Since 1996, healthcare facilities of all sizes and types have had to conform to HIPAA-generated guidelines pertaining to privacy and security, guidelines that are sometimes fuzzy or vague for a facility of any size to adhere to. Any of these "Covered Entities" under HIPAA decide at their peril not to follow them. Rural health care facilities face unique challenges.
SOME BACKGROUND ON HIPAA
HIPAA regulations in 45 CFR
Title 45 of the Code of Federal Regulations (45 CFR) contains the regulations that implement the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Specifically, the HIPAA regulations are found in 45 CFR Part 160 and Part 164. HIPAA is a federal law enacted in 1996 with the primary goals of protecting individuals' health information privacy and security, as well as ensuring the efficient electronic exchange of health information. The law applies to healthcare providers, health plans, and healthcare clearinghouses, as well as to their business associates who handle protected health information (PHI) on their behalf.
The HIPAA regulations in 45 CFR address several key areas:
- Privacy Rule (45 CFR Part 160 and Part 164, Subpart E): This rule establishes national standards for the protection of individuals' medical records and other personal health information. It outlines how covered entities (healthcare providers, health plans, and healthcare clearinghouses) can use and disclose PHI and individuals' rights regarding their health information.
- Security Rule (45 CFR Part 160 and Part 164, Subpart C): The Security Rule establishes security standards to protect electronic protected health information (ePHI) against unauthorized access, use, and disclosure. It mandates safeguards to ensure the confidentiality, integrity, and availability of ePHI.
- Breach Notification Rule (45 CFR Part 160 and Part 164, Subpart D): This rule requires covered entities and their business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media if a breach of unsecured PHI occurs.
- Enforcement Rule (45 CFR Part 160, Subpart I): This rule outlines the procedures for investigating complaints and violations of HIPAA rules and establishes penalties for non-compliance.
HIPAA regulations have been instrumental in safeguarding patient privacy and security in the healthcare industry. Covered entities and their business associates are required to comply with these regulations to ensure the proper handling and protection of individuals' health information. Violations of HIPAA can result in significant financial penalties and reputational damage.
HIPAA Security Rule
The HIPAA Security Rule is a set of regulations established under the Health Insurance Portability and Accountability Act (HIPAA) that outlines the security standards that covered entities and their business associates must adhere to in order to safeguard electronic protected health information (ePHI). The Security Rule focuses specifically on the protection of ePHI, which includes any individually identifiable health information that is electronically transmitted, stored, or maintained.
The HIPAA Security Rule is found in 45 CFR Part 160 and Part 164, Subpart C. It requires covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates (entities that handle ePHI on behalf of covered entities) to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. These safeguards are designed to protect ePHI against unauthorized access, use, and disclosure.
Key elements of the HIPAA Security Rule include:
- Administrative Safeguards: These are policies and procedures that establish how an organization will manage and implement security measures. Examples include risk assessments, workforce training, security management processes, and ongoing security evaluations.
- Physical Safeguards: These refer to physical measures that protect the physical infrastructure of systems containing ePHI. This includes access controls, facility security, and secure disposal of hardware.
- Technical Safeguards: These involve using technology to protect ePHI. Examples include access controls, encryption, audit controls, and integrity controls.
- Organizational Requirements: Covered entities must have contracts or other arrangements in place with business associates that stipulate the security measures each party must implement to protect ePHI.
- Policies and Procedures: Covered entities and business associates must develop and implement policies and procedures to address the requirements of the Security Rule. These documents guide employees on how to handle ePHI securely.
- Security Incidents and Response: Covered entities and business associates must have procedures in place to detect, respond to, and mitigate security incidents, including breaches of ePHI.
The HIPAA Security Rule is essential for ensuring the secure handling of electronic health information, which has become increasingly important as healthcare systems transition to electronic records and digital communication. Compliance with the Security Rule helps protect patient privacy and maintain the integrity of healthcare data. Non-compliance with the Security Rule can lead to significant penalties and legal consequences.
VIOLATION #1: POOR ACCESS CONTROL POLICIES
Under the HIPAA Security Rule, all third-party business associates and healthcare providers must have restricted access controls for protecting and storing ePHI, so that only authorized personnel have access to the sensitive data. To reduce the risk of unauthorized parties (cybercriminals or insider threats) gaining access to ePHI, healthcare organizations must:
- Implement security risk control measures such as a zero-trust model
- Ensure continuous activity monitoring that tracks all devices and systems
- Use two-factor authentication (2FA) or multi-factor authentication (MFA)
- Use temporary authorization codes to ensure the right parties are accessing only the information they need
- Decide which security measure is both the most HIPAA-compliant and most efficient without slowing down workflow
Violation #2: Failure to Encrypt and Secure Data - Addressable vs. Mandatory Implementation
There are two standards in the HIPAA Security Rule that cover information access management and access control. The implementation specifications under the Security Rule are either required or addressable.
Addressable implementation specifications must also be implemented unless an alternative, appropriate measure is implemented in their place that provides an equivalent level of protection.
In cases where an alternative is implemented, the reasoning behind that decision must be documented.
VIOLATION #3: DEVICE THEFT
Did you know that…
- 68% of healthcare data breaches were due to the loss or theft of mobile devices or files
- 48% of data lost was on a laptop, desktop computer, or mobile device
- Only 23% of the breaches resulted from hacking not connected directly to the loss or theft of a mobile device
Healthcare organizations (HCOs) and their business partners need to do a much better job of protecting PHI on mobile devices if they want to achieve HIPAA compliance and avoid a healthcare data breach, or a HIPAA breach. They should ensure that PHI is always encrypted, whether in transit or in storage, and that IT administrators can remotely wipe data on lost or stolen devices. Information security policies and training should be extended to cover use of mobile devices.
Healthcare data breaches occur when unauthorized individuals gain access to sensitive information about patients, doctors, or other medical professionals. This information can include medical records, personally identifiable information or protected health information (PII/PHI), and financial information.
The consequences of these breaches can be serious, including identity theft, financial loss, and damage to a patient’s reputation. In addition, healthcare organizations and their business associates can face legal and financial repercussions if they fail to properly safeguard patient data.
There are several common causes of healthcare data breaches, including insider threats, hacking, and accidental exposure. Healthcare organizations can take steps to prevent these breaches by implementing robust cybersecurity measures, training staff on proper data handling procedures, and conducting regular assessments of their systems and processes.
In summary, safeguard your devices. Patient information can be kept on computers, USB drives, phones, etc. and those devices must be protected.
VIOLATION #4: IMPROPER DISPOSAL OF PHI & MEDICAL DATA
The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited uses and disclosures of PHI. This includes in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. It also requires covered entities to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).
In summary, shred physical records before taking them to the trash. With digital files, learn how to delete patient records entirely from hard drives and erase electronic devices before getting rid of them.
VIOLATION #5: Impermissible PHI Disclosure and Employee Misconduct
HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.
A physician must take an active role in evaluating the severity of improper use or disclosure of PHI by assessing whether the use or disclosure meets HIPAA’s “low probability of compromise” threshold. To do so, physicians must use a 4-factor test:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person (or people) who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
In the absence of an exception or a demonstration of a low probability of compromise, physicians must notify patients and the U.S. Department of Health & Human Services (HHS) in the event of an impermissible use or disclosure of PHI. If, after evaluating whether the PHI has been compromised, a covered entity or business associate reasonably determines that the probability of such compromise is low, breach notification is not required.
Covered entities are under no obligation to perform the entire 4-factor risk assessment if the PHI is obviously compromised. Covered entities may always begin the breach notification process without conducting a formal risk assessment.
VIOLATION #6: Failure to Enter Business Associate Agreements (BAA) with Third-Party Contractors
The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
The HIPAA Omnibus Rule changed how BAs and Business Associate Subcontractors (BAS) can be held liable for potential HIPAA violations. Therefore, it is in the Covered Entity’s and the BA’s best interest to maintain a thorough understanding of their relationship and how they expect one another to secure patient, client, or employee data.
A Business Associate Contract, or Business Associate Agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI. HIPAA requires Covered Entities to only work with Business Associates who ensure complete protection of PHI. These assurances have to be in writing in the form of a contract or other agreement between the Covered Entity and the BA.
HHS can audit BAs and Subcontractors for HIPAA compliance, not just Covered Entities. This means that organizations must have a Business Associate Agreement (BAA) for all three levels in order to meet the requirements of HIPAA. It’s in both of your best interests to have an agreement since all three classifications are responsible for protecting PHI.
The Business Associate/Subcontractor Agreement must include the following information, according to HHS:
- Describe the permitted and required PHI uses by the Business Associate/Subcontractor
- Provide that the Business Associate/Subcontractor will not use or further disclose PHI other than as permitted or required by the contract or as required by law
- Require the Business Associate/Subcontractor to use appropriate safeguards to prevent inappropriate PHI use or disclosure
Potential Business Associates are people or companies like:
- Accounting or consulting firms
- Cloud vendors
- Consultants hired to conduct audits, perform coding reviews, etc.
- Lawyers
- Medical equipment service companies handling equipment that holds PHI
- Translator services
- Shredding services
- File sharing vendors
- Information Technology vendors
According to HHS, Covered Entities may only disclose PHI to an entity to help carry out its healthcare functions, not for the Business Associate’s independent use or purposes. For example, a Business Associate/Subcontractor cannot use the PHI from the Covered Entity for its own email campaign.
VIOLATION #7: Failure to conduct an organization-wide risk analysis
The foundational element of the HIPAA Security Rule is the risk analysis required to achieve compliance.
Let’s take a look at the requirement as outlined by the Department of Health and Human Services (HHS), which is responsible for regulating HIPAA compliance.
"The Security Management Process standard in the Security Rule requires organizations to '[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.' (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]."
So, what exactly is a risk analysis? It is a detailed examination of your organization's vulnerabilities. It is used to help your organization identify any areas within your organization that could affect the confidentiality, integrity, and availability of ePHI, or in other words, any areas that put protected health information (PHI) at risk.
Saturn Partners can help find where you could be vulnerable. Learn more >>
Some important things to note:
There is no one-size-fits-all method for addressing the risk analysis requirement.
All organizations have unique characteristics and environments. The methodology for organizations may vary depending on their “size, complexity, and capabilities”, as stated by HHS.
There is no specified time period for performing a risk analysis.
As you can see outlined in the requirement above, the Security Rule does not say “you only need to perform one risk analysis”, and likewise, it doesn’t tell us that we need to perform three per year. So, how do we know when to perform one? Risk analysis should be an ongoing process. HIPAA Secure Now! recommends conducting a risk analysis on an annual basis as well as anytime the organization introduces new technology, changes practices, or suffers a security incident. Saturn Partners offers and advocates for quarterly testing and analysis. Learn more about how we can help >>
Once your organization has conducted a risk analysis, that doesn’t mean the work is done. The outcome of the analysis will show you where there are vulnerabilities in your organization that could pose a risk to ePHI – and then it’s up to your organization to fix them. HIPAA Secure Now! recommends working with a vendor who offers a remediation plan as part of your risk analysis, so your organization knows where to focus their efforts first – on the most critical risks.
VIOLATION #8: Failure to Report a Data Breach
Failure to comply with HIPAA can also result in civil and criminal penalties. If a complaint describes an action that could be a violation of the criminal provision of HIPAA, The Department of Health and Human Services Office for Civil Rights (OCR) may refer the complaint to the Department of Justice (DOJ) for investigation.
Civil violations
In cases of noncompliance where the covered entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties (CMPs) on the covered entity.
CMPs for HIPAA violations are determined based on a tiered civil penalty structure. The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The secretary is prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended at HHS’ discretion).
Penalties for civil violations (by violation category, penalty range per violation, and annual maximum for repeat violations):
- Unknowing: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations
- Reasonable cause: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations
- Willful neglect, but the violation is corrected within the required time period: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations
- Willful neglect, and the violation is not corrected within the required time period: $50,000 per violation, with an annual maximum of $1.5 million
Criminal penalties
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.
Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, can face a fine of up to $50,000, as well as imprisonment up to 1 year.
Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
VIOLATION #9: Denying or Delaying Patient Access to Health Records
Providing individuals with easy access to their health information empowers them to be more in control of decisions regarding their health and well-being. For example, individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and fix errors in their health records, track progress in wellness or disease management programs, and directly contribute their information to research. With the increasing use of and continued advances in health information technology, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Putting individuals "in the driver's seat" with respect to their health also is a key component of health reform and the movement to a more patient-centered health care system.
The regulations under the HIPAA act of 1996 have always recognized the importance of providing individuals with the ability to access and obtain a copy of their health information. With limited exceptions, the HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.
General Right
The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more "designated record sets" maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
Information Included in the Right of Access: The "Designated Record Set"
Individuals have a right to access PHI in a "designated record set." A "designated record set" is defined at 45 CFR 164.501 as a group of records maintained by or for a covered entity that comprises the:
- Medical records and billing records about individuals maintained by or for a covered health care provider
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan
- Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access
The term "record" means any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a covered entity.
Thus, individuals have a right to a broad array of health information about themselves maintained by or for covered entities, including: medical records; billing and payment records; insurance information; clinical laboratory test results; medical images, such as X-rays; wellness and disease management program files; and clinical case notes; among other information used to make decisions about individuals. In responding to a request for access, a covered entity is not, however, required to create new information, such as explanatory materials or analyses, that does not already exist in the designated record set.
VIOLATION #10: Lack of HIPAA Certified Employee Training
The transition of protected health information (PHI) and personal health information, or consumer health information, to the cloud has made healthcare providers an increasingly popular target for cyber attacks. Over 40 million individuals had their medical records appear in data breaches in 2021! Although most people think of hacking as criminals forcing their way through security systems, research from Stanford found that 88% of data breaches happen as a result of human error.
The nature of healthcare data makes it extremely sensitive information. Since most breaches happen because of internal mistakes, one would expect that healthcare worker cybersecurity training is assigned to every employee with access to health data, but that is not the case. Data from Osterman Research found that a whopping 24% of healthcare workers were not offered security awareness training at their workplace!
Untrained Healthcare Employees Represent Significant Risk
These low training rates mean that nearly a quarter of healthcare employees may not be aware of what constitutes risky behavior that increases the likelihood of a breach. In today's connected world, all staff members should be aware of data protection and cybersecurity best practices.
The survey covered 1,000 employees from multiple industries and revealed a shocking lack of cybersecurity awareness in the healthcare industry. Many healthcare workers were completely unaware of modern security threats that allow unauthorized access to private data. Only 16% of healthcare workers reported understanding social engineering threats such as phishing “very well”. This is a huge risk for anyone with personal health information stored online. Just one untrained employee at a healthcare organization can ruin security for everyone.
This Lack of Training Affects Healthcare Organizations' HIPAA Compliance
One of the most disturbing implications of these findings is that many healthcare organizations are most likely violating HIPAA. The HIPAA security rule mandates that healthcare professionals who come into contact with protected health information undergo security awareness training. Healthcare organizations that do not mandate training are putting all of their patient information at risk.
The Department of Health and Human Services Office for Civil Rights (OCR) can impose penalties specifically for not training employees. Training is an administrative requirement under the security rule. New employees must be trained within 10 days of hire, so any healthcare organizations that do not immediately offer security awareness training could be subject to OCR penalties in the event a breach occurs.
Another scary revelation from the Osterman survey is that many employees were unaware of their responsibility to comply with various laws that regulate their industry. For example, only 61% of those surveyed were aware their organization had to comply with HIPAA. 20% knew their workplace did not need to comply, but the remaining 21% of respondents were unsure whether their employer had to abide by HIPAA regulations. That 21% of employees are a serious risk since being unsure of HIPAA status means they may not follow private health information disclosure requirements. An effective training program should make it clear to employees what regulations apply to them and the importance of staying compliant.
We know this is a lot of information to take in. Saturn Partners has been helping healthcare facilities stay HIPAA compliant for over 20 years. We’d love to help keep your hospital or healthcare facility compliant. Reach out >>