Lessons Learned from Real HIPAA Violation Cases: How to Avoid Making the Same Mistakes
Patient privacy is a big deal, and it is a crucial component of healthcare. The protection of patient information is heavily regulated by the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA requires healthcare providers, business associates, and all other related parties to protect Personal Health Information (PHI) and maintain the integrity, confidentiality, and availability of this data. Any entity that handles this information and does not comply with HIPAA regulations faces hefty penalties, legal action, and reputational damage.
In this article, we will examine real HIPAA violation cases to learn valuable lessons and avoid making the same mistakes. We hope that exploring several examples of HIPAA violations and understanding their consequences will help healthcare providers protect their businesses. Keep reading to find out more about the importance of safeguarding personal health information.
The Consequences of HIPAA Violations
Before listing the real-world cases, let’s briefly talk about the consequences of HIPAA violations in general. Failure to comply with HIPAA usually has severe and far-reaching consequences. In addition to the harm done to the patients whose PHI is compromised, organizations also face significant monetary penalties and damage to their businesses.
Fines and Penalties
Fines and penalties resulting from HIPAA violations are substantial and can affect a business to an extent from which it is hard to recover. The main authority that imposes financial penalties related to HIPAA is the HHS Office for Civil Rights (OCR). Although the penalties depend on the severity of the violation, the maximum amount can reach $1.5 million per violation. In some cases, the violation is so severe that criminal charges may follow the financial penalties.
Looking at real-world cases where penalties have been imposed, one of the most notable is the Rochester Medical Center case. In 2019, Rochester Medical Center settled for $3 million as a result of a data breach that exposed the PHI of over 100,000 patients.
Although it is far smaller than the Rochester case, another healthcare provider in Florida paid $500,000 to settle because it failed to provide timely breach notifications to the patients and to OCR. One thing we can take from this example is that a data breach is not the only thing that results in penalties; failing to report that breach is also considered a HIPAA violation.
Reputational Damage
HIPAA violations also drastically affect the reputation of a healthcare provider. Violations must be reported to OCR and, in some cases, to the media. A violation will also spread on social media as patients discuss it. Once the word is out, patients and partners of that healthcare business may lose trust in the organization.
Negative publicity and media coverage can further damage the organization’s reputation and lead to a loss of business in the future. One example of this is the 2015 HIPAA violation of Anthem Inc. (which we’ll cover in detail shortly); the breach received widespread media coverage and the company experienced a very significant loss of business.
Real-World Examples of HIPAA Violations
Examining a list of HIPAA violation cases where companies failed to comply with this regulation is critical to understanding their mistakes and learning how not to repeat them.
Anthem Inc., 2015
In 2015, Anthem Inc., which was one of the largest health insurance companies in the US at the time, suffered what is possibly the worst HIPAA violation in history. Its network was compromised, and this single breach exposed the PHI of nearly 80 million people. The attackers used stolen credentials to get into Anthem Inc.’s network. The compromised PHI included names, dates of birth, addresses, and even the Social Security numbers of the patients.
OCR fined Anthem $16 million for the breach and the compromised PHI. OCR also stated that Anthem Inc. failed to conduct regular enterprise-wide risk analysis and to use the proper measures (which are emphasized in HIPAA) to protect PHI. The breach also drew a lot of media attention, which badly damaged the Anthem Inc. brand.
Cottage Health System, 2013 - 2015
Cottage Health System, a California healthcare provider, experienced two data breaches that compromised its patients’ PHI. The first data breach happened back in 2013, and the second in 2015. In total, the PHI of 62,000 patients was compromised. The cause of these breaches was much simpler: unencrypted ePHI was mistakenly published on a public website by a third-party vendor.
The company was fined $3 million by the HHS OCR after these breaches. OCR argued that Cottage Health System failed to conduct an accurate risk analysis, to implement measures to fix vulnerabilities related to electronic PHI, and to work with its third-party vendor under a HIPAA-compliant business associate agreement.
Aetna, 2017
Aetna, a major health insurer, sent letters to 12,000 HIV patients in 2017. The envelopes of these letters had large, clear windows that revealed the HIV status of the patients. Unlike the other violations, this one did not result from a cyberattack but simply from Aetna’s lack of physical safeguards.
OCR fined Aetna $1.5 million for HIPAA violations related to its failure to implement administrative and physical measures to protect the PHI of its patients. HHS also stated that Aetna caused significant harm and distress to the affected customers.
Lessons Learned and How to Avoid Making the Same Mistakes
The cases mentioned above can help other organizations avoid making the same mistakes and stay compliant with HIPAA standards. Below, you’ll find some key lessons learned from the examples provided:
1-) Conduct an enterprise-wide risk analysis
As we saw in the Anthem Inc. and Cottage Health System cases, organizations must conduct an enterprise-wide risk analysis to identify their vulnerabilities, including those of their partners and third-party vendors. They also need to implement safeguards according to the findings of that analysis.
2-) Implement appropriate administrative, physical, and technical safeguards
The most important lesson from the Aetna case is that the technical side is not the only important aspect of a healthcare company’s measures. Organizations also need to adopt proper administrative and physical measures.
3-) Enter into a HIPAA-compliant business associate agreement
Organizations will always need third-party assistance or business partners. In the healthcare industry, they may have to exchange information with them to conduct their operations. The important thing here is entering into a HIPAA-compliant business associate agreement with every vendor that handles PHI.
4-) Train employees on HIPAA compliance
Employees are the first line of defense, but they are also a significant liability. Organizations must provide adequate training to their employees and emphasize the importance of protecting PHI. Employees need to know how to properly handle and safeguard health information.