What is a HIPAA Violation?
If you’re reading this blog, you know that if a company handles protected health information that they are required to be compliant with the Health Insurance Portability and Accountability Act. For Covered Entities, compliance can be even more challenging because their HIPAA compliance efforts are not only dependent on their own actions, but they are responsible for their seeing that their vendors are compliant as well.
Ensuring that each one of your business associates are compliant can be time-consuming and costly. Even the signing of business associate agreements with your vendors is no guarantee that they will protect the protected health information (phi) that they may come into contact with. Regardless of whether BAAs are in place, 45% of healthcare providers have experienced a third party breach of PHI from their vendors. Because of the risk, HIPAA requires that vendors do more than simply sign an agreement. Vendors must comply with the security rule, which requires that business associates conduct risk analyses of their systems and address potential security risks. When breaches do occur, business associates are obligated under law to disclose the details of the breaches.
The Breach Notification Rule of HIPAA requires that business associates notify covered entities of a breach of protected health information in a timely manner. The goal of these regulations is that covered entities and their business associates are proactive in regard to the security of PHI. However, many business associates and even covered entities don’t assess the risk of their systems regularly, leading to breaches and fines. Without regular and formal risk assessments, many business associates do not identify threats as well as the potential legal and financial impact of fines due to noncompliance with HIPAA.
How are HIPAA Violations discovered?
Violations of HIPAA can fly under the radar for months or even years until they are discovered. The longer a violation exists, the steeper the penalty will be when it is finally discovered. Therefore, it is critical that each organization that falls under the purview of HIPAA conduct regular risk assessments to ensure that violations are discovered and corrected before they are uncovered by regulators. Failure to conduct a risk assessment and then take corrective action can open your organization to higher tier penalties.
Outside self-reporting a violation, the two main ways that a state attorney or the Office of Civil Rights will investigate an organization is if there is a report of a breach from a third party or if there are complaints about a covered entity or business associate.
There are countless ways that the provisions of HIPAA can be broken, but here are five of the most common HIPAA violations and some steps to avoid them in your own organization:
Unsecured/Unencrypted Patient Records
Patient records contain all types of identifiable protected health information that, under the privacy rule, must be safeguarded and carefully encrypted when stored electronically. The failure to protect these records properly is one of the most common mistakes that can lead to HIPAA violations. Whether patient records are kept electronically or in a physical copy, staff needs to be aware of where the files are placed, even if it's just for a moment. Leaving a patient's record out on a counter or pulled up on an unattended computer leaves that PHI exposed for unauthorized access from anyone who is nearby.
HIPAA requires that all records and information are kept in secure locations, not accessible to unapproved employees, family members or any other person that might pass by. It is important to train employees to lock all paper files in secure file cabinets and to ensure that all digital records are encrypted and password protected. Electronic protected health information (ePHI) can be easily accessible to criminals if it is not properly encrypted and only accessed on approved devices.
Lack of Employee Training
Since healthcare employees regularly handle and discuss identifiable health information, their misuse of this important information has been a common cause of breaches of PHI. Whether that happens through conversations about a patient in a public location or discussing any type of PHI on social media, employees must be aware of these risks.
Improper disclosure of PHI on Social Media is a particularly common way that employees have caused violations of the law and breaches of PHI. There are advantages to using social media in the healthcare industry, but there are also considerable risks. All employees with access to patients or PHI should be clearly trained and briefed about what actions of theirs would constitute a PHI breach through social media.
Employee HIPAA training is extremely important when it comes to preventing employees from misusing or disclosing PHI in any improper ways. From their initial hire date and with regular upkeep, healthcare employees need to be carefully trained on all the procedures and safeguards to protect PHI from any possible risk. Not only is employee training a good idea to prevent HIPAA violations, but it is also required in order to be fully HIPAA-compliant!
Improper disposal of PHI
In addition to storing and sharing protected health information in a safe and secure way, healthcare organizations must also be careful to dispose of any unneeded medical records in properly Whether they have been kept in a physical or electronic form, documents need to be permanently destroyed and disposed of so that it cannot end up in the wrong hands.
In order to fully comply with HIPAA rules, physical copies of patient information should be shredded and burned when they are no longer needed. Disposing of electronic protected health information (ePHI) means fully wiping the information from the device or even entirely destroying the devices or hard drives where the ePHI was stored. It is best to set up clear standards for how to dispose of these forms of information within your practice so that it is guaranteed that each time information becomes unneeded, that it is permanently destroyed.
Lack of Organizational Risk Assessments
Since HIPAA consists of many rules that require a great level of understanding ensuring full compliance, healthcare organizations should regularly conduct organization-wide risk assessments of their handling of PHI. A risk analysis should reveal any weaknesses in the way the organization is currently handling, protecting or sharing protected health information. Once vulnerabilities have been identified, organizations can then take steps to improve their HIPAA compliance and guarantee better protection of PHI moving forward.
As technology advances, there are bound to be additions or changes to HIPAA compliance that require additional steps to be taken. Conducting regular risk analyses will make sure that healthcare providers are able to implement any new policies or safeguards into place as needed. If you’re looking to start identifying the risks in your organization, try our free Risk Analysis and see where you might need better safeguards!
Loss or Theft of Devices
A very common cause of a HIPAA violation is the loss or theft of a company’s technology that contains PHI. Employees that need to access identifiable health information in order to do their jobs must be extremely careful with guarding their devices from loss or theft. It is not possible to entirely protect your technology from being stolen, it is possible to encrypt and safeguard all the information that is held on the device. This ensures that even in the unfortunate event of a loss or stolen device, the person who takes it would not be able to access the information and therefore not be able to accomplish their potentially harmful agenda.
How much do HIPAA Violations Cost?
The cost of noncompliance to HIPAA can be crippling to an organization. The penalties for HIPAA noncompliance are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a max penalty of $1.5 million per calendar year for violations. Additionally, violations can also result in jail time for the individuals responsible.
HIPAA breaks the penalties for violations into four tiers:
- First Tier: The covered entity did not know and could not reasonably known of the breach. Generally, these range to $1000 to $50,000 per incident up to $1.5 million in penalties.
- Second Tier: The covered entity knew or by exercising reasonable diligence would have known of the violation, though they did not act with willful neglect. Fines for the second tier can range up to $1,000 to $50,000 per incident up to $1.5 million.
- Third Tier: The covered entity “Acted with willful neglect” and corrected the problems with a 30 day period of the breach. Penalties for the third tier can range from $10,000 - $50,000 per incident up to $1.5 million.
- Fourth Tier: The covered entity acted with willful neglect and failed to make a timely correction. Fines start at $50,000 per incident up to $1.5 Million.
If the HHS decides that there was deliberate malicious intent, the Department of Justice can step in and assign criminal penalties to egregious violators. As with civil penalties for noncompliance, there are multiple tiers of penalties for violations that are considered criminal. To make sure that your organization is compliant, consult our HIPAA Compliance checklist.
Prevent HIPAA Violations with Accountable
It’s important to remember that as easy as it is to violate HIPAA, implementing hipaa training and policies to safeguard PHI and your organization is easier. That is why we created Accountable: an all in one cloud-based platform to help you achieve and maintain HIPAA Compliance. We give you the tools you need to train your employees, manage your vendors, and identify risk within your organization.
Oh, and it’s free to get started.