September 4, 2020
Even with everything else going on in the world today, HIPAA violations are still making headlines. While these news stories reinforce that the Office for Civil Rights (OCR) hasn’t let up on HIPAA enforcement, they also provide great examples of what not to do when it comes to your own practice. Based on these violations and recent OCR investigation data, we’ve compiled the top four types of violations investigated by the OCR:
1. Impermissible Uses & Disclosures
The reigning champion of HIPAA violations over the past 5 years – impermissible uses or disclosures – covers any access, use, or sharing of protected health information (PHI) that is done in a manner not permitted under HIPAA and compromises the security or privacy of a patient’s sensitive information. Common culprits include:
- Social media disclosures
- Careless handling of PHI (often involving theft or loss of unencrypted devices).
- Improperly releasing PHI to the press (for example, Memorial Hermann Health System’s $2.4 million settlement resulting from their disclosure of a patient’s PHI in a media press release in 2015).
Having the right policies in place outlining the proper ways staff may use and disclose PHI is key to ensuring your practice doesn’t join the growing list of improper use violators.
2. Missing Physical, Technical and Administrative Safeguards
HIPAA law requires practices to implement safeguards to ensure PHI is protected and secured. These safeguards include:
- Administrative: the policies and procedures that determine your organization’s processes, roles, and responsibilities.
- Physical: the safeguards in place to physically protect your practice and your PHI. This includes anything from locks on your practice doors to security systems.
- Technical: safeguards that protect electronic PHI from unauthorized access, for example unique user accounts and strong passwords, encryption, anti-malware software, and audit logs that record who accessed what.
Failing to implement key safeguards is what gets practices into trouble, which is why it is essential to perform a thorough initial Security Risk Analysis and to repeat it on an ongoing basis, so that missing safeguards are identified and addressed before they lead to a breach.
3. Improper Access
Your patient records shouldn’t be fair game to every employee regardless of their role. Any access to patient information that is not necessary to complete a specific job function is a violation of HIPAA, even if it is just a glance at a chart. With remote work becoming more and more common, we can expect improper access violations to rise as employees use data in less secure environments and with less supervision than there would be in a typical practice setting. Appropriate access is featured heavily in HIPAA, so limit each role to the records it actually needs, document those roles, and review access logs so that out-of-role access is caught.
It’s not just internal access to PHI that can get your practice into trouble. There are specific requirements for providing patients with copies of their own medical records as well, and while this may seem straightforward, 51% of providers fail to comply with the HIPAA Right of Access requirements. Understanding what the Right of Access entails is important to keeping your patients happy and avoiding a problem with the OCR.
4. Violations of Minimum Necessary Requirement
Less is more when it comes to sensitive health information. Only the minimum information necessary should be provided when PHI is requested, accessed, or disclosed. Violations of this requirement could include providing additional information, such as previous medical conditions, that does not pertain to the actual purpose of the task at hand. Having proper training and documented policies in place that define what information is considered necessary for each type of request is an essential piece of protecting your patients’ information and steering clear of a HIPAA violation.
A Violation is Just a Slap on the Wrist, Right?
While a violation in any of these areas could be minor, HIPAA civil penalties range from about a hundred dollars per violation up to an annual cap of roughly $1.5 million per identical provision, depending on factors such as:
- Whether the organization knew (or should have known) about the violation, whether there was reasonable cause, and whether it amounted to willful neglect
- Whether the violation was corrected promptly once discovered
- The number of records exposed
- Whether a breach occurred and whether it presents an ongoing risk to patients
The biggest settlement so far? $16 million in a single case. Monetary penalties aren’t the only thing you have to worry about if you find yourself facing a HIPAA violation. Knowingly obtaining or disclosing PHI in violation of HIPAA can be prosecuted criminally, with prison time as a possible outcome, and settlements routinely come with multi-year corrective action plans that add extra oversight and administrative work.
So How Can You Best Avoid a HIPAA Violation?
Many HIPAA violations can be attributed to a lack of employee education on what’s required under federal law. Violations aren’t usually intentional or malicious, which is why it’s so important to create a culture of compliance within your organization and promote good habits. Keeping up with your HIPAA compliance program and staying updated on any changes to federal regulations is the best way to keep your patients’ information secure and avoid ending up as another HIPAA headline.