12 examples of unintentional HIPAA violations

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 with the goal of keeping individuals’ health information, known as protected health information (PHI), private.

According to the Centers for Disease Control and Prevention (CDC), the law created “national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” Patient data that’s included in digital information and paper documents, as well as conversations about PHI, must be kept confidential.

Since the law was established, there have been hundreds of thousands of registered complaints about HIPAA violations, and while it’s hard to know how many of these violations have been accidental, unintentional HIPAA violations can nevertheless carry serious penalties.

This article will

• Define what an accidental HIPAA violation is
• Share the most common examples of unintentional HIPAA violations
• Consider strategies and best practices for preventing unintentional HIPAA violations
• Discuss how your organization can use Jotform’s healthcare templates and data-collection tools to keep patient information secure and confidential

What is an accidental HIPAA violation?

An accidental HIPAA violation occurs when a patient’s protected health information (PHI) is accessed or disclosed unintentionally, compromising the patient’s privacy. PHI includes medical records, test results, prescriptions, and any other identifiable information related to a person’s treatment, health condition, or status.

It also includes social security numbers, email addresses, phone numbers, names, birth dates, health plan beneficiary numbers, and so on. If health data includes identifiable information related to a patient, it falls under the definition of PHI.

What are some examples of unintentional HIPAA violations?

The most common accidental HIPAA violations occur as a result of inadvertently sharing PHI and violating HIPAA rules due to a lack of proper training.

Here are a few unintentional HIPAA violations to watch out for:

1. Improperly disposing of PHI

Identifiable patient information placed in trash receptacles or recycle bins can lead to unauthorized disclosure. Instead, PHI should be placed in secure containers to be shredded or otherwise destroyed. This also applies to electronic devices, which must be securely wiped if they’re destined for disposal.

2. Accidentally sharing PHI via email or social media

This is a common HIPAA violation that often occurs when a healthcare provider or staff member shares patient information on a social media platform that may seem innocent but can nevertheless violate HIPAA rules.

For example, if a healthcare practitioner shares a photo of a patient on Facebook with a caption about the patient’s successful treatment or shares a photo of staff that includes a computer screen displaying patient information, they’ve violated HIPAA rules. Sharing this kind of information via email, even if the intent is good, may also be considered a HIPAA violation.

However, a healthcare provider or organization may share PHI in this manner if they have obtained written permission from the patient to do so.

3. Sending emails containing PHI to the wrong address

Accidentally emailing patient information to the wrong person is a violation. This is considered unauthorized access to protected patient data if the email recipient isn’t authorized to view the patient’s information.

4. Sending physical mail to the wrong address

As with email, sending hard copies of patient records, billing statements, or other PHI to the wrong address can be a HIPAA violation.

5. Faxing sensitive patient information in error

Similar to sending information to the wrong email or physical address, accidentally faxing PHI to the wrong fax number can violate HIPAA. This is also the case if unauthorized individuals at the correct fax number see the information.

6. Losing control of unencrypted devices containing PHI

Stolen or lost laptops, smartphones, and any other unencrypted devices that contain identifiable patient information can lead to accidental disclosure of PHI to unauthorized individuals. This often happens as a result of healthcare organizations allowing staff members to use their personal devices at work.

7. Employees accessing information without authorization out of curiosity or by mistake

When practitioners or staff access protected patient information without a valid medical reason, whether out of curiosity or by mistake, they violate patient privacy and confidentiality.

8. Overlooking the minimum necessary information standard

The minimum necessary information standard requires that the use and disclosure of PHI be restricted to “the minimum amount necessary to achieve the purpose for which it is being used, requested, or disclosed.” For example, a healthcare provider may need access to a patient’s medical records, but they don’t need their Social Security number or other similar details. When these details are accidentally disclosed, the minimum necessary information standard has been violated.

9. Not securing patient information

PHI that’s not securely stored can result in a violation — for example, accidentally leaving protected patient information in a public location like the hospital cafeteria or any other place where an unauthorized individual could access it. This also applies to transmitting PHI over an unsecured Wi-Fi network, using unencrypted personal devices or USB drives to download patient information, and sharing PHI through text messaging.

10. Not logging out of computers

An unlocked computer screen, or one that someone hasn’t properly logged out of before stepping away from a workstation, can result in unauthorized access to PHI and an unintentional HIPAA violation.

11. Not providing adequate employee training

HIPAA compliance requirements include training healthcare employees about the proper privacy, security, and confidentiality practices regarding PHI. Lack of such training often results in unintentional violations because employees are unaware of appropriate HIPAA rules and regulations.

12. Accidentally disclosing PHI in conversation

Sharing protected health information in public areas where others may overhear can result in an unintended violation. For example, in a room where other patients are present, in a hospital cafeteria, in the lobby of a physician’s practice, and so on.

Other unintentional HIPAA violations include but aren’t limited to

• Failing to provide a notice of privacy practices
• Neglecting to obtain business associate agreements (BAAs) for entities that provide services to healthcare providers, such as X-ray technicians, pharmacy benefits managers, medical transcriptionists, and so on
• Adding clients to newsletter lists (such as a therapy practice) without their consent

What happens if you accidentally violate HIPAA?

Although the violations above are accidental, they may still carry penalties, depending on their severity and other factors. Unintentional HIPAA violations can result in fines, sanctions, and employment termination, as well as reputational harm and loss of patient trust.

According to The HIPAA Journal, violations are typically classified into four tiers (the dollar amounts are as of the time of this writing):

• Tier 1: The violation occurred unknowingly, and the person responsible would have acted differently if they had known it was a violation. The minimum penalty per violation is $137.
• Tier 2: The violation occurred as a result of reasonable cause, but it didn’t constitute “willful neglect” of HIPAA rules. The minimum penalty per violation is $1,379.
• Tier 3: The violation occurred due to willful neglect of HIPAA rules, but it was ultimately corrected. The minimum penalty per violation is $13,785.
• Tier 4:The violation occurred due to willful neglect, and it wasn’t corrected within 30 days. The minimum penalty per violation is $68,928.

What are some strategies and best practices for preventing unintentional HIPAA violations?

Organizations can prevent unintentional HIPAA violations. One of the best strategies is to implement robust security awareness and training about HIPAA rules and regulations. It’s important to provide training to contractors and volunteers, in addition to employees.

In addition to regular staff training, you should also consider the following:

• Implementing strict access controls
• Using encryption
• Performing a comprehensive risk analysis at least once a year
• Confirming that any third party you disclose PHI to is also equipped to protect patient data
• Creating unambiguous policies about technology and social media use and sharing them in a public, easily accessible place
• Assigning a privacy and compliance officer who can answer questions, provide training, and conduct risk assessments
• Establishing clear protocols for handling and sharing PHI, such as
  • Not using personal devices for work
  • Not leaving computers, other devices, or physical files unattended
  • Not sharing login credentials or passwords
  • Not texting patient information
  • Not connecting with or following caregivers or patients on social media
  • Being careful about where patient care or information is discussed so unauthorized individuals can’t accidentally overhear PHI

Frequently asked questions (FAQs)

• What happens if you violate HIPAA accidentally and nobody notices?

  Because a HIPAA violation can cause harm, even if it’s unintentional and no one notices, it should still be reported to the Privacy Officer at your healthcare organization. This person should determine what actions need to be taken. Reporting the violation can flag circumstances that need to be addressed and help keep further violations from occurring.

• What consequences can result from unintentional HIPAA violations?

  As previously mentioned, unintentional HIPAA violations may result in fines, sanctions, and other penalties for both employee and employer, depending on the severity of the violation. If an employee doesn’t have a history of HIPAA violations, they may not lose their job.

• Are verbal disclosures considered unintentional HIPAA violations?

  According to The HIPAA Journal, “an incidental disclosure is not considered to be a violation of HIPAA by OCR if the disclosure could not reasonably be prevented, if it was limited in nature, and if it occurs as a result of a disclosure permitted by the Privacy Rule.” That said, verbal disclosures during which healthcare practitioners discuss PHI and that unauthorized individuals can overhear are considered unintentional HIPAA violations.

How can Jotform’s HIPAA-friendly tools help?

Jotform’s healthcare templates and data-collection tools are designed with security and compliance in mind, which makes them ideal for assisting healthcare providers in avoiding HIPAA violations.

For example, Jotform’s HIPAA-friendly forms help ensure that your organization can collect, store, and manage personal health information securely. They also can help you to adhere to the requirements of healthcare regulations.The data collected is stored on secure servers that comply with HIPAA security standards, which ensures protection of patient information against unauthorized access and breaches.

Healthcare organizations on Jotform’s Enterprise plan can manage and control access to sensitive data by configuring user permissions within Jotform. This helps prevent unauthorized personnel from accessing patient information, reducing the risk of accidental disclosures.

Our HIPAA forms are loaded with powerful features to help you collect and manage sensitive patient information. Learn more about our HIPAA-friendly form features.

Need healthcare templates? We offer a collection of online healthcare form templates that make it easier to register new patients and gather information about their medical history. Our online Form Builder provides healthcare practitioners with a variety of widgets, applications, and themes to enhance patient engagement and enable better communication between patient and provider.

Our healthcare table templates allow you to track patient progress, schedule medication times, log blood sugar levels, and more. Simply choose the template that best suits your needs, customize it, and enter patient or medication information directly into the table. You can also have patients fill out the form attached to your table. Submissions will appear in your table automatically.

Our free healthcare app templates allow your employees to collect data seamlessly. Each app can be downloaded onto any desktop or mobile device, so your team can easily collect patient medical history, consent forms, e-signatures, appointments, and more directly from an office smartphone, tablet, or computer. You can customize the design of your app with our drag-and-drop builder by adding your logo, updating the background image or app icon, adding or removing forms, or making other changes in seconds.

You can also automate your healthcare organization’s approval process with our free approval templates for healthcare. When you receive a submission through your online medical forms, it will be forwarded to the first person in your approval flow, who can then approve, deny, or forward the request. You can customize your chosen template by adding approvers, merging branches, setting up notifications, personalizing emails, and more.

Finally, we know that healthcare providers require additional security to protect confidential patient information, so we created Jotform Enterprise’s HIPAA solutions.* Build online forms that collect and keep sensitive patient information private — the easy way.

*HIPAA features are available only on Jotform’s Gold and Enterprise plans.

The info in this article is offered for your convenience and information. It does not constitute legal advice.

Photo by Andrea Piacquadio