Violation Of HIPAA Security Policy: Causes And Consequences

How important is it for you to stay out of jail? If you are a hard-working citizen, then going to jail is not even an option in your mind, just like it is not for me. However, you would be surprised how easy it is to end up in a 2×4 cell for something as simple as viewing confidential information outside the law. Maybe you heard that in 2010 a former employee of UCLA Medical Center in LA, Huping Zhou, was prosecuted, sentenced to 4 months of incarceration and fined $2,000. After he was let go, he continued to search the medical office database for patients’ confidential information illegally. Besides that, he even looked up information on celebrities such as Arnold Schwarzenegger, Tom Hanks, Drew Barrymore and Leonardo DiCaprio.

Yes, I know, you don’t want to know how healthy or unhealthy Hollywood stars are, but be careful: the Office for Civil Rights never sleeps! It conducts multiple investigations and penalizes violators every year. Watch out! You and I may become its next target if we do not act in accordance with HIPAA!

HIPAA violation fine standards

There are set standards for calculating HIPAA fines. The amount can range from $100 to $50,000 per violation. At the same time, the penalty may increase to $1,500,000 for each violation per year.

The extent of the penalty is regulated by tiers. There are four tiers:

  • An entity did not know about the breach and had no reasonable way of knowing: $100 to $50,000 per incident;
  • An entity knew of the violation, but did not commit the breach deliberately: $1,000 to $50,000 per incident;
  • An entity acted with a deliberate breach, but fixed the problem within 30 days of the lapse: $10,000 to $50,000 per incident;
  • An entity acted with a deliberate breach and did not correct the problem in a timely manner: $50,000 per incident.

Once again, we emphasize that in special cases the fine may increase to $1,500,000 for each breach per year.

Thus, the level of responsibility for breaches is very high. Because of this, patients’ personal information is confidential and must be kept well secured, and consequently their interests must be protected.

Examples of company penalties

Although compliance with the act is a legal obligation, it has been repeatedly violated by various companies. Here are examples of HIPAA violation fines in 2017:

  • Memorial Healthcare Systems: $5,500,000 for unauthorized access to the confidential information of 115,143 patients
  • Children’s Medical Center of Dallas: $3,200,000 for failing to protect patients’ personal data and not complying with OCR’s policy
  • CardioNet: $2,500,000 for potential non-compliance with the HIPAA Privacy and Security Rules
  • Memorial Hermann Health System (MHHS): $2,400,000 for failure to resolve possible HIPAA violations in a timely manner

If medical companies paid more attention to ensuring data security and confidential interaction with patients, these fines could easily have been avoided. Unfortunately, the institutions mentioned did not show such initiative and paid substantial fines as a result.

Practical steps to avoid penalties

All healthcare company owners want to avoid the loss and illegal use of patients’ information, as it is punishable under the act. It is important not just to dodge these fines, but to eliminate the probability of their occurrence altogether.

So, what needs to be done? The answer is obvious: make sure that patients’ personal data is completely safe and processed correctly and in a timely manner. The following questions need to be answered to analyze the current state of the company’s internal processes:

  • Where and how is the information stored?
  • How is this information used?
  • Who is responsible for the use of information?
  • Are there any risks of violation of patients’ personal data safety?

Given modern technology, information is for the most part stored on electronic devices. However, it is important to understand that electronically stored information must be protected from hacking, both external and internal. External hacking means the theft of personal information and illegal entry into the databases by outsiders; internal hacking means the same actions by an employee who is not authorized to perform them. Paper files must also be kept in a secure place.

Patients’ personal information may be used exclusively for its intended purpose: caring for them. This may seem absolutely obvious, but it is important to mention. Any action with customer data that does not serve this purpose is unacceptable. Where possible, all company operations should be recorded by automated systems.

Responsibility for storing and using patients’ personal data should be shared evenly between a supervisor and an employee. In case of violation or loss of data, both parties bear the responsibility. Such a policy will ensure safety and, furthermore, is in the best interest of all staff.

It is essential to assess the potential risks of violating patients’ rights. Risk assessment can be done by checking how closely employees’ work complies with HIPAA standards: review all the requirements of the act and check whether each one is met. It’s fairly simple.

To sum it all up, the loss and illegal use of patients’ personal data is flatly unacceptable. The HIPAA act was adopted in 1996 to prevent the cases mentioned above.

Complying with this act will not only avoid penalties, but also enhance the reputation of the company. Every company that violates the act gains a negative reputation, and, as you know, customers prefer reliable and stable companies.

Compliance with this act is not problematic. Its rules are absolute and clear: all that is required from the owners of the company is to bring their work activity in line with these requirements. Even if some spending is needed, it is necessary.

In our experience, preventing such violations requires specific software solutions. Two-step authentication, anti-phishing add-ons and protocol analyzers are perfect examples of such solutions. And this is the list of information that needs to stay confidential:

  • Patient personal data
  • Custom reporting
  • Electronic signatures
  • General accounting

Our main goal is to create a solution that will not only help you comply with the HIPAA act, but also the following:

Furthermore, the use of our solutions significantly improves the working process of any company, which certainly affects customer satisfaction.

So, HIPAA violations show how conscientious and responsible healthcare organizations are in conducting all confidential activities for their patients. Precautions essentially pay for themselves, and you cannot count their cost as wasted!