Horrifying HIPAA Violations – Learn How to Avoid Legal Nightmares

Editor’s Note: This post, originally written in October 2015 and updated in November 2018, October 2019 and now in October 2021, continues to share some of the worst tales of what can go wrong.

HIPAA compliance doesn’t have to be a nightmare—but it’s no walk in the park either. Compliance requires storing your physical and digital files securely. You’ll also have to make sure that personal files are not easily accessible by anyone in your office.

Additionally, here’s a new twist for the age of COVID-19: you’ll need to take special care with your employees’ individual vaccine statuses. Because while it’s OK to ask them if they’ve received the jab, it’s definitely a violation if you release their status with their name, as one Oregon agency accidentally did. Of course, if you slip up, there are big fines involved—and you may need to bring your company’s reputation back from the dead. In other words, while proper document management and data protection are always important, it’s even more so if you want to avoid frightening your staff and customers with a HIPAA violation horror story like the ones below.

Stolen Identities

The culprits: We’ve written about ways that you can reduce your risk of identity theft. But many people don’t realize that something as simple as the improper disposal of paper documents—such as leaving them in the recycling bin or trash rather than utilizing paper shredding services — can put your company at risk of identity theft and a HIPAA violation. A dumpster diver cost an Illinois firm a $100,000 fine, for example… After the business had already ceased operations. The consequence: Every two seconds, an identity is stolen in America. Medical identity theft is on the rise: In 2020, more than 45,000 cases of medical identity theft were reported to the FTC. Scary news when you consider that even a single HIPAA violation can cost your business up to $50,000.

Data Breaches

The culprits: Protecting your business from data leaks is more critical than ever. In 2020, there were a terrifying 642 data breaches of more than 500 records reported by healthcare providers, health plans, healthcare clearinghouses, and other businesses. That’s a 25% increase compared to 2019, which itself was a record-breaking year. The consequence: Fines for data leaks are usually $50,000 per HIPAA violation, with an annual maximum of $1.5 million. Data breaches compromise the security of your patients, cost your business hundreds of thousands of dollars, if not more, and irreparably damage your reputation. For example, Trinity Health, the victim of the largest breach of 2020—3.3 million records—now faces a class-action lawsuit. (Even worse, Trinity Health was caught in another breach in 2021!)

Information Leaks

The culprits: Surprisingly, insiders are often the ones doing the snooping—for example, when someone looks at medical records without authorization, or an authorized employee shares private information with unauthorized coworkers. (Yes, insider snooping still happens.) The consequence: If employers violate employee privacy, the same fines that are applicable to having a data leak of your client information are applicable to leaking information about your employees. Additionally, fines can be imposed against individuals and the company that discloses confidential information.

Reputation Damage

The culprits: If your company is found guilty of a HIPAA violation, by law you must disclose this information to anyone affected. That’s bad enough news, but it gets worse—news outlets love this type of story… Which means there’s a good chance of you making the headlines. That negative publicity could cause irreparable damage to your reputation (and even your stock price.) The consequence: When businesses receive bad publicity, this affects consumer confidence and can result in loss of revenue and jobs. The truth about data breaches is that 88% of customers will cut off business with companies that have committed a breach of privacy, and 75% of your remaining customers will consider leaving.

Patient Lawsuits

The culprits: Patients have the right under California law to access complete information, whenever they want it, about their medical condition and the care provided to them. If you don’t promptly release information to your patients, this is considered a HIPAA violation. The consequence: A patient can bring action against anyone who illegally denies them access to their own medical records. You and your company can then be charged and found guilty of a misdemeanor under California state law, and damages can be rewarded to the patient. Corodata’s HIPAA compliant online records center allows you to grant patients access to their medical records online.