Common HIPAA Violations
Failure to adhere to the authorization expiration date - Patients can set a date when their authorization expires. A violation would be releasing confidential records after that date.
Failure to promptly release information to patients - Under HIPAA's right of access, a patient who requests copies of their medical records must receive them within the regulatory deadline (generally 30 days), in electronic form if the records are kept electronically and the patient asks for that form.
Improper disposal of patient records - Paper records must be shredded or otherwise destroyed before disposal, and electronic media holding records must be wiped or physically destroyed; discarding intact records is a violation.
Insider snooping - This refers to employees looking into the medical records of family members, co-workers or other patients they are not treating, without authorization or a work-related need. It is controlled with individual logins (no shared accounts), role-based access limited to a user's own patients or unit, and access logs that are actually reviewed for unusual lookups.
Missing patient signature - Any HIPAA authorization form without the patient's signature is invalid, so releasing information on the basis of an unsigned form is a violation.
Releasing information to an undesignated party - Only the exact person listed on the authorization form may receive patient information.
Releasing unauthorized health information - This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.
Releasing the wrong patient's information - Through a careless mistake, a record is released to or about the wrong patient. This often happens when two patients have the same or a similar name, which is why a second identifier (such as date of birth) should be checked before release.
Right to revoke clause - Any authorization form a patient signs must include a statement of the patient's right to revoke it; without that clause the form is invalid, and any information released to a third party on the basis of it would violate HIPAA regulations.
Unprotected storage of private health information - The classic example is a stolen laptop. Private health information stored electronically must be kept on a secured, encrypted device, whether a laptop, a USB thumb drive or any other mobile device. Loss of an unencrypted device holding PHI is generally a reportable breach; loss of a properly encrypted one generally is not.
Unencrypted email of private health information - An example is sending PHI by unencrypted email without a signed patient authorization permitting unencrypted email on file in the patient's EMR chart. See HIPAA Forms.
Scenarios that Violate HIPAA
Telling friends or relatives about patients in the hospital
Discussing private health information in public areas of the hospital, including the lobby of a hospital, an elevator or the cafeteria
Discussing private health information over the phone in a public area
Not logging off your computer or a computer system that contains private health information
Exceeding "need to know": a security guard in a healthcare institution needs the name and room number of patients to direct visitors, and that is allowed; disclosing any other information to the guard, such as diagnosis or treatment, is a violation.
Exceeding "need to know": a nurse needs access to private health information for the patients on his or her unit, but looking up patients on other units is a violation.
Exceeding "minimum necessary": a health insurance company needs information about the number of visits the customer had, but is not allowed to view the entire patient history.
Allowing members of the media to interview a patient in a substance abuse facility
Including private health information in an unencrypted email sent over the Internet
Releasing information about minors without the consent of a parent or guardian
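The "need to know" and "minimum necessary" scenarios above, and the insider-snooping item in the violations list, describe an access-control policy that can be enforced and audited in code. The following is an added example written for this page, not code from the page or from any EMR product: the role names, field names, log format and patient records are all constructed assumptions. It filters a record down to the fields a role may see, refuses lookups with no need to know (a nurse outside her unit, a role with no policy), and replays an access log through the same rule to surface snooping candidates for review.

```python
from dataclasses import dataclass
from typing import Optional

# Field sets per role, modelled on the page's three examples (guard, nurse, insurer).
# Role and field names are assumptions for this example, not HIPAA terms.
MINIMUM_NECESSARY = {
    "security_guard": {"name", "room"},                        # enough to direct a visitor
    "nurse": {"name", "room", "unit", "diagnosis", "treatment"},
    "insurer": {"name", "visit_count"},                        # counts, not the whole history
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    unit: Optional[str] = None  # nurses are assigned a unit; other roles are not

# Constructed sample records; every name and value is fictional.
RECORDS = {
    "P001": {"name": "Pat Example", "room": "3B-12", "unit": "3B",
             "diagnosis": "pneumonia", "treatment": "IV antibiotics", "visit_count": 4},
    "P002": {"name": "Sam Sample", "room": "5A-03", "unit": "5A",
             "diagnosis": "fracture", "treatment": "cast", "visit_count": 1},
}

class AccessDenied(Exception):
    pass

def need_to_know(user: User, record: dict) -> bool:
    """Need-to-know check: a nurse may see only patients on his or her unit;
    roles without a policy entry get nothing at all."""
    if user.role not in MINIMUM_NECESSARY:
        return False
    if user.role == "nurse":
        return user.unit is not None and user.unit == record["unit"]
    return True

def fetch_record(user: User, patient_id: str, records=RECORDS) -> dict:
    """Return only the minimum-necessary fields for the user's role, or refuse."""
    record = records[patient_id]
    if not need_to_know(user, record):
        raise AccessDenied(f"{user.user_id} ({user.role}) has no need to know {patient_id}")
    allowed = MINIMUM_NECESSARY[user.role]
    return {field: value for field, value in record.items() if field in allowed}

# Constructed access-log lines in an assumed key=value format (not a real EMR log format).
ACCESS_LOG = """\
2024-05-01T08:02:11Z user=n42 patient=P001 action=view
2024-05-01T08:05:40Z user=n42 patient=P002 action=view
2024-05-01T09:10:03Z user=g07 patient=P001 action=view
2024-05-01T12:30:27Z user=x99 patient=P002 action=view
"""

USERS = {
    "n42": User("n42", "nurse", unit="3B"),
    "g07": User("g07", "security_guard"),
    "x99": User("x99", "billing_clerk"),  # a role with no defined need-to-know policy
}

def parse_log_line(line: str) -> dict:
    ts, *pairs = line.split()
    entry = dict(pair.split("=", 1) for pair in pairs)
    entry["ts"] = ts
    return entry

def flag_snooping(log_text: str, users=USERS, records=RECORDS) -> list:
    """Replay the access log against the need-to-know rule; every access that
    would have been refused is a snooping candidate for the privacy officer."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        user = users.get(entry["user"])
        record = records.get(entry["patient"])
        if user is None or record is None:
            flagged.append((entry["ts"], entry["user"], entry["patient"], "unknown user or patient"))
        elif not need_to_know(user, record):
            reason = "out-of-unit access" if user.role == "nurse" else "role has no need to know"
            flagged.append((entry["ts"], entry["user"], entry["patient"], reason))
    return flagged

if __name__ == "__main__":
    print(fetch_record(USERS["g07"], "P001"))  # guard sees name and room only
    for hit in flag_snooping(ACCESS_LOG):
        print("FLAG", hit)
```

In the sample log the nurse on unit 3B viewing a unit 5A patient and the billing clerk with no policy are both flagged, while the guard's lookup passes. In a real system the same rule should sit in the application's data layer, so that "clearance levels" are enforced on every query rather than only checked after the fact in the audit.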
When is a violation of HIPAA criminal?
In short, a person who knowingly and in violation of the HIPAA rules does one or more of the following exposes themselves to criminal prosecution under HIPAA:
Use or cause to be used a unique health identifier,
Obtain individually identifiable health information relating to an individual, or
Disclose individually identifiable health information to another person.
If convicted, the level of punishment depends on the seriousness of the offense:
Fine of up to $50,000 and/or imprisonment for up to a year for a simple violation
Fine up to $100,000 and/or imprisonment up to five years if the offense is committed under false pretenses
A fine of up to $250,000 and/or imprisonment up to ten years for offenses committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.