9 Frightening HIPAA Violation Horror Stories

The HIPAA laws and regulations exist for a reason: protected health information, or PHI, needs to be actively protected. This includes physical paper documents as well as digital records.

So what could happen during a HIPAA violation?

The legal consequences depend on the severity of the situation and how many affected patients there are.

Someone who accesses PHI for malicious reasons can face serious consequences, especially when the access is for personal gain. Someone who violates HIPAA in this way can face as much as 10 years in jail and a $500,000 fine.

Snooping can also involve fines. Snooping happens when someone accesses PHI or ePHI without malicious intent. Maybe someone was curious and wasn’t going to do anything with the information. It doesn’t matter. HIPAA was still violated and the courts can still impose a fine and/or jail time for snooping.

Breaches and compromised ePHI on a large scale can send entire organizations down the rabbit hole of fines and court dates. If an organization doesn’t take action to monitor and maintain the confidentiality of its databases, the courts can find an organization guilty of violating HIPAA.

Let's look at some real-world HIPAA violation horror stories. These are worst-case scenarios that played out and led to serious consequences.


Media Gone Wrong

NYP

In January 2013, an individual filed a complaint about the filming of patients at NYP. NYP had allowed a film crew from the ABC medical reality TV show “NY Med” to film two patients without their consent.

One of the patients even died in the emergency room during the filming.

The investigation by the HHS Office for Civil Rights (OCR) found that NYP had allowed ABC far too much access to the hospital, creating an environment in which PHI was not protected.

As a result, NYP agreed to pay a $2.2 million settlement to OCR and entered into a Corrective Action Plan to ensure that the incident would not repeat.

Onslow Memorial Hospital

Olivia O’Leary, an employee of Onslow Memorial Hospital, found herself in a sticky situation in 2017. A patient, Autumn Sharp, and the patient’s two children were in a car crash that killed Sharp.

O’Leary, a medical technician, commented on Facebook articles about the crash that the patient should have worn a seatbelt. 

Some individuals felt that this comment was a violation of HIPAA. O’Leary disagreed, claiming that the information about the lack of seatbelts and where the children sought treatment was already public information.

Either way, O’Leary was no longer employed within the week. The hospital would not comment on how the employee left the workplace.

Jail Time

UCLA Health

In 2013, a surgeon was sentenced to four months in jail and a $2,000 fine.

According to the Federal Bureau of Investigation, a former UCLA Healthcare System employee named Huping Zhou illegally read the ePHI of high-profile patients, including celebrities.

He also read the medical records of the supervisor who fired him and of his coworkers, accessing ePHI illegally over 320 times. Zhou, a licensed surgeon in China, knowingly obtained the PHI without a medical or other valid reason.

The UCLA Healthcare System, the UCLA School of Medicine, and the UCLA Medical Group fully cooperated in the FBI investigation of this case.

East Texas Hospital

In 2014, Joshua Hippler went to court for the wrongful disclosure of PHI.

Allegedly, he accessed an untold number of documents in order to sell the information for personal gain.

Hippler pleaded guilty to offenses that took place at an unnamed East Texas hospital between December 1, 2012, and January 14, 2013. He was sentenced to 18 months in jail; the maximum sentence was 10 years and a $500,000 fine.

Getting Fired for Snooping

Carilion Clinic

Accessing records without a legitimate patient-care reason is a violation of HIPAA.

A total of 14 employees at Carilion Clinic accessed medical records for high-profile patients in 2015.

All employees who violated HIPAA in this incident were terminated. It is unclear who the high-profile patients were, which is how these stories should always break.

California Pacific Medical Center

California Pacific Medical Center had an instance of a snooping pharmacist in 2014. The pharmacist snooped into 844 patient records between October 2013 and October 2014.

The accessed PHI included patient demographics, diagnoses, prescription data, and clinical notes. Due to the severity of the situation, the employer terminated the pharmacist.

California Pacific Medical Center notified its employees that anyone who violates HIPAA in the same way will face similar consequences.

Lawsuits Over Breaches

Springhill Medical Center

On July 16, 2019, Springhill Medical Center released a statement regarding a ransomware attack it experienced earlier that month. The organization assured the public that the cybersecurity incident didn’t have an impact on patient care.

However, the attack disabled the facility’s computer systems for eight days, during which the PHI the facility relies on was inaccessible.

Fast-forward to October 2021: the facility now faces a lawsuit over the ransomware attack. The lawsuit, brought by the mother of an infant born during the outage, claims that her daughter died due to diminished care that resulted from the 2019 cyber attack.

It goes on to state that since the facility’s computer systems were down, so was access to its fetal tracing information. The infant suffered profound brain damage after birth, leading to months in the hospital and eventually death.

UC San Diego Health

In July 2021, UC San Diego Health disclosed a cybersecurity incident in which an attacker gained unauthorized access to certain employee email accounts through a successful phishing attempt. The incident took place from December 2, 2020, to April 8, 2021, and affected around half a million patients.

The organization began notifying affected patients on September 7. Just a few weeks later, a cancer patient from El Cajon filed a lawsuit accusing UC San Diego of:

  • Breach of contract

  • Negligence

  • Violating California consumer privacy and medical confidentiality laws

Excellus Health Plan

In 2015, Excellus Health Plan discovered that an unauthorized user had been in its database between December 2013 and May 2015. In this breach, nearly 9.4 million individuals had their information compromised.

The information accessed by the hackers included names, contact information, dates of birth, and Social Security numbers. It also involved health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR investigated in 2016 and uncovered multiple potential violations of the HIPAA Rules, including a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access.

Excellus Health Plan agreed to a settlement with no admission of liability or wrongdoing. The settlement involved a $5.1 million fine.

Premera Blue Cross

Premera Blue Cross, based in Mountlake Terrace, discovered compromised computer systems in May 2014.

This breach lasted for nearly nine months and involved spear-phishing emails that installed malware. The attack affected 10.5 million individuals and their ePHI.

The information included names, addresses, and dates of birth. It also included email addresses, Social Security numbers, bank account information, and health plan clinical information.

OCR investigated and found multiple potential HIPAA violations, including the failure to implement sufficient hardware and software safeguards, to reduce the risks and vulnerabilities of the systems containing ePHI to an appropriate degree, and to conduct risk assessments identifying risks to the integrity and availability of ePHI.

OCR determined that a financial penalty was appropriate. Premera Blue Cross agreed to settle the HIPAA violation case with no admission of liability, and also settled a $10 million lawsuit and a $74 million lawsuit on behalf of those affected by the breach.

Conclusion

As you can see, the courts take HIPAA violations very seriously. 

Whether intentions are malicious or not, violations that result in the exposure of PHI can have serious legal consequences.

Fines, penalties, and jail time can result from snooping, or from accessing PHI without a valid reason, the patient’s permission, or a medical need.

The penalties are more severe when the actions are malicious. Jail time is longer if someone accesses PHI or ePHI to blackmail the patient, “out them” to an employer, or sell the information for monetary gain. Fines are also larger when many patients are affected by the incident.

The best way to protect yourself, your coworkers, and your organization is to track the systems that store ePHI, make sure your employees receive proper HIPAA training, and monitor the digital activity on those systems.
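The activity review that the Excellus finding (a lack of information system activity reviews) and the closing advice call for can be automated in its simplest form. The Python below is an added example, not code from this article or from any of the organizations named in it; the audit-log lines, user names, patient IDs, reference sets and the per-day threshold are all constructed. It flags the patterns the snooping stories above have in common: access to a patient the user has no documented treatment relationship with, access to a flagged high-profile record, access to a coworker's record, and an unusually large number of unrelated records opened in one day.

```python
"""Access-log review for snooping on electronic health records.

Added example (not from the article): a minimal 'information system
activity review'. Every log line, name, ID and threshold is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit-log lines: timestamp, user, role, patient id, action.
SAMPLE_LOG = """\
2024-03-04T08:02:11 rn.alvarez RN P1001 view_chart
2024-03-04T08:05:40 rn.alvarez RN P1002 view_chart
2024-03-04T09:15:02 tech.baker TECH P2001 view_chart
2024-03-04T09:15:30 tech.baker TECH P2002 view_chart
2024-03-04T09:16:05 tech.baker TECH P7777 view_chart
2024-03-04T09:17:12 tech.baker TECH E0042 view_chart
2024-03-04T12:30:00 pharm.chen PHARM P1001 view_meds
2024-03-04T12:31:00 pharm.chen PHARM P3001 view_meds
2024-03-04T12:32:00 pharm.chen PHARM P3002 view_meds
2024-03-04T12:33:00 pharm.chen PHARM P3003 view_meds
2024-03-04T12:34:00 pharm.chen PHARM P3004 view_meds
2024-03-04T12:35:00 pharm.chen PHARM P3005 view_meds
"""

# Constructed reference data. A real review would pull these from the
# scheduling/admission system (treatment relationships), the EHR's
# confidentiality flags and the HR directory (staff who are also patients).
TREATMENT_RELATIONSHIPS = {
    ("rn.alvarez", "P1001"), ("rn.alvarez", "P1002"),
    ("pharm.chen", "P1001"),
}
CONFIDENTIAL_PATIENTS = {"P7777"}   # high-profile / VIP flag
EMPLOYEE_PATIENTS = {"E0042"}       # patient IDs belonging to staff members
MAX_UNRELATED_PER_DAY = 4           # assumed threshold; tune per site and role


def parse_log(text):
    """Parse the whitespace-separated audit format used above."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review_access(events, relationships, confidential, employees, max_unrelated):
    """Return (user, subject, reason) findings for a reviewer to triage."""
    findings = []
    unrelated = defaultdict(set)   # (user, day) -> patients with no relationship
    for ev in events:
        related = (ev["user"], ev["patient"]) in relationships
        if ev["patient"] in confidential:
            findings.append((ev["user"], ev["patient"], "confidential_record"))
        if ev["patient"] in employees and not related:
            findings.append((ev["user"], ev["patient"], "coworker_record"))
        if not related:
            unrelated[(ev["user"], ev["ts"].date())].add(ev["patient"])
    for (user, day), patients in unrelated.items():
        if len(patients) > max_unrelated:
            # Bulk browsing: one finding summarising the day instead of one per chart.
            findings.append((user, f"{len(patients)} patients on {day}",
                             "volume_without_relationship"))
        else:
            for patient in sorted(patients):
                findings.append((user, patient, "no_treatment_relationship"))
    return findings


if __name__ == "__main__":
    for user, subject, reason in review_access(parse_log(SAMPLE_LOG),
                                               TREATMENT_RELATIONSHIPS,
                                               CONFIDENTIAL_PATIENTS,
                                               EMPLOYEE_PATIENTS,
                                               MAX_UNRELATED_PER_DAY):
        print(f"{reason:28} {user:12} {subject}")
```

The nurse, whose every access matches a documented assignment, produces no findings; the technician is flagged for the VIP and coworker records and for each unrelated chart; the pharmacist crosses the daily threshold and gets a single volume finding. The thresholds and reference sets are the part that has to be tuned to the organization, since a pharmacist or an emergency department clinician legitimately touches many records without a scheduled relationship.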