What Is A HIPAA Violation?
With fines of up to $50,000 per HIPAA violation and a maximum annual penalty of $1.5 million per violation, medical practices must always comply with HIPAA. And while all potential HIPAA violations should be considered possible threats to your clinical practice, some are more common than others.
Because HIPAA rules are complicated and always changing, keeping up with the latest changes and the most common ways they’re broken is hard. By ensuring your staff is well-trained in HIPAA compliance and knows which violations happen most often, your practice can better protect itself from violations.
We’ve made a list of the ten most prevalent HIPAA violations so that your practice can take steps to stop them. Here are the most common HIPAA violations and some tips on how to avoid them.
What is a HIPAA Violation?
Simply put, a HIPAA violation is any action or event that goes against the rules or standards in the Act. Events or actions that break the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, or the HIPAA Final Omnibus Rule are included in this definition.
Even though the full text of all HIPAA rules is well over a hundred pages long, and numerous things could be HIPAA violations, some of these are seen repeatedly.
Most HIPAA rules are broken when:
Keeping records insecurely
As part of their training, all your staff should be told to keep PHI-containing documents safe. Physical files with PHI should be locked in a desk, filing cabinet, or office. Digital files should be encrypted whenever possible and should require secure passwords to open them.
Unencrypted data
There are clear risks to leaving PHI data open without encryption. If a device with PHI is lost or stolen, encrypting the data is an extra safety measure. It adds an extra layer of security in case a password-protected device is hacked or broken into in some other way. Even though it’s not a strict HIPAA rule, it’s strongly suggested. You should also know the rules in your state, because many states have enacted laws that say ePHI and PII must be encrypted.
Hacking is dangerous to medical ePHI, even though we’d like to think it would never occur. Some people would use this information for bad things, so medical practices must protect themselves from hacking as much as possible.
A great place to start is by making sure that all devices with ePHI have active and up-to-date antivirus software. Using firewalls is another way to keep your computers safe. Creating unique passwords that are hard to guess and changing them often is another important step to stop hackers.
Devices that get lost or stolen
In June of 2016, a case was settled over a stolen iPhone that held a lot of ePHI, such as social security numbers, treatment and diagnosis information, medications, and more. The iPhone was neither password-protected nor encrypted, so anyone with the phone could access all of the ePHI.
The violation happened at Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The data breach affected 412 people, including nursing home residents and their family members. CHCS was fined $650,000.
Unfortunately, devices with ePHI can be lost or stolen if they are not always kept in a safe place. If the information on these devices is not encrypted or protected by a password, losing or having them stolen is an even bigger problem.
Lack of training for employees
Every employee who works with PHI must be well informed about HIPAA rules and compliance. The HIPAA law requires that all employees get HIPAA training; this is more than just a suggestion. All your staff must be well-trained in the law and in the policies and procedures for your practice.
PHI Spying / Sharing
Even though small talk around the water cooler could be harmless, PHI should never be discussed. There is no reason to speak about PHI with co-workers. Also, there is a big fine for doing it.
Medical practice employees with access to PHI about patients must be careful about what they tell others. People should always be aware of who might be listening when they talk about PHI. Talking about PHI should only happen behind closed doors and with the right office staff.
When an employee tries to look at protected health information (PHI) that they are not allowed to see, HIPAA is broken. This is not always done on purpose. Most of the time, it’s just out of curiosity. However, the punishment is always the same. This HIPAA violation can be avoided with thorough training, clear rules about who can access what, and a clear explanation of what will happen if the rules are broken.
Misuse of records
The most important thing to train your staff about HIPAA rules is how to get rid of PHI records correctly. Staff members should know that any material that contains PHI, like social security numbers, surgical treatments, diagnoses, etc., should be shredded, destroyed, wiped from the hard drive, etc.
If any of this data is left out in the open, like in a trash can or a computer’s recent files folder, it could fall into the wrong hands, which is a serious HIPAA violation. You can stop this from happening by giving your employees the right training and having a compliance officer or other staff make sure they follow the rules.
Unauthorized Sharing of Information
This privacy breach often happens when members of the media reveal PHI about public figures and celebrities. It can also happen when medical staff give PHI to family members who shouldn’t have it. Only a patient’s dependents and people holding a Power of Attorney may see their PHI.
Disclosure of PHI to a Third Party
When discussing PHI, only those who need to know, such as the patient, their doctor(s), and the person(s) billing for the procedure, medicine, or other associated services, should be permitted access. When you have access to PHI and talk about it with someone who doesn’t have the right to see it, you are breaking HIPAA. Yet it happens quite often.
Again, you can stop most data leaks caused by this violation by teaching all staff members who have access to PHI about HIPAA rules. Another instance of third-party disclosure would occur if a staff member accidentally gave out information about the wrong patient. In this case, the act could have been done by accident, but the repercussions would be the same as if it had been done on purpose.
Keep your medical staff up-to-date on HIPAA rules, and ensure your policies and procedures align with the most recent rules. Teach them to be cautious with PHI records and to share PHI only with people who are allowed to see it. You could get a big fine or even jail time if you don’t.