

Is there a difference between a HIPAA violation and a HIPAA breach?


The short answer is yes, there is a difference between a HIPAA violation and a HIPAA breach. Knowing what qualifies as a violation versus a breach enables providers to better safeguard patients’ sensitive information. Moreover, understanding these vulnerabilities helps healthcare organizations be HIPAA compliant, lower legal risks, and focus more on patient care.

HIPAA sets out the rules and regulations surrounding the use and disclosure of protected health information (PHI). Healthcare organizations and their business associates are subject to HIPAA and should understand both terms and the nuances involved.



What is a HIPAA violation?

A HIPAA violation is any failure to comply with a HIPAA regulation, such as the HIPAA Privacy, Security, or Breach Notification rules. Compliance is about avoiding problems and reducing the risk of an issue to an appropriate and acceptable level. Common examples of violations include:

  • Sharing PHI with anyone unauthorized
  • Neglecting to secure PHI against unnecessary use and disclosure
  • Lacking data encryption during storage and transit
  • Failing to conduct risk analyses
  • Allowing hacking/IT incidents or theft
  • Improperly disposing of medical records

HIPAA violations can be intentional, or unintentional as a result of negligence or accident. If a violation does occur, depending on the outcome of an Office for Civil Rights (OCR) investigation, healthcare organizations can face fines, criminal charges, and possible jail time.


What is a HIPAA breach?

A HIPAA breach is a type of violation that entails the unauthorized access, use, or disclosure of PHI. In fact, a violation could lead to a breach that compromises the safety and privacy of patients. This, in turn, could lead to legal, financial, and reputational consequences for an organization. Common examples of breaches that result in exposed PHI include:

  • Unauthorized employee access
  • Lost or stolen devices
  • Hacking incidents
  • Phishing or ransomware attacks
  • Improper PHI disposal
  • Data transmission errors
  • Insider threats
  • Physical security breaches

The severity of a HIPAA breach depends on various factors, including the nature and extent of the breach, the type of PHI compromised, the number of individuals affected, and the organization's response to the breach. As with HIPAA violations, the after-effects may be severe.


Consequences of HIPAA violations and breaches

Both breaches and violations can result in civil or criminal penalties. The severity of the consequences varies depending on the nature and extent of noncompliance and exposure. Civil monetary penalties can range from $100 to $50,000 per violation. There is a maximum annual penalty of $1.5 million for all violations of an identical provision.

Additionally, HIPAA fines can be higher for cases involving willful neglect. Certain breaches can carry heavier financial and criminal consequences than violations. They can include criminal charges, which may result in fines up to $250,000 and imprisonment for up to 10 years for the most severe issues.

Another consequence may be a corrective action plan (CAP) to identify and fix underlying security issues within an organization. The idea is to implement specific measures and procedures to ensure that a violation or breach does not happen again. Finally, organizations will more than likely end up on OCR’s Breach Portal (the so-called Wall of Shame), which lists known breaches from the last 24 months that affected 500 individuals or more.



Avoiding both HIPAA violations and breaches

A highly penalized issue was that of Anthem, Inc., after a 2015 incident involving the stolen PHI of 79 million people. OCR penalized the company over $15 million and included a robust CAP in its settlement. Moreover, several lawsuits against Anthem increased its total penalties to about $50 million.

Performing comprehensive risk assessments helps healthcare organizations stay on top of their HIPAA compliance. Generally, such assessments encourage organizations to stay secure and ahead of possible issues. Here's a list of what healthcare organizations can do to avoid penalties and focus on compliance.

  1. Establish up-to-date policies and procedures
  2. Implement a program to identify vulnerabilities
  3. Use continuous employee awareness training
  4. Ensure proper technological safeguards
  5. Utilize strong access controls
  6. Keep communication channels secure
  7. Choose vendors (i.e., business associates) that are HIPAA compliant themselves
  8. Create data backup and disaster recovery plans in case of an incident
  9. Regularly audit and monitor systems
  10. Have an incident response plan ready in case it is needed

Finally, providers must be diligent in understanding all HIPAA provisions and amendments.



What is the most common violation of HIPAA?

HHS (the U.S. Department of Health and Human Services) and state attorneys general cite failure to implement proper access controls for protecting patient information as one of the most common HIPAA violations by healthcare services.


How can you identify a breach?

Identifying a HIPAA breach involves recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Monitoring access logs, conducting regular security assessments, and promptly investigating any suspicious incidents are essential steps in identifying potential breaches. Early detection enables prompt action to mitigate harm and fulfill reporting requirements under HIPAA regulations.
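The access-log monitoring mentioned above, and the access-control failures cited as the most common violation, both come down to reviewing who touched which patient record and when. The following is an added example (not Paubox code and not tied to any particular EHR product) of a small review script over a constructed audit log. It assumes a space-separated line format of timestamp, user, role, patient ID and action, and a constructed table of which patients each user is assigned to care for; both the format and the assignment table are hypothetical. It flags three patterns an investigator would want surfaced: access to a patient outside the user's assignment, access outside business hours, and bulk access to many distinct records in a short window.

```python
"""Toy PHI access-log review (constructed example, not production code).

Flags the kinds of access a breach investigation looks for:
  unassigned_patient  - user viewed a record outside their care assignment
  after_hours         - access outside business hours
  bulk_access         - many distinct patients viewed in a short window
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: <timestamp> <user> <role> <patient_id> <action>
SAMPLE_LOG = """\
2024-03-04T09:12:01 nurse_kim nurse P1001 view
2024-03-04T09:15:44 nurse_kim nurse P1002 view
2024-03-04T09:40:10 dr_lee physician P1003 view
2024-03-04T02:10:33 billing_ray billing P1001 view
2024-03-04T02:11:02 billing_ray billing P1002 view
2024-03-04T02:11:30 billing_ray billing P1003 view
2024-03-04T02:12:05 billing_ray billing P1004 view
2024-03-04T02:12:40 billing_ray billing P1005 view
2024-03-04T02:13:10 billing_ray billing P1006 view
2024-03-04T10:05:00 nurse_kim nurse P2001 view
"""

# Constructed care assignments (hypothetical): patients each user may access.
ASSIGNMENTS = {
    "nurse_kim": {"P1001", "P1002"},
    "dr_lee": {"P1003"},
    "billing_ray": {"P1001", "P1002", "P1003"},
}

BUSINESS_HOURS = range(7, 19)   # 07:00 through 18:59 counts as normal hours
BULK_THRESHOLD = 5              # distinct patients within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review_access(events, assignments):
    """Return a list of (rule, user, detail) findings over the events."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        # Rule 1: record viewed outside the user's assignment (access control)
        if ev["patient"] not in assignments.get(ev["user"], set()):
            findings.append(("unassigned_patient", ev["user"], ev["patient"]))
        # Rule 2: access outside business hours
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"], ev["patient"]))
        by_user[ev["user"]].append(ev)

    # Rule 3: bulk access, i.e. many distinct patients in a sliding window
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {e["patient"] for e in window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, len(distinct)))
                break  # one finding per user is enough to open an investigation
    return findings


def users_flagged(findings):
    """Set of users with at least one finding, for triage."""
    return {user for _, user, _ in findings}


if __name__ == "__main__":
    for rule, user, detail in review_access(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(f"{rule:20} {user:12} {detail}")
```

On the constructed sample, `billing_ray` trips all three rules (six records in three minutes at 02:10, three of them outside assignment), `nurse_kim` is flagged once for a single unassigned record, and `dr_lee` produces nothing. In a real environment the assignment table would come from the scheduling or EHR system and the thresholds would be tuned per role; the point is that each finding maps back to a specific user and record, which is what the investigation and any notification decision need.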


What steps should be taken in the event of a HIPAA breach?

Organizations should promptly investigate the breach, mitigate any harm to affected individuals, notify affected individuals and relevant authorities as required by law, and take steps to prevent future breaches. This may involve implementing additional security measures, conducting staff training, and revising policies and procedures.


What should individuals do if they believe their PHI has been breached?

Individuals who believe their PHI has been breached should promptly report the incident to the covered entity or business associate responsible for the breach. They should also monitor their financial accounts and medical records for any signs of fraudulent activity.
