge HIPAA liability for a healthcare company. The government does not take snooping lightly either, with some offenders being sentenced to hard time.

Lack of Patient Consent

​​Lack of patient consent can be a potential HIPAA violation, but it is important to note that HIPAA regulations generally allow for the sharing of patient information without explicit consent for treatment, payment, and business operations reasons. However, there are certain situations where patient consent is required, and the lack of documented permission from the patient can pose challenges in defending against potential legal claims. Here are some key points regarding patient consent and HIPAA violations:

  1. Informed consent: If there is a violation of the duty to provide informed consent, and it results in harm to the patient with sustained damages, it can be considered a violation of HIPAA.
  2. Sharing information with family members or others: In certain cases, healthcare providers may ask for the patient’s permission to share relevant information with family members or others.
  3. Civil penalties: Crossing the lines established by HIPAA can result in civil penalties ranging from $100 for an “unknowing” violation to $1.5 million for “willful neglect”.

While lack of patient consent can potentially lead to HIPAA violations, it is important to consider the specific circumstances and requirements outlined by HIPAA regulations. Healthcare providers should ensure they have proper consent processes in place and adhere to the guidelines to avoid any potential violations. We’ve actually written another article specifically on the subject called The Single Best Way to Increase Patient Satisfaction and Prevent HIPAA Violations.

What are Some Famous Data Breaches and HIPAA Violations From the Previous Year?

While this isn’t the kind of fame most of us seek out, there are important learnings to glean from the following examples of companies that failed their customers.

OneTouchPoint

OneTouchPoint, a mailing and printing vendor that serves numerous healthcare systems and providers, was involved in a high profile data breach incident on April 27, 2022. OneTouchPoint experienced a ransomware attack during which data was exfiltrated and its files were encrypted. The attack compromised personally identifiable information (PII) stored on its systems. The number of individuals affected by the ransomware attack was reported to be 2.65 million, however, it is worth noting that the number of impacted individuals may be larger, as the breach impacted over 30 healthcare providers and health insurance carriers.

OneTouchPoint is facing at least one lawsuit over the breach, alleging that the company failed to safeguard the information of its customers. They are working with customers to identify the individuals whose information might have been impacted and have sent out data breach notifications on behalf of impacted customers. The OneTouchPoint data breach is significant due to the large number of individuals affected and the potential exposure of sensitive healthcare information. It highlights the importance of robust cybersecurity measures and the need for healthcare organizations to carefully vet and monitor their business associates to ensure the protection of patient data.

Eye Care Leaders

Eye Care Leaders, an EMR vendor that provides patient management software solutions for ophthalmology and optometry practices, experienced a data breach in December 2021. The breach was a result of a ransomware attack on their myCare Integrity system. The breach has affected millions of patients, with over 2 million people impacted in total. The intruder accessed compromised information, including names, addresses, phone numbers, health insurance information, and medical information related to eye care services.

Texas Tech University Health Science Center was the hardest-hit provider, with 1.3 million patients affected.
Eye Care Leaders took down the compromised systems within 24 hours of breach detection and terminated unauthorized access. It is important to note that the breach was the result of a cyberattack on Eye Care Leaders’ systems, rather than a violation committed by the company itself. The breach also highlights the need for robust cybersecurity measures and the importance of protecting patient data in the healthcare industry.

Shields Health Care Group

Shields Health Care Group, a Massachusetts-based healthcare group that provides MRI, PET/CT, and ambulatory surgical services to patients across New England at more than 30 locations, reported a healthcare cyberattack to HHS impacting 2 million individuals. The company discovered suspicious activity on its network on March 28, 2022, and immediately launched an investigation and took steps to contain the incident.

The investigation revealed that an unknown actor gained access to certain Shields systems from March 7 to March 21, 2022, and
acquired certain data from the systems. The data that was involved in the incident included full names, Social Security numbers, provider information, diagnoses, billing information, medical record numbers, patient IDs, dates of birth, addresses, and treatment information.

As a result of the breach, a class-action lawsuit was filed against Shields Health Care Group seeking monetary relief, actual and punitive damages, litigation fees, adequate credit monitoring, and identity protection services. Shields Health Care Group is offering impacted individuals information on how to place a fraud alert and security freeze on their credit file.

Professional Finance Company

Professional Finance Company (PFC) is an accounts receivable management company based in Greeley, Colorado. On February 26, 2022, PFC discovered that it had experienced a ransomware attack in which the sensitive personal identifiable information and protected health information in its system may have been accessed. The attack impacted 660 healthcare organizations and 657 HIPAA-covered entities. Some PFC systems were disabled and data on those systems was accessed. On May 5, 2022, PFC reportedly notified more than 650 clients who are HIPAA-covered entities of the ransomware attack and is providing breach notifications to patients of 657 covered entities. The breach potentially exposed the data of almost 2 million patients.

Advocate Aurora Health 

Advocate Aurora Health, a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI, has been involved in several HIPAA violations. In 2016, Advocate Health Care (now Advocate Aurora Health) settled potential HIPAA penalties for $5.55 million and adopted a corrective action plan after a data breach.

In October 2022, Advocate Aurora Health announced that patient data may have been impermissibly passed to Meta (Facebook) as a result of the inclusion of Meta tracking code on its website. Patients’ protected health information was impermissibly disclosed to Meta/Facebook or others when there was no business associate agreement in place, and consent had not been obtained from patients prior to their data being shared with Meta/Facebook and other third parties. Also in October 2022, Advocate Aurora Health gave notice to patients that protected health data may have been exposed to Google, Meta, and other third parties.

Connexin Software    

Connexin Software, which does business as Office Practicum, a provider of electronic health record (EHR) software for pediatric practices, has found itself in hot water more than once. In November 2022, it was discovered that an unauthorized third party was able to gain access to an internal computer network, resulting in a data breach that involved sensitive personal identifiable information and protected health information belonging to an undetermined number of individuals. As a HIPAA-regulated entity, Connexin is required to implement safeguards to ensure the privacy of protected health information.

The breach affected 119 pediatric practices and over
2.2 million patients. Several lawsuits have been filed against Connexin Software over the breach, and they keep coming in.  Connexin offered affected individuals a 12-month membership to an identity theft protection service; however, the lawsuit claims this is inadequate, as the plaintiff and class members will be required to pay for identity theft protection for years to come to ensure their personal and protected health information is not misused.

The lawsuit claims the plaintiff and class members now face a substantial risk of being targeted in future phishing, data intrusion, and other illegal schemes, will incur out-of-pocket expenses protecting themselves against identity theft and fraud, and have or will suffer actual injury as a direct result of the data breach.

How Are HIPAA Violations Usually Discovered?

HIPAA violations can be discovered in several ways, including self-reporting by employees or via third-party investigations.

Audits

HIPAA-covered organizations conduct internal audits and report any violations they uncover. Employees also self-report HIPAA violations they or their coworkers commit. HIPAA’s Breach Notification Rule requires organizations to provide individual notifications without unreasonable delay and no later than 60 days following the discovery of a breach.  

HIPAA violations can continue for many months or even years before they are discovered, and the longer they persist, the greater the penalty will be when they are eventually discovered. Therefore, it is important for HIPAA-covered entities to conduct regular HIPAA compliance reviews to ensure HIPAA violations are discovered and corrected before they are identified by regulators.                    

Patient Complaints

A HIPAA violation can be discovered from a patient complaint through various means. A patient may file a complaint regarding a potential HIPAA violation by submitting a complaint form or contacting the HIPAA privacy officer at a given practice. The HIPAA privacy officer or designated person(s) initiates an investigation into the complaint and reviews internal policies and procedures to determine if there was a violation. This involves gathering information and evidence related to the alleged violation and may include reviewing access logs, interviewing relevant personnel, and examining relevant documents.

Based on the findings of the investigation, the HIPAA privacy officer determines if there was a violation of the HIPAA Privacy or Security Rule, and if a violation is confirmed, the covered entity is required to report the violation to the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). The OCR is responsible for enforcing HIPAA and investigates complaints, and depending on the nature of the violation, the harm caused, and the covered entity’s cooperation, can enforce corrective action plans or financial penalties

Whistleblower Reports 

HIPAA violations can be reported by whistleblowers who understand HIPAA and its rules. There are several ways to report HIPAA violations, including filing a complaint directly with the entity or organization that committed the violation, filing a complaint with the Department of Health and Human Services (HHS), or reporting the violation to the Office of Inspector General (OIG). The Whistleblower Exception allows an individual to disclose concerns about issues such as billing fraud or compliance issues by using Protected Health Information (PHI) to report the violation.

This exception permits employees covered by HIPAA to legally disclose PHI if the whistleblower believes that the entity has engaged in unlawful activity.
Whistleblowers who report specific wrongdoing are protected from retaliation under the Whistleblower Protection Act of 1989 and Presidential Policy Directive 19 (PPD-19). Additionally, members of the U.S. Public Health Service Commissioned Corps are protected from retaliation for making public disclosures under the Military Whistleblower Protection Act. Suspected HIPAA violations should be reported within 180 days of discovery.       

Data Breach Reports

HIPAA violations can be discovered in several ways during data breach investigations. First off, when a data breach occurs, the Office for Civil Rights (OCR) or state attorneys general may investigate the incident to determine if any HIPAA violations occurred. Then there are investigations into complaints about covered entities and business associates. As covered above, individuals can file complaints with OCR if they believe that a covered entity or business associate has violated HIPAA. And then there are HIPAA compliance audits.

The OCR conducts compliance audits to ensure that covered entities and business associates are following HIPAA rules.
When a data breach occurs, OCR investigates the incident to determine if any HIPAA violations occurred. OCR tends to investigate every large breach, or those breaches affecting 500 or more individuals. OCR requires notice of both paper and electronic data breaches, and many US states are beginning to expand their data breach notification laws to include paper. Significant breaches are investigated by OCR, and penalties may be imposed for failure. 

Ways in Which HIPAA Risk Analysis Can Help in Preventing Violations

HIPAA risk analysis is an essential element of HIPAA compliance that can help identify areas of vulnerability and weakness to prevent data breaches. Here are some ways in which HIPAA risk analysis can help in preventing violations:

  1. Identify potential risks and vulnerabilities: Conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) can help identify areas that need improvement.
  2. Develop a risk management plan: After identifying potential risks and vulnerabilities, a risk management plan can be developed to address them. This plan should include policies and procedures to safeguard the privacy and security of PHI.
  3. Educate employees: Educating and continually informing employees on HIPAA regulations is critical in preventing violations. Employees should be trained on how to handle PHI and what constitutes a violation.
  4. Implement safeguards: Implementing appropriate safeguards, such as access controls, audit controls, and encryption, can help prevent unauthorized access to PHI.
  5. Regularly review and update risk analysis: Regularly reviewing and updating the risk analysis can help ensure that the organization is aware of any new risks or vulnerabilities and can take appropriate action to address them.

By conducting a HIPAA risk analysis, covered entities and business associates can identify and address potential risks and vulnerabilities to PHI, develop a risk management plan, educate employees, implement safeguards, and regularly review and update the risk analysis to prevent violations.

The Key Conclusions We Can Take From Famous HIPAA Violations

HIPAA violations can occur in various ways, including unauthorized sharing of information, snooping on healthcare records, failure to perform an organization-wide risk analysis, and failure to encrypt digital devices containing PHI. These violations can result in significant consequences, including financial penalties, disciplinary action against the employee responsible, and harm to the patient(s) involved. To help prevent some of the most common HIPAA violations, healthcare organizations should invest in technology, encrypt all digital devices containing PHI, digitize patients’ medical records, regularly back up data, and perform an organization-wide risk analysis.

Final Thoughts

HIPAA violations can have severe consequences for both patients and healthcare organizations. It is essential to understand the HIPAA requirements and take appropriate measures to protect PHI to avoid violations. By remaining vigilant, healthcare organizations can prevent HIPAA violations and protect patient privacy. Here is an easy checklist to refer back to when you have questions. And, this white paper delves into greater detail about how to use Spruce in a HIPAA-compliant way.

Related Articles

Discover more about the Mental Health Access Improvement Act, which allows LPCs and MFTs to enroll a...