What are HIPAA Violations?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to set the guidelines for how to safeguard a patient’s individual health information. This law is full of requirements and expectations that companies need to follow in order to be considered compliant with HIPAA. The difficult and complex steps that compliance requires can often lead to intentional and unintentional violations of parts of HIPAA. Here we’ll discuss the most common HIPAA violations and what you can do to avoid them and their costly consequences.
There have been multiple updates to the act over the following decades to help improve the security and privacy standards set in place to ensure the sanctity of patient information, including the Privacy Rule, Security Rule, HITECH Act, and Breach Notification Rule. Each of these rules contains many provisions that, if broken, would result in a violation of HIPAA.
Violations of HIPAA can look different depending on the type of healthcare business that is being operated. However, the bottom line is that whenever a violation occurs, it can only mean that protected health information (PHI) was not guarded properly. PHI refers to any type of personally identifiable health information pertaining to a patient that must be carefully protected and encrypted before it is transmitted in any way. Whether they are unintentional or due to a deliberate lack of proper compliance, HIPAA violations are common, but they are also extremely costly.
Penalties for HIPAA Violations
Not only do HIPAA violations risk PHI ending up in the wrong hands, but they can also lead to costly civil or criminal penalties. The penalties for violating aspects of HIPAA fall on different levels depending on the amount of negligence on the part of the organization. The Department of Health and Human Services can levy fines that range from $100 to $50,000 for an individual violation, with the maximum yearly amount being $1.5 million for total violations. In some cases, individuals held responsible can serve jail time for their involvement.
The cost of noncompliance with HIPAA can be crippling to an organization. The penalties for HIPAA noncompliance are based on the perceived level of negligence and can range from $100 to $50,000 per individual violation, with a maximum penalty of $1.5 million per calendar year for violations. Violations can also result in jail time for the individuals responsible.
How are HIPAA Violations discovered?
Violations of HIPAA can fly under the radar for months or even years until they are discovered. The longer a violation exists, the steeper the penalty will be when it is finally discovered. Therefore, it is critical that each organization that falls under the purview of HIPAA conduct regular risk assessments to ensure that violations are discovered and corrected before they are uncovered by regulators. Failure to conduct a risk assessment and then take corrective action can open your organization to higher-tier penalties.
Outside of self-reporting a violation, the two main triggers for an investigation of an organization by a state attorney or the Office of Civil Rights are a report of a breach from a third party and complaints about a covered entity or business associate.
There are countless ways that the provisions of HIPAA can be broken, but here are five of the most common types of HIPAA violations and some steps to avoid them in your own organization:
Unsecured/Unencrypted Patient Records
Patient records contain all types of identifiable protected health information that, under the HIPAA regulation, must be safeguarded and carefully encrypted when stored electronically. The failure to protect these records properly is one of the most common mistakes that can lead to HIPAA violations. Whether patient records are kept electronically or in a physical copy, staff need to be aware of where the files are placed, even if it's just for a moment. Leaving a patient's record out on a counter or pulled up on an unattended computer leaves that PHI exposed to unauthorized access by anyone who is nearby.
HIPAA requires that all records and information are kept in secure locations, not accessible to unapproved employees, family members or any other person that might pass by. It is important to train employees to lock all paper files in secure file cabinets and to ensure that all digital records are encrypted and password protected. Electronic protected health information (ePHI) can be easily accessible to criminals if it is not properly encrypted and only accessed on approved devices.
Lack of Employee Training
Since healthcare employees regularly handle and discuss identifiable health information, their misuse of this important information has been a common cause of breaches of PHI. Whether that happens through conversations about a patient in a public location or discussing any type of PHI on social media, employees must be aware of these risks.
Improper disclosure of PHI on social media is a particularly common way that employees have caused violations of the law and breaches of PHI. There are advantages to using social media in the healthcare industry, but there are also considerable risks. All employees with access to patients or PHI should be clearly trained and briefed on which of their actions would constitute a PHI breach through social media.
Employee training is extremely important when it comes to preventing employees from misusing or disclosing PHI in any improper way. From their initial hire date and with regular upkeep, healthcare employees need to be carefully trained on all the procedures and safeguards to protect PHI from any possible risk. Not only is employee training a good idea to prevent HIPAA violations, but it is also required in order to be fully HIPAA compliant!
Improper Disposal of PHI
In addition to storing and sharing protected health information in a safe and secure way, healthcare organizations must also be careful to dispose of any unneeded PHI properly. Whether they have been kept in a physical or electronic form, documents need to be permanently destroyed and disposed of so that they cannot end up in the wrong hands.
In order to fully comply with HIPAA rules, physical copies of PHI should be shredded and burned when they are no longer needed. Disposing of electronic protected health information (ePHI) means fully wiping the information from the device or even entirely destroying the devices or hard drives where the ePHI was stored. It is best to set up clear standards for how to dispose of these forms of information within your practice so that each time information becomes unneeded, it is guaranteed to be permanently destroyed.
Lack of Organizational Risk Assessments
Since HIPAA consists of many rules that require a great level of understanding to ensure full compliance, healthcare organizations should regularly conduct organization-wide risk assessments of their handling of PHI. A risk analysis should reveal any weaknesses in the way the organization is currently handling, protecting or sharing protected health information. Once vulnerabilities have been identified, organizations can then take steps to improve their HIPAA compliance and guarantee better protection of PHI moving forward.
As technology advances, there are bound to be additions or changes to HIPAA compliance that require additional steps to be taken. Conducting regular risk analyses will make sure that healthcare providers are able to put any new policies or safeguards into place as needed. If you’re looking to start identifying the risks in your organization, try our free Risk Analysis and see where you might need better safeguards!
Loss or Theft of Devices
A very common cause of a HIPAA violation is the loss or theft of a company’s technology that contains PHI. Employees who need to access identifiable health information in order to do their jobs must be extremely careful to guard their devices against loss or theft. Although it is not possible to entirely protect your technology from being stolen, it is possible to encrypt and safeguard all the information that is held on the device. This ensures that even in the unfortunate event of a lost or stolen device, the person who takes it would not be able to access the information and therefore would not be able to accomplish their potentially harmful agenda.
Don’t Violate HIPAA. Be Compliant Instead
Although it is easy and common to violate HIPAA in one of these ways, it can also be easy to understand the rules of HIPAA and implement proper training for employees. All it takes is a little help! That is why Accountable was created. We are here with an easy software platform that gives you all the resources to keep your employees trained, identify risks in your organization and manage any vendors you may work with. Plus, it’s free to get started today!