Violations of patients’ privacy — whether intentional or not — can have serious liability implications for healthcare professionals. And while most of us could never imagine actively doing something unethical to the people we care for, accidents do happen. In fact, between April 2003 and May 2019, there were 38,722 HIPAA-related complaints — and 70 percent of those cases had corrective action taken.
Despite these eye-opening statistics, it’s easy to feel like you’d never find yourself in this position. After all, you chose to work in healthcare because you wanted to take care of people, not violate their trust. But as you’ll see, it’s a whole lot easier to breach patients’ privacy than you might think. In this article, we’ll refresh your memory of what a HIPAA violation is and what the consequences are if you commit one. We’ll also provide you with six real-life case studies to help put it all into context for you.
Refresher: What’s HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Passed by Congress in 1996, it’s a federal law that requires healthcare providers and organizations (and their business associates) to develop and follow procedures that ensure the confidentiality and security of patients’ protected health information (PHI). That means protecting everything from the mere fact that a patient goes to a specific doctor to what medications they take.
What Counts as Protected Health Information Under HIPAA?
The HIPAA Journal provides the following definition of PHI:
“Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations (PHI healthcare business uses).”
In other words, HIPAA laws protect a patient’s past, present, and even future health information, such as diagnoses, treatment plans, medical test results, prescriptions, and identification information (e.g., birth dates, demographics, emergency contact information). It’s important to note, though, that information can only be designated as PHI if someone could be directly identified by it. If specific identifiers are removed from the data, the information in question isn’t considered to be PHI.
What Is a HIPAA Violation?
In plain terms, a HIPAA violation is any action — deliberate or not — that exposes a patient’s PHI to anyone who isn’t directly involved in their care. This could be anything from accessing the records of a patient you’re not caring for (e.g., looking up your family member’s test results) to posting a work selfie on social media and not realizing a patient’s spouse is in the background (thereby making it public knowledge that the patient is receiving care at your hospital). It could also occur if a care provider makes any records or data available for unauthorized individuals to access (e.g., logging into a computer system and then walking away without logging out).
The 10 Most Common HIPAA Violations
Unfortunately, there are countless ways in which a provider could violate a patient’s privacy. The following is a list of the 10 most common types of HIPAA violations:
- Impermissible disclosures of PHI
- Unauthorized accessing of PHI and healthcare records
- Improper disposal of PHI
- Failure to conduct an organization-wide risk analysis
- Failure to manage security risks
- Failure to implement appropriate security measures in portable devices to protect PHI
- Failure to provide patients with access to their health records in a timely manner
- Failure to enter into a HIPAA-compliant business associate agreement with vendors prior to giving access to PHI
- Failure to issue data breach notifications within 60 days after discovery of the incident
- Failure to implement access controls to limit who can view PHI and ePHI
What Happens When You Violate HIPAA?
At a high level, these are the kinds of consequences you may face if you violate HIPAA:
- You could be disciplined by your employer
- You could be fired
- Your professional governing board could rule on your license or future ability to work
- You could be issued a penalty (e.g., financial, civil, criminal)
- You could be sued for monetary damages by the patients whose PHI you accessed.
Ultimately, the consequences you face will depend on the specifics and severity of the violation. When determining the appropriate punishment, the relevant authorities will examine your actions, the motivations behind those actions, what harm (if any) occurred as a result of the violation, and whether criminal charges are necessary.
Types of Penalties for HIPAA Violations
Both the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general have the authority to issue penalties for HIPAA violations. Violations are classified into four tiered categories, and these tiers determine the severity of the penalties given. For the sake of accuracy, we pulled the definitions for each penalty tier directly from the HIPAA Journal:
Tier 1: “A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.”
Tier 2: “A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of ‘willful neglect’ of HIPAA Rules).”
Tier 3: “A violation suffered as a direct result of ‘willful neglect’ of HIPAA Rules, in cases where an attempt has been made to correct the violation.”
Tier 4: “A violation of HIPAA Rules constituting ‘willful neglect,’ where no attempt has been made to correct the violation.”
HIPAA Financial Penalties
The level of HIPAA fines and punishments for each tier are as follows:
Table of Financial Penalties for HIPAA Violations
|“Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA Rules had been violated.”
|$100 - $50,000 per violation; Maximum $25,000 per year
|“Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.”
|$1,000 - $50,000 per violation; Maximum $100,000 per year
|“Willful neglect of HIPAA Rules with the violation corrected within 30 days of discovery.”
|$10,000 - $50,000 per violation; Maximum $250,000 per year
|“Willful neglect of HIPAA Rules and no effort made to correct the violation within 30 days of discovery.”
|$50,000 per violation; Maximum $1.5 million per year
Source: HIPAA Journal. “What Are the Penalties for HIPAA Violations?” (2015)
HIPAA Criminal Penalties
The Department of Justice is responsible for prosecuting criminal HIPAA violations, as well as determining the amount of jail time and fines the offender will get.
This is the three-tiered structure for criminal penalties:
Table of Criminal Penalties for HIPAA Violations
|“Reasonable cause or no knowledge of violation.”
|Up to 1 year in jail
|“Obtaining PHI under false pretenses.”
|Up to 5 years in jail
|“Obtaining PHI for personal gain or with malicious intent.”
|Up to 10 years in jail
Source: HIPAA Journal. “What Are the Penalties for HIPAA Violations?” (2015)
6 Real-Life HIPAA Violation Cases You Should Know About
No matter your profession, specialty, or work setting, any information you learn about a patient while they’re under your care is privileged and confidential, and therefore should absolutely never be shared with anyone.
To give you a better idea of what this can look like in real life, we’ll walk you through six examples of real-life case studies of HIPAA violations that were committed by healthcare providers.
3 Examples of HIPAA Violation Cases
Example #1: When it comes to HIPAA, curiosity can kill the cat — or your career. This was the case in 2019, when a number of healthcare professionals accessed a particular actor’s medical records after the actor was part of a potential hoax hate-crime, which became headline news. Because these providers weren’t involved in the actor’s care, this was a violation of the patient’s privacy, and the hospital fired them all on the spot.
Example #2: In 2010, a cardiothoracic surgeon in California was sentenced to four months in federal prison for accessing the confidential medical records of his supervisors and coworkers, as well as those of celebrity patients, when he had no legitimate reason to do so. In addition to prison time, he was also required to pay a $2,000 fine.
Example #3: A New York nurse found herself in a tricky situation when her sister-in-law’s boyfriend visited the clinic where she worked to receive treatment for an STD. When she learned of the boyfriend’s condition, the nurse texted her sister-in-law six times to warn her of the diagnosis. The patient found out what the nurse had done and submitted a complaint to — and later sued — the clinic where she worked. The nurse lost her job as a result of violating the patient’s privacy.
3 Examples of HIPAA Violations via Social Media
Perhaps unsurprisingly, social media is rife with opportunities for healthcare professionals to inadvertently violate HIPAA. But the truth is, anything you post on social media is public. It doesn’t matter if you don’t post things while you’re at work, if you feel like you’re being careful, or if you delete the post after the fact. Here are a few real-life examples of healthcare professionals who learned this the hard way.
Example #4: In 2018, a Texas nurse was fired after she published a post on her personal Facebook account about a case of a young boy who was battling measles at her hospital. Although she didn’t actually name the patient, she did provide descriptive information about the boy, and her Facebook profile listed her job title and the name of the hospital where she worked. Additionally, there had not been many cases of measles in this particular city — in fact, there’d been fewer than 10 cases in 10 years. For this reason, hospital administrators were concerned that the boy could be identified from the nurse’s posts. As a result, the hospital suspended her, launched an investigation into her actions, and then fired her four days later.
Example #5: You also can’t trust anyone with a patient’s information or assume it won’t get linked back to you. In fact, anything you text can be made public. For example, a New Jersey nursing assistant took a lewd photo of a nursing home resident and texted it to a friend. Unbeknownst to the provider, the friend then posted the image to Facebook. Although the nursing assistant was not the one who posted the photo on Facebook, she did take the image and distribute it. For this reason, she was fired from her job and charged with invasion of privacy and conspiracy, which carry penalties of up to five years in prison and fines up to $15,000.
Example #6: Snapchat videos may disappear, but they can still get providers into serious trouble. Take the case of a Wisconsin nursing assistant who posted a video of an elderly Alzheimer’s patient who was almost completely undressed. One of the nursing assistant’s Snapchat contacts reported her to the nursing home, and they promptly fired her. On top of losing her job, she was also charged with a felony for taking a nude image without the patient’s consent. A conviction could result in up to three and a half years in jail.
While privacy might seem like a no-brainer, you must be extremely careful when it comes to protecting the confidentiality of the patients in your facility, even if they’re no longer under your care. It’s important that your entire team — as well as any visiting consultants — understand and diligently follow HIPAA laws. This is particularly true now that smartphones are always in-hand and society is getting more desensitized to personal information shared on social media. And if you need extra information, the U.S. Health and Human Services provides online HIPAA courses and resources to help you stay compliant.