Common HIPAA Violations and How to Avoid Them
Keeping up with HIPAA regulations is essential for any medical practice. Failure to comply can be costly, with HIPAA violation fines ranging from $100 to over $4 million, according to a recent article from Inspired eLearning. Violations occur when the acquisition, access, use or disclosure of Protected Health Information (PHI) is carried out in a way that results in a significant personal risk to the patient, resulting in the loss of privacy and vulnerability to identity theft or worse. There are two types of HIPAA violations: civil and criminal. Each type of violation has a different penalty structure:
Civil HIPAA Penalty
Civil penalties are given out if the individuals committing the violation did so without any malicious intent, that is, they were either neglectful or unaware that their actions were wrong. The penalties in such cases tend to be lower, ranging from $100 to $50,000 per violation, depending upon how the violation came about and was handled.
Criminal HIPAA Penalty
Criminal violations result from a person or organization acting with malicious intent. Criminal penalties, which are significantly harsher, range from $50,000 to $250,00 and typically involve prison time.
Most Common HIPAA Violation Examples
1) Lack of Encryption
To ensure that your PHI doesn’t fall into the wrong hands, you need to make sure that the data is encrypted. This adds an additional layer of cyber security on top of all the other best practices: even if there’s a breach and PHI data gets stolen, the hackers won’t be able to access it without the private key.
2) Getting Hacked
No one really expects to be a victim of hacking. You hear about security breaches and hacking incidents all over the TV, but you don’t think someone would go after you, specifically. Hacking, however, is a very legitimate threat. In 2018 alone, there have been over 25 hacking incidents that are currently being investigated for HIPAA violations. In many cases, the hackers are using ransomware, meaning they take over the data and threaten to delete everything unless they get paid.
3) Unauthorized Access
Employees accessing data they’re not authorized for is a very common HIPAA violation. Even if they are simply accessing the information out of curiosity, it’s still a violation and can result in both a fine and an information breach. Worst case scenario, your own employees might be selling PHI for personal gain. To make sure this doesn’t happen, you should establish an authorization system, only giving access to employees who need this data to perform their job function.
4) Loss or Theft of Devices
One of the most common HIPAA violations is a result of lost company devices. In 2017, Lifespan mentioned in a news release that someone broke into an employee vehicle and stole their work laptop. The device was not password-protected, and the personal information of over 20,000 patients wasn’t encrypted. The company did its best to fix the situation post-incident. There was, however, nothing they could do to prevent the information from being potentially misused. While it’s impossible to prevent your devices from being stolen with 100% certainty, it’s simple enough to avoid the information leak by using encryption to safeguard the data. So even if the device gets stolen, the thieves won’t be able to access the PHI.
5) Sharing Information
All confidential information should be shared on a need-to-know basis. While it might seem harmless to discuss cases with colleagues, it might end up resulting in information leaks or lawsuits. One of the most common hacking methods employed is called social engineering. Rather than directly hacking into computers, hackers try to trick relevant employees into giving out information. This can be information used to gain access to computer systems, or simply to get hold of PHI.
6) Disposal of PHI
It’s important for your employees to properly dispose of any unneeded PHI. This can apply to both physical documents and digital files. The best practice here is to store the information in a secure location and to delete/shred it if the document itself is of no more use.
7) Accessing PHI from Unsecured Location
A lot of clinicians work after-hours and use their personal computer to access PHI. While this might seem innocent at a glance, it can have disastrous consequences. A family member could inadvertently download malware on the computer, thereby giving hackers access to ePHI. And that’s just the start of the potential problems. The best practice is to have a dedicated laptop for anything to do with patient information and to access it from a secure location.
How to Avoid HIPAA Violations
The real cause of all the HIPAA violation examples we’ve mentioned so far is the lack of employee training. An employee who knows how the regulations work (and how to stay compliant) is far less likely to make any of the mistakes outlined.
Training is key – and isn’t simply a recommendation. It is mandatory. All workforce members are required to learn about HIPAA compliance requirements. Regulations state that this should happen in 3 cases: when a new employee is hired, when there are changes to the regulations, and periodically, to make sure everyone has the right know-how.
If you’re looking to get your employees up to speed on HIPAA compliance, but don’t know how to begin, contact HIPAAcraticRx. While implementing a compliance program may seem overwhelming, HIPAAcraticRx helps navigate the ambiguity with its 5-tier path to compliance. Each tier builds upon the one before it, to forge a solid foundation of trust and integrity. Take the stress out of HIPAA compliance by enlisting HIPAAcraticRx as your ongoing partner in ePHI privacy and security.