The most common HIPAA violations that have resulted in financial penalties are:
1. The failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI);
2. The failure to enter into a HIPAA-compliant business associate agreement;
3. Impermissible disclosures of PHI;
4. Delayed breach notifications;
5. Failure to safeguard PHI.
The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules.
This section covers 10 of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.
Are Data Breaches HIPAA Violations?
Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that organizations are being targeted by cyber criminals and that it is not possible to implement impregnable security defenses.
Being HIPAA compliant is not about making sure that data breaches never happen. HIPAA compliance is about reducing risk to an appropriate and acceptable level. Just because an organization experiences a data breach, it does not mean the breach was the result of a HIPAA violation.
Many data breaches are investigated by OCR and are found not to involve any violations of HIPAA Rules. Consequently, the investigations are closed without any action being taken.