Violation Of HIPAA Security Policy: Causes And Consequences

How important is it for you to stay out of jail? If you are a hard-working citizen then going to jail is not even an option, just like it is not for me. However, you will be surprised how easy it is to end up in a 2×4 cell for something as simple as viewing confidential information in violation of HIPAA. Maybe you heard that in 2010 a former employee of UCLA Medical Center in LA, Huping Zhou, was prosecuted, sentenced to 4 months and fined $2,000. After he was let go, he continued to search the medical office database for patients’ confidential information illegally. On top of that, he looked up information on celebrities such as Arnold Schwarzenegger, Tom Hanks, Drew Barrymore and Leonardo DiCaprio.

Yes, I know, you don’t care how healthy or unhealthy Hollywood stars are, but be careful: the Office for Civil Rights (OCR) never sleeps! It conducts multiple investigations and penalizes violators on a regular basis. Watch out! You and I may become its next target if we do not act in accordance with HIPAA!

Standards for HIPAA violation fines

There are certain standards for calculating HIPAA fines. The amount can range from $100 to $50,000 per violation, and in aggregate the penalty may increase to $1,500,000.

The penalty extent is regulated by tiers. There are four of them:

  • The entity did not know of the breach and could not reasonably have known of it – $100 to $50,000 per incident;
  • The entity knew of the violation, but it was not the result of willful neglect – $1,000 to $50,000 per incident;
  • The entity acted with willful neglect, but corrected the problem within 30 days – $10,000 to $50,000 per incident;
  • The entity acted with willful neglect and did not correct the problem in a timely manner – $50,000 per incident.

Once again, we emphasize that, in special cases, the fine may increase to $1,500,000 per year for each breach.

Thus, the liability for breaches is very high. Patients’ personal information is confidential and must be kept well secured so that their interests are protected.

Examples of company penalties

Despite the seriousness of compliance with the act, it has been repeatedly violated by various companies. Here are examples of HIPAA violation fines from 2017:

  • Memorial Healthcare Systems – $5,500,000 for the unauthorized access of confidential information of 115,143 patients
  • Children’s Medical Center of Dallas – $3,200,000 for failing to protect patients’ personal data and not complying with OCR’s policy
  • CardioNet – $2,500,000 for potential non-compliance with the HIPAA Privacy and Security Rules
  • Memorial Hermann Health System (MHHS) – $2,400,000 for failure to resolve possible HIPAA violations in a timely manner

If only medical companies paid more attention to ensuring data security and confidential interaction with patients, these fines could easily be avoided. Unfortunately, businesses that don’t take the issue seriously end up paying substantial fines.

Practical steps to avoid penalties

All healthcare company owners want to avoid the loss and illegal use of patients’ information. The aim is not just to dodge these fines, but to eliminate the probability of their occurrence altogether.

So, what needs to be done? The answer is obvious: make sure that patients’ personal data is completely safe and processed correctly and in a timely manner. The following questions need to be answered to analyze the current state of the company’s internal processes:

  • Where and how is the information stored?
  • How is this information used?
  • Who is responsible for the use of the information?
  • Are there any risks to the safety of patients’ personal data?

With modern technology, information is for the most part stored electronically. It is important to understand that electronically stored information must be protected from both external and internal attack. An external attack means theft of personal information and unauthorized entry into the databases from outside; an internal attack means the same thing done by a dishonest employee. Paper files must likewise be kept in a secure place.

The personal information of patients may be used only for its intended purpose, which is caring for them. This may seem absolutely obvious, but it is important to mention. Any use of patient data outside that purpose is unacceptable. Wherever possible, every operation on that data should be recorded by automated systems.
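An automated record is only useful if someone reviews it. The script below is an added example (not code from the original article or from any vendor product) of the review step: it reads a PHI access log and flags the two patterns this article describes, an employee still querying records after being let go (the UCLA case above) and staff looking at patients they have no treatment relationship with, plus a simple high-volume check. The log format (timestamp,user,patient_id,action), the staff roster, the care-team assignments and every log line are constructed sample data and assumptions, not a real EHR export.

```python
"""Review a PHI access log for internal-misuse patterns (added example, constructed data)."""
from collections import defaultdict
from datetime import date, datetime

# Constructed staff roster: user -> date the account was (or should have been) disabled,
# None for current staff. "clerk_c" was let go on 1 March.
TERMINATED = {
    "nurse_a": None,
    "dr_b": None,
    "clerk_c": date(2024, 3, 1),
}

# Constructed treatment relationships: user -> set of patients assigned to them.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "dr_b": {"P1001", "P1003"},
    "clerk_c": {"P1002"},
}

# Constructed audit log, one record per line: timestamp,user,patient_id,action
ACCESS_LOG = """\
2024-02-28T09:12:00,nurse_a,P1001,view_chart
2024-02-28T09:30:00,dr_b,P1003,view_chart
2024-02-28T10:05:00,nurse_a,P1003,view_chart
2024-03-04T22:41:00,clerk_c,P1002,view_chart
2024-03-04T22:43:00,clerk_c,P9001,search
2024-03-04T22:44:00,clerk_c,P9002,search
2024-03-04T22:45:00,clerk_c,P9003,search
"""

# Assumed threshold of distinct patients per user per day; tune to the organisation's baseline.
DISTINCT_PATIENT_THRESHOLD = 3


def parse_log(text):
    """Parse the constructed CSV-style log into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # malformed line: skip it rather than abort the whole review
        ts, user, patient, action = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "patient": patient,
            "action": action,
        })
    return records


def review_access(records, terminated=TERMINATED, care_team=CARE_TEAM,
                  threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return a list of (rule, user, detail) findings.

    terminated_access - access on or after the user's termination date
    no_treatment_rel  - access to a patient outside the user's care team
    high_volume       - more distinct patients in one day than the threshold
    """
    findings = []
    per_user_day = defaultdict(set)
    for r in records:
        user, patient, day = r["user"], r["patient"], r["ts"].date()
        detail = f"{r['ts'].isoformat()} {r['action']} {patient}"
        end = terminated.get(user)
        if end is not None and day >= end:
            findings.append(("terminated_access", user, detail))
        if patient not in care_team.get(user, set()):
            findings.append(("no_treatment_rel", user, detail))
        per_user_day[(user, day)].add(patient)
    for (user, day), patients in per_user_day.items():
        if len(patients) > threshold:
            findings.append(("high_volume", user,
                             f"{day.isoformat()} touched {len(patients)} distinct patients"))
    return findings


def summarize(findings):
    """Count findings per (rule, user) so a reviewer knows who to follow up with first."""
    counts = defaultdict(int)
    for rule, user, _ in findings:
        counts[(rule, user)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review_access(parse_log(ACCESS_LOG))
    for rule, user, detail in found:
        print(f"{rule:18} {user:8} {detail}")
    print(summarize(found))
```

On the constructed log this reports one out-of-care-team lookup by nurse_a and, for clerk_c, four accesses after the termination date, three lookups of patients outside the care team and one high-volume day. The point of the roster check is that it catches the case where HR processed the departure but nobody disabled the account; the care-team check enforces the "intended purpose only" rule from the paragraph above.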

Responsibility for storing and using patients’ personal data should be shared evenly between a supervisor and an employee. In case of violation or loss of data, both parties bear responsibility. Such a policy improves safety and is also in the best interest of the staff.

It is essential to assess the potential risks of violating patients’ rights. Risk assessment can be done by comparing how employees actually work against the HIPAA standards: review all the requirements of the act and check each one properly. It’s fairly simple.


To sum it all up, the loss and illegal use of patients’ personal data is flatly unacceptable. The HIPAA act was adopted in 1996 to prevent exactly the cases mentioned above.

Complying with this act not only avoids penalties but also enhances the company’s reputation, while violators of the act acquire a negative reputation. As you know, customers prefer reliable and stable companies.

Compliance with this act is not difficult. Its rules are clear and absolute: all that is required of company owners is to bring their operations in line with these requirements. Even where this means some spending, that spending is necessary.

In our experience, specific software solutions are a must for preventing such violations; two-step authentication, anti-phishing add-ons and protocol analyzers are good examples. The following information needs to stay confidential:

  • Patient personal data
  • Custom reporting
  • Electronic signatures
  • General accounting

Our main goal is to create a solution that will not only help you comply with the HIPAA act, but also the following:

Furthermore, the use of our solutions significantly improves the working processes of any company, which certainly affects customer satisfaction.

So, HIPAA violations show how conscientiously and responsibly healthcare organizations handle their patients’ confidential information. Precautions essentially pay for themselves, and the money spent on them is never wasted!