Some of the Most Common HIPAA Violations
February 28th, 2017 | By
Five Steps to Protect Your Practice Against the Most Common HIPAA Violations
The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for 21 years and was initially enacted to improve the efficiency and effectiveness of the American health care system. Today, HIPAA primarily focuses on safeguarding the confidentiality of protected health information (PHI), while the Office of Civil Rights (OCR) acts as the main oversight entity for enforcing HIPAA compliance, conducting routine audits and investigating reports of data breaches to ensure adherence by the medical community.
Ignoring HIPAA requirements is defined as “willful negligence” and is subject to extreme penalties, including fines as high as $50,000 per instance and criminal charges punishable by prison time. Unfortunately, HIPAA violations are all too common and are usually committed without any malicious intent. Large or small, all medical organizations must have a firm grasp of HIPAA’s privacy, security, and breach notification rules.
The Eight Most Common HIPAA Violations
1. Unprotected Lost, Stolen, or Lease Return Devices
Any device your entity uses to access confidential patient data is subject to scrutiny if lost or stolen. This includes desktops, laptops, mobile devices, and home computers with access to patient information. This HIPAA violation can happen in a snap, especially with mobile devices because of their small size. If your office leases copiers or anything else with a hard drive, make sure it’s wiped completely clean before release; this responsibility falls on your practice, not the lease agent. The single best protection is data encryption: even if the machine falls into the wrong hands, the patient data can’t be read, and OCR looks upon this very favorably, as evidenced by the $3.2 million fine charged to The Children’s Medical Center of Dallas for failure to encrypt data on stolen devices. Lastly, verify that all devices holding data are password protected and use robust user login authentication protocols.
2. Employee Snooping and Blabbing
HIPAA violations come in two categories: negligent and intentional. Snooping is considered an intentional HIPAA violation even if the employee didn’t know it was out of compliance. Employees are not allowed to view patient information if not necessary to provide care. Perusing medical files about a family member, local politician, or celebrity without a medical reason is strictly prohibited. Both in the office and out, employees are not allowed to discuss patients with other employees if not medically necessary, speak in public where other patients may overhear, or share PHI with their family, friends, or on social media.
3. Hacker Attacks
Hacker attacks are increasingly sophisticated and organized, with higher stakes. They are no longer the rinky-dink virus focused on shutting computers down or defacing a website; now attackers are stealing and selling valuable data in crimes that will do more than just embarrass a practice: they can completely destroy it. The two most common paths for hackers are employees and sloppy computer maintenance that lets malware find holes in the security system. In defense of employees, hackers are ingenious at creating realistic-looking emails to trick staff into clicking through links or downloading files that wreak havoc on your network. Texas-based Integrity Transitional Hospital reported that data for 30,000 patients was compromised when lab results stored with PHI were hacked and downloaded. Integrity’s security logs identified the breach and they took immediate action to alert affected patients, but they are still liable for the HIPAA violation.
4. Texting Patient Information
Although texting is a quick and easy way to transmit test results and other patient data between healthcare professionals, texting PHI without encryption on both ends is a HIPAA violation. While there are apps that successfully encrypt text data, the tool is required on both devices to be in compliance. This model, with multiple devices, can be quite complicated, so many organizations choose to add a managed service provider with HIPAA compliance expertise to their team, either as the primary source or to supplement their internal IT staff.
5. Unauthorized Access of Patient Files
Patient record mishandling, another big-ticket HIPAA violation in both the electronic and paper realm, happens every day. Paper charts must be kept locked, accessible only to care providers, and can’t be left anywhere accessible to other patients. Electronic data is trickier. It starts with employees being required to access PHI via a robust user login authentication and password protocol. The organization is responsible for constant monitoring to verify that employees aren’t accessing data they shouldn’t, that they don’t share login data, and above all that outsiders (hackers) haven’t made attempts to break in. Ex-employees will come back to haunt you: in the case of Memorial Healthcare System’s $5.5 million HIPAA violation, the login credentials of a former employee had continued to be used daily to access patient data for over a year. The term regulators use for securing patient data is access control, and it’s a biggie. Horizon BCBS was recently fined $1.1 million by OCR for stolen equipment without encryption and, even worse, with no access control, offering PHI to anyone with access to the device.
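The monitoring described above, where the practice checks who is opening charts against who is still employed and what their role needs, is easy to state and easy to skip. The following is an added example, not code from the original article or from any of the organizations it names: a small audit that replays constructed EHR access-log lines against a staff roster and flags the two patterns the text describes, credentials of a former employee still in use after the termination date and chart access by a role with no clinical need. The roster, account names, dates, roles and log format are all constructed assumptions, not real data or any vendor's format.

```python
"""Added example (not from the original article): an access-control audit.

It replays constructed EHR access-log lines against a staff roster and flags
credentials of a former employee still in use after termination, and chart
access by a role with no clinical need. Every name, date and the log format
here is a constructed assumption, not real data or any vendor's log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed roster: account -> (role, termination date or None if active)
ROSTER = {
    "jdoe": ("nurse", None),
    "rlee": ("billing", None),
    "kformer": ("physician", date(2016, 1, 15)),  # left the practice
}

# Roles allowed to open clinical charts (assumption standing in for a real
# minimum-necessary policy; billing staff may see invoices, not charts)
CLINICAL_ROLES = {"nurse", "physician"}

# Constructed log, one event per line: "<ISO date> <account> <action> <patient id>"
SAMPLE_LOG = """\
2016-03-02 jdoe view_chart P1001
2016-03-02 kformer view_chart P1002
2016-03-03 rlee view_chart P1003
2016-03-03 rlee view_invoice P1003
2016-03-04 kformer view_chart P1005
2016-03-04 unknownuser view_chart P1004
"""


@dataclass(frozen=True)
class Finding:
    when: date
    account: str
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (date, account, action, patient id)."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed log line: {line!r}")
    when, account, action, patient = parts
    return date.fromisoformat(when), account, action, patient


def audit(log_text, roster=ROSTER):
    """Return a Finding for every log line that breaks the roster rules."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, account, action, _patient = parse_line(raw)
        # An account nobody on the roster owns is the first thing to chase.
        if account not in roster:
            findings.append(Finding(when, account, "account not in roster", raw))
            continue
        role, terminated = roster[account]
        # Former employee's credentials used after the termination date.
        if terminated is not None and when > terminated:
            findings.append(Finding(when, account, "terminated account still in use", raw))
        # Chart opened by a role that has no clinical reason to see it.
        if action == "view_chart" and role not in CLINICAL_ROLES:
            findings.append(Finding(when, account, f"role '{role}' may not open charts", raw))
    return findings


def days_in_use_after_termination(findings):
    """Count distinct days each terminated account was used; persistence over
    many days is what turned the case in the text into a year-long exposure."""
    days = defaultdict(set)
    for f in findings:
        if f.reason == "terminated account still in use":
            days[f.account].add(f.when)
    return {account: len(dates) for account, dates in days.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.when} {f.account}: {f.reason}")
    print(days_in_use_after_termination(results))
```

In practice the roster would come from the HR system and the log from the EHR's audit trail, and the job would run on a schedule rather than once; the point is that the disabled-account check is a join between two data sources the practice already has, and the day count shows how long an exposure has been running.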
6. Employee Social Media
Social media, that awesome connector, is Pandora’s box in the HIPAA world. Why? Employees don’t think before acting. Posting patient photos on social media, with or without names, is a firm HIPAA violation. A seemingly innocent mistake is common: employee selfies where either a patient or some type of confidential data is in the background, making the cutesy pic a big violation once posted to social media. Raise awareness by sharing this avoiding HIPAA violations social media checklist at your next staff meeting.
7. Home Computer or Mobile Device Access Breaches
With our transient workforce it’s expected that healthcare professionals will need to access patient data from home or via their mobile devices, which adds yet another security level that must be covered. Unauthorized users can catch a glimpse of PHI on a home laptop or mobile device. Supporting such devices extends the safeguards required against hacker attacks: if they are used to access PHI, they are within the security scope of the medical practice and must be in compliance.
8. Lack of Employee Training
It’s estimated that 43% of HIPAA violations are caused by insiders, making your employees one of the greatest compliance risks. Conducting HIPAA compliance training once is not enough; for best results make it an ongoing affair. The spectrum of mistakes employees make is like the Grand Canyon, and a few examples will blow your mind: Anthem Healthcare reported that 3,500 Medicare members were compromised when an employee sent PHI data to his personal email address to track his commissions, and, my personal favorite, a physician running for Senator in VA sent letters to her patient base asking for their support in the upcoming election.
Avoiding HIPAA violations through stringent compliance practices is no easy task. If it feels like a lot, that’s because it is. Learn ways to protect your practice, and remember that it’s likely easier to hire a managed service provider with compliance experience to quickly get on the right track.