Personally, I’ll never forget when I first learned about HIPAA. My father had been battling cancer for years, and I had been very active in his care regimen. Then suddenly, sometime in late 1996, I called his primary care physician to discuss some concerns – as I’d done many times before. Yet this time, rather than having a meaningful conversation, I was met with the following:
“I’m sorry, Jen, I can’t discuss your dad’s health with you due to HIPAA.”
What? Even though I was in law school at the time, I had no idea what she was talking about. Now, nearly 30 years later, most of us – including me – can’t even imagine a world before the Health Insurance Portability and Accountability Act.
So, what is this law exactly? Who does it seek to protect? And how is this now-ubiquitous federal mandate violated? We’ll break it all down in this article.
What is HIPAA and who does it protect?
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) primarily to address two growing concerns:
- Ensuring that employees could maintain health insurance coverage when changing jobs.
- Protecting the privacy and security of sensitive medical information.
Over time, the focus on privacy became one of HIPAA’s most defining features. Before HIPAA, there was no uniform federal law preventing the unauthorized sharing of a patient’s medical records. Hospitals, doctors, and insurers often had their own policies, leading to inconsistent and sometimes troubling breaches of patient privacy. HIPAA changed that.
The key components of HIPAA
HIPAA is broad and incredibly complex, but four key rules govern how it applies to healthcare entities:
- Privacy Rule: This rule defines how Protected Health Information (PHI) can be accessed, used, and disclosed.
- Security Rule: This rule establishes safeguards to protect electronic PHI (ePHI) from unauthorized access.
- Breach Notification Rule: This rule requires entities to notify individuals when their PHI has been exposed in a data breach.
- Enforcement Rule: This rule outlines how HIPAA violations are investigated and penalized.
Who must comply with HIPAA?
HIPAA is a wide-reaching statutory scheme. That said, it most directly applies to two broad categories:
Covered entities:
These include:
- Healthcare providers (hospitals, clinics, doctors, pharmacies, etc.).
- Health plans (insurers, HMOs, Medicare/Medicaid).
- Healthcare clearinghouses (entities that process medical billing data).
Business associates:
HIPAA also covers third parties that handle PHI on behalf of covered entities, including:
- Law firms assisting with medical-related legal matters.
- IT vendors managing electronic health records.
- Billing companies and cloud storage providers.
Generally speaking, a HIPAA violation occurs when any of these entities fail to properly protect PHI or disclose it without authorization.
What constitutes a HIPAA violation?
HIPAA violations can take many forms, but they all share a common theme: the misuse or improper disclosure of protected health information.
Here are some of the most common ways these violations occur:
Unauthorized access to patient records
HIPAA violations aren’t always massive data breaches – sometimes they happen on a small scale, often enabled by poor data management policies, such as curious employees snooping on patient records.
For example, in 2011, the UCLA Health System paid out $865,500 as part of a settlement with federal regulators after two celebrity patients alleged that hospital employees broke the law and reviewed their medical records without authorization.
Failure to secure physical or electronic records
HIPAA requires both physical and digital safeguards for patient data. Among other things, that means that medical files can’t be left unattended in public areas, PHI must be stored securely (e.g., encrypted files, password-protected systems), and healthcare organizations must have access controls to prevent unauthorized viewing.
Failure to maintain these protocols can result in massive data breaches and massive penalties.
For example, in 2015, Anthem Inc. suffered one of the worst healthcare data breaches in history when hackers stole 79 million patient records, including Social Security numbers. As a result, Anthem eventually agreed to pay $16 million to settle HIPAA violations.
Improper disclosure of PHI
Perhaps surprisingly, even discussing patient information in public spaces – such as hospital lobbies, elevators, or social media – is an easy way to violate HIPAA. In fact, even casual conversations among staff members can lead to compliance issues.
For instance, a dental office in Dallas was required to pay a $10,000 settlement after a dentist responded to online patient reviews by including specific details about their treatment, violating HIPAA’s Privacy Rule.
Failure to obtain patient authorization
Importantly, HIPAA requires that healthcare entities obtain written consent before sharing PHI with third parties – this includes family members (as I discovered), employers, and media outlets. Even well-intended disclosures can result in violations.
In 2017, for example, a Tennessee hospital was sued for $2.5 million after revealing a patient’s HIV status to his employer without consent.
Delayed breach notification
Under HIPAA’s Breach Notification Rule, covered entities must, among other things, report data breaches within 60 days of discovery. Failing to do so can lead to harsh penalties and damage to the entity’s reputation.
Official penalties
HIPAA violations aren’t just a civil litigation concern – they come with other serious financial and legal consequences. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Department of Justice (DOJ) enforce these penalties, depending on the severity of the violation. Here’s a run-down of the most serious consequences for violating HIPAA:
Civil penalties: OCR enforcement
The OCR can impose civil fines based on the level of negligence involved in the HIPAA violation. The penalty structure follows a tiered approach, with escalating fines depending on intent and corrective action:
| TIER | LEVEL OF VIOLATION | PENALTY PER VIOLATION | ANNUAL CAP |
| --- | --- | --- | --- |
| 1 | Unintentional; unaware of violation | $137 – $68,928 | $2,067,813 |
| 2 | Reasonable cause; not willful neglect | $1,379 – $68,928 | $2,067,813 |
| 3 | Willful neglect but corrected within 30 days | $13,785 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928 | $2,067,813 |
Criminal penalties: DOJ enforcement
While civil penalties are steep, criminal penalties for HIPAA violations can be even worse. The Department of Justice (DOJ) prosecutes cases where individuals intentionally misuse PHI, such as selling medical records or using them for personal gain.
| TIER | LEVEL OF VIOLATION | MAXIMUM PENALTY |
| --- | --- | --- |
| 1 | Wrongful disclosure of PHI | $50,000, 1 year of prison, or both |
| 2 | Wrongful disclosure of PHI under false pretenses | $100,000, 5 years of prison, or both |
| 3 | Wrongful disclosure of PHI under false pretenses with malicious intent | $250,000, 10 years of prison, or both |
How lawyers can help healthcare clients avoid HIPAA violations
Given that enforcement agencies can impose hefty penalties for HIPAA violations, lawyers play a crucial role in helping healthcare clients stay compliant. Attorneys advising healthcare providers, insurers, or business associates should focus on risk mitigation strategies to prevent violations before they occur. Here’s how:
Conduct HIPAA risk assessments
One of the biggest reasons for HIPAA fines is failing to assess risks properly. Lawyers should help clients:
- Identify vulnerabilities in physical and digital security measures.
- Develop a corrective action plan to address weaknesses.
- Regularly review policies and procedures to align with HIPAA updates.
Develop and update HIPAA compliance policies
HIPAA regulations are complex and ever-evolving. This makes it critical for healthcare entities to have clear, up-to-date policies. To facilitate this, lawyers can:
- Draft and revise HIPAA-compliant patient privacy policies.
- Ensure internal procedures align with OCR guidance.
- Develop data retention and disposal policies for medical records.
Provide employee training on HIPAA compliance
Many HIPAA violations result from employee mistakes, such as:
- Leaving patient records unattended.
- Clicking on phishing emails that lead to data breaches.
- Discussing patient details in public spaces.
Lawyers can assist healthcare clients by:
- Offering annual HIPAA training for employees.
- Educating staff on real-life case studies to prevent mistakes.
- Implementing incident response plans for handling breaches.
Respond to breaches effectively
If a breach does occur, lawyers must guide clients on:
- Investigating what went wrong.
- Notifying affected patients within 60 days (as required by HIPAA).
- Mitigating legal exposure to avoid maximum penalties.
Negotiate vendor agreements
Many HIPAA violations happen because of third-party vendors, such as billing companies or IT firms. To mitigate this problem, attorneys can help draft and negotiate business associate contracts. These specialized agreements:
- Are HIPAA-compliant contracts that hold vendors accountable.
- Ensure encryption and security standards are met.
- Should be reviewed before a breach occurs, not after.
Conclusion
Back in 1996, when my father’s doctor first mentioned HIPAA, I had no idea how critical it was for her to protect my dad’s medical information – nor how important this law would eventually become to our society.
Today, HIPAA violations aren’t just minor infractions – they come with steep fines, lawsuits, and even criminal charges. And in a world where all computerized data can be shared with the click of a mouse, this is a really good thing for health consumers.
What lawyers need to understand, ultimately, is that HIPAA isn’t just about red tape – it’s about protecting the most sensitive personal information in the healthcare industry. For attorneys advising clients on compliance, proactive legal guidance can mean the difference between a minor issue and a multi-million-dollar penalty.