With fines for HIPAA violations reaching as high as $50,000 per occurrence, medical practices need to ensure that they are always HIPAA compliant.
Since HIPAA regulations are complex and can change from year to year, it can be difficult to stay updated on the latest rules and the most common violations. Ensuring that your personnel are well-trained in HIPAA compliance and understand which violations occur often, can help protect your practice from violations.
Here are some of the most common HIPAA violations.
Hacking is a serious threat that can happen to anyone. In 2020 alone, more than 300 hacking incidents are being assessed for HIPAA violations.
You might wonder what hackers could do with the Protected Health Information (PHI) they obtain. There are two possible reasons for these incidents.
Below are several best practices that you can follow to protect your practice from hacking:
One of the most common HIPAA violation examples is when employees access data they are not authorized for.
Even if they do it out of curiosity, this is still a violation and can result in both an information breach and a fine. It is even worse when your own staff sells PHIs for personal gain.
Based on the HIPAA Security Rule, covered entities, as well as their business associates, should limit access to electronic PHI (ePHI) only to authorized individuals.
Setting up an authorization system is one way to ensure employees can only access data that is relevant to their case.
Encrypting PHI is one of the best methods to prevent data leaks from happening in your practice. If encrypted PHI is breached, it isn’t a reportable security incident unless the key to access the encrypted data is stolen as well.
Although encryption is not mandatory based on HIPAA rules, it provides clear security benefits. If your practice decides not to use encryption, you need to have an equivalent security measure in place instead.
A common HIPAA violation is losing company devices that contain PHI.
In 2017, Lifespan Health System ACE suffered a HIPAA breach and a $1,040,000 HIPAA penalty after the theft of an unencrypted laptop. An employee had left the laptop in their vehicle, which was broken into. The laptop contained more than 20,000 personal details. To make matters worse, the device itself was not password-protected.
Although Lifespan ACE tried to remedy the situation, they could not stop the information from being misused.
While theft cannot be prevented at all times, adding encryption to company devices helps prevent information leaks and safeguards patient data even if the device gets stolen.
All confidential data, PHI included, should be on a need-to-know basis. Although it appears harmless to discuss details with colleagues, it can easily cause information leaks which result in lawsuits.
Social engineering is a prevalent hacking method nowadays. Hackers trick employees to provide information so they can gain access to data they can exploit.
To prevent the spread of personal information, ensure that sensitive information is shared securely and only with authorized staff. Even talking about patient information with loved ones is a HIPAA violation.
It is vital that your employees securely store or dispose of PHI that is no longer needed, such as digital and physical documents.
Forgetting to secure documents can lead to these files falling in the wrong hands, and thus resulting in a violation.
The best advice is to keep the information in a secure place or get rid of the document itself so it can no longer be accessed.
Many clinicians are used to working after-hours and gain access to PHI from their personal computers. Although this may appear harmless, it can have significant consequences.
For example, a family member using a physician’s computer can easily stumble upon confidential documents especially when unsecured. They may also accidentally introduce malware to hackers stealing PHI.
To prevent this, the best practice is to simply have a dedicated computer for any confidential information and only access the device from secure locations.
Although sending patient information through text may seem quick and effective, it provides hackers with a way to get their hands on such data. You are not allowed to put patient information in a text message because it is not an encrypted form of communication.
Getting caught doing so can result in a violation and fine. You are also legally obliged to report such violations.
There are messaging apps available that encrypt data for more secure communication, but often they do not fulfill the technical safeguards to meet HIPAA requirements, and personal devices may be lost or stolen.
You can use a reliable electronic medical record (EMR) software to share information with colleagues efficiently.
According to the HIPAA Privacy Rule, patients have the right to access their medical data and acquire copies of records upon request.
Denying your patients access to health records, overcharging them for copies, or simply failing to supply their data within 30 days are grounds for a HIPAA violation.
Your practice must enter in a HIPAA-compliant Business Associate Agreement with any vendor that has access to PHI. This contract specifies each party’s responsibilities with PHI and clarifies how they expect each other to secure data.
Even with a Business Associate Agreement, a vendor may still be out of HIPAA compliance. This is especially true if the agreement has not been revised after the Omnibus Final Rule or other updates to HIPAA regulations.
According to the HIPAA Breach Notification Rule, covered entities are required to issue notifications to relevant parties regarding breaches without unnecessary delay. They should provide notification no later than 60 days after discovering the data breach.
Disclosing protected health data includes potential disclosures after the loss or theft of unencrypted laptop computers, disclosing PHI to the employer of the patient, unnecessarily disclosure of PHI, failing to adhere to the minimum necessary standard, and disclosing of PHI after authorization from a patient has expired.
Without patient consent, healthcare providers may not release PHI for purposes other than the payment for healthcare, treatment, or for healthcare operations. Patients must fill out an authorization form before entities can legally disclose their PHI to a third party.
To prevent unauthorized disclosure, healthcare workers must ensure the proper authorization has been given. An authorization form is valid only if they have been signed by the patient or their representative.
It is not easy for healthcare IT personnel to monitor all devices connected to their network. Making sure that these connected devices are secured is a major task, but is a requirement to be HIPAA compliant.
Employees need to be aware that security and privacy risks are associated when they download ePHI to unauthorized electronic devices. Unauthorized devices not only increase the risk of accidentally disclosing ePHI in case the device is lost or stolen, it can also be seen as theft and a HIPAA violation.
Even if a patient has provided an authorization form, healthcare employees need to be careful with the types of data released to third parties. Each authorization form should include what types of data have been authorized by the patient to be released.
Any details that have not been listed under the authorization form should remain confidential and private.
HIPAA violations are common and can seriously harm your practice’s finances and reputation. To protect your practice and your patients, ensure your practice meets HIPAA requirements.