It is common knowledge that HIPAA violations are still a problem, and they continue to mount every year. In this blog, we will go over some of the most common HIPAA violations as they relate to Protected Health Information (PHI).
According to Verizon’s Data Breach Investigations Report, employees caused 39% of healthcare breaches in 2021, compared with 18% in other industries. The Health Insurance Portability and Accountability Act (HIPAA) is a topic we cover quite regularly in this blog.
This standardized set of rules and regulations has been in force for more than 25 years now. You might think that the United States Department of Health and Human Services (HHS) doesn’t see many violations anymore. Well, you would be wrong.
HIPAA sets the standard for both streamlining and protecting private health information across the United States. That means that whenever you go to the doctor, you know that your medical records and data are secure and known only to you and your provider, unless you authorize someone else to access them, which we will get into in a bit.
HIPAA aims to:
Every healthcare worker, covered entity, and business associate must protect this information. Failing to do so can result in a HIPAA violation, which can mean termination of an employee, a hefty fine, or even jail time.
We compiled 13 of the most common HIPAA violations so you don’t have to find out about them the hard way!
Unfortunately, many of these violations are the result of simple misunderstandings. Regardless, when misunderstandings go unchecked, patients and employers alike can suffer significant harm. That is why you should include these violations in your yearly HIPAA compliance training.
Let’s go over them now.
This first violation gives the impression of someone in spy gear hanging from a ceiling and rummaging through files… or is that just me? Anyway, snooping through protected health information doesn’t actually take that much effort and is more common than many of us would like to believe.
“Snooping” consists of accessing patient health records for purposes other than those accepted by the HIPAA Privacy Rule.
This includes looking through records of:
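Snooping leaves a trail in the EHR access audit log, and the review a privacy officer performs over that log can be automated. The following Go program is an added example, not code from the original post: it parses a constructed five-column audit log (timestamp, user, patient, action, purpose), compares each access against a constructed care-team assignment table, and flags accesses with no documented care relationship, emergency overrides that need a justification on file, and staff opening their own chart. All user names, patient IDs and the log layout are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessEvent is one row of an EHR access audit log. The five-column CSV layout
// (timestamp,user,patient,action,purpose) is assumed for this example.
type AccessEvent struct {
	Timestamp string
	UserID    string
	PatientID string
	Action    string
	Purpose   string // treatment, payment, operations, break-glass, or empty
}

// Finding is one access that a privacy officer should review.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// constructedLog is sample audit data, embedded so the example runs offline.
const constructedLog = `2024-03-04T09:12:00Z,nurse.amy,P1001,view,treatment
2024-03-04T09:15:00Z,nurse.amy,P2002,view,treatment
2024-03-04T10:40:00Z,clerk.bob,P1001,view,payment
2024-03-04T11:02:00Z,clerk.bob,P3003,view,
2024-03-04T12:30:00Z,dr.chen,P4004,view,break-glass
2024-03-04T13:05:00Z,nurse.amy,P5005,view,treatment`

// careTeam lists the patients each user is currently assigned to (constructed).
var careTeam = map[string]map[string]bool{
	"nurse.amy": {"P1001": true, "P2002": true},
	"clerk.bob": {"P1001": true},
	"dr.chen":   {"P1001": true},
}

// ownRecord maps staff who are also patients to their own chart (constructed).
var ownRecord = map[string]string{
	"nurse.amy": "P5005",
}

// parseLog turns the CSV text into events, rejecting malformed rows.
func parseLog(raw string) ([]AccessEvent, error) {
	var events []AccessEvent
	for i, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		events = append(events, AccessEvent{f[0], f[1], f[2], f[3], f[4]})
	}
	return events, nil
}

// detectSnooping flags accesses that fall outside a documented care relationship.
func detectSnooping(events []AccessEvent) []Finding {
	var findings []Finding
	for _, e := range events {
		switch {
		case ownRecord[e.UserID] == e.PatientID:
			findings = append(findings, Finding{e, "staff member opened their own chart"})
		case careTeam[e.UserID][e.PatientID]:
			// Assigned to this patient: an accepted treatment/payment/operations use.
		case e.Purpose == "break-glass":
			findings = append(findings, Finding{e, "emergency override outside care team; needs documented justification"})
		default:
			findings = append(findings, Finding{e, "access outside assigned care team with no accepted purpose"})
		}
	}
	return findings
}

func main() {
	events, err := parseLog(constructedLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detectSnooping(events) {
		fmt.Printf("%s %s -> %s: %s\n", f.Event.Timestamp, f.Event.UserID, f.Event.PatientID, f.Reason)
	}
}
```

On the constructed log this reports three of the six accesses: clerk.bob opening P3003 with no care relationship, dr.chen's break-glass access to P4004, and nurse.amy opening her own chart. A real deployment would pull the assignment table from scheduling or admission data and route findings to the privacy officer rather than printing them.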
A HIPAA violation that regularly results in a financial penalty is the failure to perform a risk analysis. It must be performed regularly because potential threats are always evolving.
If this is not done regularly, organizations will have a hard time determining whether any vulnerabilities to the integrity and confidentiality of PHI exist. They may overlook threats that leave the door wide open to data breaches that are otherwise preventable.
Performing a risk analysis is one thing, but what if you do this just to check a box for your compliance team and nothing more? Surely you’ve done your job and are doing everything in your power to avoid a violation, right? Hate to break it to you, but you’re still at risk.
Any risks identified must run through a risk management process. Not only this, but organizations must apply this process within a reasonable time frame to avoid HIPAA violations. Ignoring this important step can mean a penalty.
This might seem obvious, but any disclosure of PHI that is not permitted under the HIPAA Privacy Rule is a direct violation. These slip-ups, whether intentional or not, often attract financial penalties.
This includes:
Patients have the right to access their medical records, such as diagnoses and test results, as well as obtain copies on request. Thanks to the HIPAA Privacy Rule, this is a well-known fact… but can be easily overlooked.
Employees may have the best intentions to send a patient’s information after receiving a request, but they may forget to do so on a particularly hectic day at the office.
Failing to provide records, overcharging for copies of records, or flat-out denying patients access to records will likely land you in very hot water. The HIPAA Privacy Rule requires the response time to be no more than 15 days from the date of the request.
When disclosing PHI to a third party, an authorization form must be present before sending. A patient must fill out this form to authorize the sharing of any information that is not permitted under the HIPAA Privacy Rule.
Examples of permitted information include:
Healthcare employees must make sure that PHI is not disclosed to any individual who is not named in the authorization paperwork. Note that these forms are valid only if signed by the patient or a nominated representative.
Similarly, employees must be cautious of the types of information released to third parties. This is true even when an authorization form is present. Any information shared that isn’t specifically outlined in the authorization form is a HIPAA violation.
When PHI or records are not collected in person by the patient, any third party involved must hold an authorization from the patient. Employees must verify the identity of whoever is collecting the records and release the authorized records only to that authorized individual.
So you have the authorization form and every intention of sending the PHI to the approved individual or organization. Great! Just make sure to fulfill the request on time to avoid a HIPAA violation. As I mentioned earlier, employees are too often so bogged down by their day-to-day responsibilities that an authorization request goes unnoticed. This is how PHI ends up being released after the authorization’s expiration date, which is unauthorized access.
If a request is past the expiration date, an employee must complete a new authorization form.
These forms must include:
Failing to enter into a HIPAA-compliant Business Associate Agreement (BAA) with vendors that have access to PHI is another big HIPAA violation to look out for. Even when you have BAAs in place with all of your vendors, those agreements may still fall short. Make sure that they follow the Omnibus Final Rule.
Side note here, the HIPAA Omnibus Rule requires healthcare providers to:
Here is an easy way to avoid a data breach, and consequently a large fine: encrypt your PHI. Unless the key to decrypt the data is readily available, a breach of encrypted PHI is not a reportable security incident.
While encryption is not mandatory under HIPAA, you should not overlook it. If encryption is not an option, organizations must look into equivalent security measures to avoid leaked data.
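The condition in the passage above, that the decryption key must not be readily available alongside the data, is what the following added example illustrates. It is not code from the original post; it seals a constructed ePHI record with AES-256-GCM from Go's standard library, binds the record ID as associated data, and shows that without the right key the stored bytes cannot be opened at all. The record contents, IDs and the assumption that the key lives in a separate KMS or HSM are all made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit AES key. In a real deployment the key is held
// in a KMS or HSM (assumed here), never on the same disk, backup or device as
// the ciphertext; that separation is what makes a lost copy of the data unreadable.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealRecord encrypts one ePHI record with AES-256-GCM and returns nonce||ciphertext.
// The record ID is bound as associated data so a ciphertext cannot be moved
// between patients without decryption failing.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. A wrong key, a wrong record ID or any tampering
// makes GCM's authentication check fail, so no partial plaintext is ever returned.
func openRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; real PHI would come from the EHR.
	record := []byte(`{"patient":"P1001","dx":"J45.20","note":"follow-up in 6 weeks"}`)
	blob, err := sealRecord(key, "P1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for P1001\n", len(blob))

	back, err := openRecord(key, "P1001", blob)
	fmt.Printf("with the key: %s (err=%v)\n", back, err)

	// A different key stands in for the key that is absent from a lost laptop:
	// the stored bytes stay unreadable and the failure is a clean error.
	otherKey, _ := newKey()
	_, err = openRecord(otherKey, "P1001", blob)
	fmt.Printf("without the key: err=%v\n", err)
}
```

The safe harbor the passage describes only holds if the key is genuinely separate: an encrypted laptop whose passphrase is on a sticky note, or a database whose key sits in the same backup, still gives the finder readily available access and the breach remains reportable.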
Just as there is a time frame employees must follow when providing patients with their records, there is a timeline for issuing breach notifications.
The HIPAA Breach Notification Rule requires covered entities to alert the appropriate individuals and organizations following the discovery of a data breach. Organizations must do this no later than 60 days after uncovering the breach.
Both physical PHI and electronic PHI (ePHI) pose a risk if left unattended. When these forms of data are no longer required, disposing of them properly and permanently is your number one priority.
For paper records, this might look like shredding. For ePHI you can securely wipe devices, degauss hard drives, or destroy electronic devices.
Last, but certainly not least, we have the risk of a lost or stolen device that holds sensitive health information. That’s right, misplacing your work computer can get you in deep trouble and earn you a HIPAA violation.
The risk doesn’t end with computers.
The device in question might be a tablet, phone, etc. No matter the device, if it holds patient information and has the possibility of landing in the wrong hands, it’s a problem.
Obviously, we all want to be HIPAA compliant. Imagine being the employee that costs your employer millions of dollars in (avoidable) fines.
Here are some fundamental elements that you can apply to your HIPAA compliance training program:
Common HIPAA violations have the potential to harm the reputation and workflow of any organization, not to mention the privacy of the patients affected.
Healthcare employees should never let their guard down, as even the smallest mistakes can result in a fine or termination… or even jail time.
Making sure your staff consistently meets HIPAA compliance is a great way to be proactive in avoiding violations.