HIPAA violation examples in the workplace

12 of February, 2021

In the United States, you are subject to HIPAA compliance at the workplace. HIPAA (Health Insurance Portability and Accountability Act) is about protecting patient employee or customer privacy and sensitive medial record information known as Protected Health Information. In this article, we take you through the implications both as an administrative worker in the medical profession but also as an employer to learn about HIPAA violation examples.

Who does HIPAA apply to

The HIPAA Act clearly states which parties are subject to the HIPAA Act’s rules on protecting sensitive medical information. The parties are the following:

• Healthcare providers and services, such as doctors, psychologists, physiotherapists, pharmacies, dentists, etc.
• Organizations that relate to healthcare insurance, including the actual healthcare insurance providers, HMOs as well as private businesses who have their own health insurance scheme.
• Government healthcare organizations.
• Healthcare clearinghouses, which act as middle men between insurance companies and healthcare organizations.
• Business associates of these covered entities.

HIPAA violation examples

• Releasing the medical information of a patient or employee in a public statement without consent is a violation of the Act. Companies, including non-medical ones, have received fines ranging in the millions for this violation.
• Denying access to patients who request information about their health records is also a violation of the HIPAA Right of Access section. This access must be granted to the patient or employee within 30 days or you will be in violation of the deadline,

The types of information that are protected include :

• Medical test results, including a Covid-19 or other pandemic-related test.
• Any individual’s treatment history or history of medical absences (information relating to the diagnosis)
• Any information in relation to prescribed drugs taken
• All the Health insurance provider’s retained information relating to the patient or employee’s medical history.

A difficult question as sometimes organizations simply violate the HIPAA without noticing and thus some clemency comes into play. This is where legal concepts such as “reasonable cause” or “willful neglect” can enter into the legal discussion. Overall though there are 4 tiers of violations you need to know:

• Tier 1 Violations: your business or health organization was unaware of the HIPAA violation. Through the concept of due diligence you can reasonably argue that you could not have known that HIPAA was violated. With this you can risk a fine of up to $50,000 per violation but a maximum fine of $25,000 dollars per year.
• Tier 2 Violations: You have reasonable cause to have known about the violation
• Tier 3 Violations : You willfully neglected as a business to follow HIPAA Rules but you corrected the problem within 30 days of discovery. You can be fined from $10.000 to $50.000 per violation and maximum $250.000 a year.
• Tier 4 Violations : You willfully neglected the HIPAA rules and then made no effort to correct this when discovered. You can incur the maximum penalty: a $1.5 million dollar fine over the whole year.