3 HIPAA Violation Consequences That Are Often Overlooked

The three HIPAA violation consequences most often overlooked affect individuals, healthcare organizations, and the timeliness of care in ways not often considered.

HIPAA violations occur more often than many people are aware of because the only public source of information about HIPAA violations is HHS’ Office for Civil Rights (OCR). Complaints made directly to healthcare organizations and sanctions imposed on members of the workforce for HIPAA violations are rarely made public unless they are escalated to OCR.

Furthermore, because some articles rely only on OCR’s breach report as their source of information, the number of HIPAA violations each year is often underreported. In fact, in 2021 (the most recent data available), OCR received 34,077 complaints alleging HIPAA violations and 64,180 notifications of data breaches – affecting more than 37,500,000 members of the public.

The statistics relating to members of the public affected by HIPAA violations are more important than the HIPAA violations themselves. This is because members of the public can become victims of medical identity theft, can lose trust in healthcare providers, or can experience HIPAA violation consequences such as treatment delays – even when their own data has not been breached.

The Consequences of Medical Identity Theft

In 2013, the Ponemon Institute conducted a survey into medical identity theft. From the responses received to the survey, the Institute calculated that ~1.8 million Americans are victims of medical identity theft each year. Although not all medical identity theft is attributable to a HIPAA violation, the consequences included:

| Medical Consequences | Financial Consequences |
| --- | --- |
| Lost trust and confidence in healthcare provider | Diminished credit score |
| Misdiagnosis of illness because of inaccuracies in medical records | Lost time and productivity trying to fix inaccuracies in credit report |
| Delay in receiving treatment because of inaccuracies in medical records | Financial identity theft such as fraudulent bills or credit card accounts |
| Mistreatment of illness because of inaccuracies in health records | Employment-related difficulties due to inaccuracies in credit or medical records |
| Wrong pharmaceuticals prescribed | Incurred legal fees |

Of the respondents to the survey who were victims of medical identity theft, 36% spent money to resolve the consequences – either to reimburse healthcare providers for services provided to imposters, to pay for identity protection services, credit monitoring, and legal advice, or to pay for medical services and medications due to a lapse in coverage attributable to identity theft.

The Consequences of Lost Trust and Confidence

Of the HIPAA violation consequences listed above, more than half of respondents who were victims of identity theft said they lost trust and confidence in their healthcare provider. The loss of trust and confidence can result in patients being less willing to discuss personal health issues with providers, leading to incorrect diagnoses and treatments based on incomplete facts.

As well as the lack of adequate communication being harmful to patients, healthcare providers can also suffer. Incorrect diagnoses and treatments that result in patient readmissions can lead to a loss of income under the Hospital Readmissions Reduction Program, the loss of Joint Commission accreditation, or – in the worst cases – the loss of an operating license.

Poor patient outcomes can also affect workforce morale and job satisfaction. Although poor patient outcomes are not the only contributory factors to poor workforce morale and job satisfaction, they are proven to play a part in decisions to leave healthcare – costing healthcare organizations time and money in recruitment and HIPAA training.

It Is Not Only Victims Who Suffer Treatment Delays

It was mentioned in the table above that victims of medical identity fraud can experience delays in receiving treatment because of inaccuracies in their medical records. However, patients who have not been the victims of medical identity fraud can also suffer treatment delays due to one of the least discussed HIPAA violation consequences – violation remediation efforts.

Many HIPAA violations are not intentional or due to a lack of care and often occur due to shortcuts being taken “to get the job done”. When the shortcuts are allowed to continue and become a “cultural norm”, it can take a significant effort to reverse the culture of non-compliance – often creating operational delays that affect all patients, whether their data has been breached or not.

In 2019, a team of researchers studied the effect of HIPAA violation remediation efforts on the quality of hospital care. They found that violation remediation efforts were associated with a deterioration in the timeliness of care and with patient outcomes. The report concluded that hospitals should evaluate remedial efforts to avoid these HIPAA violation consequences.

How to Mitigate HIPAA Violation Consequences

It was previously mentioned that not all medical identity theft is attributable to HIPAA violations. However, with more than 37.5 million records being exposed in data breaches in 2021, there is a high likelihood that many of those records will be used to obtain healthcare, prescription drugs, and credit cards at somebody else’s expense.

Healthcare organizations can mitigate HIPAA violation consequences by training members of the workforce to be more careful with PHI, to build trust with patients and their families, and to not take shortcuts with compliance. It can also be beneficial for healthcare organizations to implement an anonymous tip line so workforce members can report HIPAA violations when they see them.

Healthcare organizations can also mitigate HIPAA violation consequences by ensuring security safeguards are up to date and that user activity is monitored – with additional security awareness training provided as required. It may also be necessary to review business associate compliance where appropriate. Healthcare organizations requiring advice on measures to mitigate HIPAA violation consequences should speak with a HIPAA compliance professional.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA