The Health Insurance Portability and Accountability Act (HIPAA) is a US law designed to protect patient privacy and secure medical information. It establishes standards for the confidentiality, integrity, and availability of health data to ensure patients' personal health information is safeguarded.
According to the HHS Breach Portal, in 2024 alone more than 500 reported breaches affected more than 170 million individuals.
As data breaches and cyberattacks continue to rise, understanding common HIPAA violations and implementing preventive measures can mean the difference between compliance and costly penalties.
One of the most common and costly HIPAA violations is the failure to perform an organization-wide risk analysis, which the Security Rule requires (45 CFR § 164.308(a)(1)(ii)(A)). Skipping it leaves vulnerabilities in systems and processes unidentified and unaddressed, and those are the gaps attackers exploit. A notable example is Anthem Inc., which suffered a breach in 2015 affecting nearly 79 million individuals. HHS attributed the breach, in part, to Anthem's failure to conduct an enterprise-wide risk analysis that could have identified the security gaps and led to stronger safeguards. Anthem agreed to a $16 million settlement with HHS, the largest HIPAA settlement at the time.
A study about the causes and impacts of breaches found that unencrypted devices containing Protected Health Information (PHI) have led to significant breaches. Encrypting every electronic device that stores or accesses PHI is essential to protect the data if the device is lost or stolen. For data at rest this means full-disk, file/folder, and database encryption; a login password alone is not encryption, because the drive can be removed and read on another machine. For data in transit it means protected channels such as TLS-based secure messaging (for example the Paubox Secure Messaging Center) and VPNs, with a strong cipher such as AES underneath. Without encryption, data remains in a readable format and can be intercepted in transmission or read off a stored device. Encryption is an "addressable" specification under the Security Rule, but HHS guidance treats PHI encrypted to NIST standards as secured, so the loss of a properly encrypted device is generally not a reportable breach, while the loss of an unencrypted one is.
An example is the breach experienced by the University of California, Los Angeles (UCLA) Health in 2015. Hackers accessed a network containing the personal and medical information of 4.5 million individuals. The breach was exacerbated because the data was not encrypted, allowing the attackers to easily access sensitive information.
Go Deeper: Developing secure messaging protocols
Unauthorized access to patient records, often due to inadequate access controls, has resulted in hefty fines. When access controls are insufficient, employees or external parties can gain unauthorized access to sensitive patient information, violating HIPAA regulations.
A prominent example is the case of New York-Presbyterian Hospital and Columbia University, which paid a combined $4.8 million in 2014 after a breach exposed the electronic protected health information (ePHI) of 6,800 patients. A physician had attempted to deactivate a personally owned computer server on the shared network; because technical safeguards were lacking, the deactivation left patient ePHI accessible to internet search engines. Strict access controls, a verified inventory of what is connected to the network, and regular audits of access logs can help prevent such violations.
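The audit-log review mentioned above is rarely spelled out. The following is an added example, not code from the original article or from any of the organizations it names: it runs two common checks over electronic health record access logs, access to a patient by a user who has no documented treatment relationship, and a user viewing an unusual number of distinct patients in a short window. The log format, the user and role names, the care-team table, and the rule that billing staff are exempt from the relationship check are all constructed assumptions for this demonstration.

```python
"""Audit EHR access logs for accesses that lack a documented treatment
relationship and for bulk record viewing.

Added example; the log format, names, care-team table and thresholds are
assumptions constructed for this demonstration, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, role, action, patient MRN.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=nurse.j role=nurse action=view mrn=1001
2024-03-04T08:05:40Z user=nurse.j role=nurse action=view mrn=1002
2024-03-04T08:09:03Z user=dr.k role=physician action=view mrn=1003
2024-03-04T08:10:15Z user=billing.m role=billing action=view mrn=1001
2024-03-04T08:11:00Z user=billing.m role=billing action=view mrn=1007
2024-03-04T12:31:44Z user=dr.k role=physician action=view mrn=1001
2024-03-04T12:32:01Z user=dr.k role=physician action=view mrn=1002
2024-03-04T12:32:20Z user=dr.k role=physician action=view mrn=1004
2024-03-04T12:32:35Z user=dr.k role=physician action=view mrn=1005
2024-03-04T12:32:50Z user=dr.k role=physician action=view mrn=1006
"""

# Constructed care-team table: which users currently have a treatment
# relationship with which patients. In a real system this would be derived
# from the EHR's encounter and assignment data, not hard-coded.
CARE_TEAM = {
    "nurse.j": {"1001", "1002"},
    "dr.k": {"1003"},
}

# Roles whose job function justifies record access without a treatment
# relationship (assumption for the example; a policy decision in practice).
ROLE_EXEMPT = {"billing"}

BULK_WINDOW = timedelta(minutes=5)
BULK_THRESHOLD = 4  # distinct patients within BULK_WINDOW that triggers a finding


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def audit(log_text, care_team=CARE_TEAM, exempt_roles=ROLE_EXEMPT):
    """Return a list of (user, mrn, reason) findings for the given log text."""
    findings = []
    recent = defaultdict(list)  # user -> [(ts, mrn), ...] inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, role, mrn, ts = rec["user"], rec["role"], rec["mrn"], rec["ts"]

        # Check 1: access with no documented treatment relationship.
        if role not in exempt_roles and mrn not in care_team.get(user, set()):
            findings.append((user, mrn, "no treatment relationship"))

        # Check 2: sliding window of distinct patients per user; flag once
        # when the count first reaches the threshold.
        window = [(t, m) for t, m in recent[user] if ts - t <= BULK_WINDOW]
        window.append((ts, mrn))
        recent[user] = window
        distinct = {m for _, m in window}
        if len(distinct) == BULK_THRESHOLD:
            minutes = int(BULK_WINDOW.total_seconds() // 60)
            findings.append(
                (user, mrn, f"bulk access: {len(distinct)} distinct patients within {minutes} min")
            )
    return findings


if __name__ == "__main__":
    for user, mrn, reason in audit(SAMPLE_LOG):
        print(f"{user:10} mrn={mrn} {reason}")
```

On the constructed log, the script flags dr.k's afternoon views of five patients outside the care team and, separately, the burst of four distinct patients inside five minutes; billing.m is not flagged because of the role exemption. Findings like these are review leads for the privacy officer, not verdicts; the audit complements role-based access control rather than replacing it.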
Improper disposal of paper records containing PHI has led to breaches by allowing unauthorized individuals to access sensitive information that was not securely destroyed. When paper records are discarded without proper shredding, they can be retrieved from trash bins or recycling centers, leading to potential identity theft, privacy violations, and non-compliance with HIPAA regulations.
In 2012, the Cornell Prescription Pharmacy improperly disposed of 71 boxes of patient records in a publicly accessible dumpster without following secure disposal protocols. These records contained sensitive information, including names, addresses, dates of birth, and prescription details. The breach resulted in a settlement with the HHS, where the pharmacy agreed to pay $125,000 and implement a corrective action plan.
Not notifying affected individuals and HHS of a data breach within the required timeframe has resulted in fines because it exacerbates the impact of a breach by delaying response and mitigation. The Breach Notification Rule requires notice without unreasonable delay and no later than 60 calendar days after the breach is discovered.
The Change Healthcare data breach was detected on February 21, 2024, but notifications to impacted healthcare organizations and affected individuals were significantly delayed. Monument Health, for instance, reported being informed of the breach by Change Healthcare on December 16, 2024—almost 10 months after the initial detection of the incident.
Related: What happens when you fail to send a breach notification
Many HIPAA violations can be traced back to human error or insufficient training. Regular employee training on HIPAA compliance and cybersecurity best practices is essential to prevent breaches.
Devices containing PHI should be secured when not in use to prevent unauthorized access. According to a study about the causes and impacts of PHI breaches, when devices such as laptops, smartphones, or tablets lack proper security measures like strong passwords, encryption, or biometric locks, they become vulnerable to theft or unauthorized use. This can result in the exposure of sensitive data, including personal and financial information, especially if the devices contain or have access to electronic protected health information (ePHI) or other confidential data. Additionally, unsecured devices can serve as entry points for malware or hacking attempts, further compromising the security of the organization's network and data.
In 2006, Aetna faced a data breach when a laptop containing the personal information of approximately 38,000 members was stolen from an employee's car. The exposed data included financial and medical records, raising concerns about the company's data protection measures. Aetna acknowledged that the information on the laptop was not encrypted, though it was protected by strong password authentication. A login password does not protect the data on the drive itself, since the drive can be removed and read on another machine; only full-disk encryption does. In response, Aetna offered affected members one year of credit monitoring services and emphasized its commitment to reviewing and enhancing its IT security policies to prevent future incidents.
Business associates and third-party vendors must also comply with HIPAA regulations. Business Associate Agreements (BAAs) legally bind vendors to adhere to HIPAA's privacy and security rules. These agreements outline the responsibilities of the business associate in safeguarding PHI and specify the security measures they must implement.
Business associate and third-party vendor oversights lead to data breaches when these external partners fail to implement adequate security measures to protect the sensitive information entrusted to them.
The Quest Diagnostics data breach in 2019 serves as an example of the risks associated with vendor oversight. The breach occurred due to inadequate security measures at American Medical Collection Agency (AMCA), a third-party billing collections vendor for Quest Diagnostics. AMCA's systems were compromised, leading to the exposure of personal and financial information of approximately 11.9 million patients.
Organizations can enhance their incident response plans by regularly updating them, ensuring clear communication channels, involving key stakeholders, and conducting regular drills to test the effectiveness of the plans.
Organizations should conduct due diligence by vetting vendors' security practices, requiring BAAs, and regularly auditing vendors' compliance with HIPAA standards. Clear communication and collaboration with vendors are also essential to ensure ongoing compliance.
Organizations should conduct risk assessments at least annually and whenever there are significant changes to their operations, such as new technology implementations or changes in business processes. Regular assessments help identify new vulnerabilities and ensure that existing security measures are effective.