What are the most common HIPAA violations?

m.metzger@thomsonreuters.com  /  March 19, 2021

Scholars believe the Hippocratic Oath was penned in Ionic Greek sometime between the third and fifth centuries B.C. Its principles are still in effect today, including: treat the sick to the best of your ability, teach medicine to the next generation and preserve patient privacy.

Patient privacy continues to be a foundation of medicine today. It’s central in the American Medical Association’s Code of Ethics and the Health Insurance Portability and Accountability Act (HIPAA).

Civil penalties

The AMA describes HIPAA as “guardrails for the sharing and use of patient health information” between health care providers. Going over or around those boundaries can result in a wide range of civil penalties, however, from $100 for an “unknowing” violation all the way to $1.5 million for “willful neglect.”

The OCR also refers alleged criminal violations to the Department of Justice for investigation.

Criminal penalties

According to the AMA, entities that unlawfully obtain or disclose identifiable health information can face a fine of up to $50,000 and up to a year in federal prison.

The possible penalties for violations committed under false pretenses are even harsher: a fine of up to $100,000 and up to five years behind bars.

The sale, transfer or use of “individually identifiable health information for commercial advantage, personal gain or malicious harm,” can mean a $250,000 fine and up to 10 years in prison.

Most common violations

The federal government’s Department of Health and Human Services’ Office for Civil Rights (OCR) enforces HIPAA privacy rules compliance. The OCR says the most common compliance issues in HIPAA complaints are the following:

  • Impermissible use and disclosure of protected health information
  • Lack of safeguards for protected information (including in digital form)
  • Lack of patient access to their own protected health information
  • Use or disclosure of more than the minimum necessary of protected information

The OCR says hospitals are the most frequent violators of HIPAA privacy regulations, followed by physicians and private practices and then outpatient facilities, pharmacies and insurers.