HIPAA violations are common occurrences throughout the medical industry. Inadequate security protocols, failure to perform comprehensive risk audits, and human error are just a few of the many contributing factors that result in breaches of HIPAA regulations.
The following information discusses 9 of the most common HIPAA violations that occurred in 2019, the potential damage they can do to an organization, and how you can reduce the risk associated with each one – or even prevent it altogether.
HIPAA’s Privacy Rule only permits access to patient health records for a few specific reasons, such as treatment, payment, and healthcare operations. Any other reason for access on the part of a healthcare provider or employee is invalid, and considered to be a violation of patient privacy.
Sadly, “record snooping” is one of the most common HIPAA violations that occur today. Unauthorized employees will often look through the records of friends, family members, neighbors, colleagues, and even celebrities. If such violations are uncovered, they typically lead to the immediate dismissal of the guilty employee, and sometimes result in criminal charges.
They may also result in stiff financial penalties for the organization involved. For example, the University of California Los Angeles Health System was fined $865,000 for its failure to restrict an unauthorized doctor’s access to the confidential medical records of certain celebrities.
In order to prevent record snooping, it’s important that you set up adequate security controls that restrict general access to patient records, even among employees. This could include advanced password protection for electronic protected health information (ePHI), or logging requirements that mandate documentation for each time a record is accessed.
Failure to Perform and/or Act Upon a Risk Analysis
Many organizations neglect to perform a comprehensive, enterprise-wide risk analysis. They are thus unable to pinpoint vulnerabilities in their security system or confidentiality process. Other healthcare providers do undertake a risk analysis, but fail to act upon the insights gleaned from the audit — or they wait to address pressing issues until it is too late.
An organization-wide risk analysis could uncover any number of flaws in current security measures, such as network vulnerabilities, weak authentication protocols, or even a general lack of effective training. (For instance, one study found that 36% of medical office professionals don’t have a clear understanding of HIPAA regulations.)
There could be harsh fines associated with failure to perform or act upon an organization-wide risk analysis. In order to avoid these penalties, as well as any loss of credibility, you should either implement an in-house risk analysis ASAP, or contract with a reputable 3rd party auditor to perform the task for you. Then, once the results of the audit are in, prioritize action items by order of importance. Though these steps involve an upfront investment of time and resources, they can prevent many problems in the future.
Failure to Enter Into a HIPAA-Compliant Business Associate Contract
A healthcare provider’s business associates typically include a number of vendors that are given access to PHI. If agreements with these business associates do not include HIPAA-compliant language and clauses, then the organization may be vulnerable to penalties for HIPAA violations.
It is also important to note that older business associate contracts may have been HIPAA-compliant at one point, but may not currently be so — especially if they went into effect before the 2013 Omnibus Final Rule from the HHS. Negotiated settlements for such HIPAA violations have ranged from $400,000 to $1.55 million.
In order to prevent heavy fines from a non-compliant business associate agreement, it is important to revise any contracts that went into effect pre-2013. With regards to new agreements, follow the guidelines posted by the HHS as to the appropriate language and clauses to incorporate into any contract.
Inadequate Access Controls for ePHI
In past decades, much Protected Health Information could only be accessed via hardcopy, which was both less convenient and in some respects more secure than today’s electronic access points for PHI. Nowadays, of course, it would be very difficult for healthcare providers and medical office professionals to do their job without the ability to digitally access necessary patient information.
Nevertheless, the HIPAA Security Rule requires that both covered healthcare providers and their 3rd party business associates implement access controls for ePHI, so that only authorized individuals can get in. Failure to integrate such access controls into organizational infrastructure is one of the more common HIPAA violations uncovered by the Health and Human Services office and state attorneys general each year.
In order to avoid the heavy fines associated with unauthorized ePHI access, ensure that your organization has robust information system monitoring protocols in place. Explore different security measures, such as 2-step authentication, and determine which ones will maintain HIPAA compliance without being an excessive burden on authorized employees.
Failure to Use Encryption or an Equivalent Security Measure
Data encryption is one of the most common and effective ways to prevent serious information breaches, such as unauthorized access to PHI. Encryption is such a powerful security measure that breaches of encrypted health information are not considered reportable security incidents unless the encryption key has also been taken.
Granted, encryption is not mandated under HIPAA regulations. However, if a company does not utilize encryption as a security measure, then it must implement an equivalent method. For example, pseudonymization is an acceptable alternative to data encryption, and with proper planning can be considered both GDPR and HIPAA-compliant.
Failure to use encryption can lead to serious penalties. For example, the Children’s Medical Center of Dallas paid out $3.2 million in civil fines for failing to address known security risks, such as no data encryption on portable devices. To reduce the risk of data breaches, make sure that you use encryption techniques, or a robust security alternative.
Impermissible Disclosures of PHI
Impermissible disclosures include a broad range of HIPAA violations. Any disclosure of PHI that is not permitted under the HIPAA Privacy Rule falls under this category. Such violations could include:
- Improper disclosure to a patient’s relative, friend, employer, etc.
- Potential disclosures resulting from the theft or loss of portable devices that carried PHI
- Potential disclosures from careless handling of PHI
- Unnecessary disclosures
- Disclosing PHI after patient authorization has expired
Impermissible disclosures can result in millions of dollars’ worth of civil fines. In order to reduce the risk of impermissible disclosure, train your employees that handle PHI, especially on portable devices, as to security best practices (e.g., not leaving a laptop unattended in a public setting, always locking the computer screen, and so forth). In addition, make sure that there is a process in place, such as a checklist, to ensure that a disclosure is permissible before giving out the information.
Denying or Delaying Patient Access to Health Records
HIPAA regulations give patients the right to access their medical records, as well as obtain copies on request, in a timely and expedient manner. Companies that deny patients access to their own records, overcharge for copies, or neglect to provide requested copies within 30 days are in violation of the HIPAA Privacy Rule.
Denial of patient access can lead to stiff civil fines. For instance, Cignet Health of Prince George’s County was fined $4.3 million for denying patients access to their own records. While historically this is not a common HIPAA violation in terms of financial penalties, since 2019 the Office for Civil Rights has started to crack down on this aspect of non-compliance.
In order to avoid a similar penalty, it’s important that you establish clear procedures for responding to patient requests within the 30-day timeframe.
Failure to Issue a Data Breach Notification Within 60 Days of Discovery
According to the HIPAA Breach Notification Rule, covered entities must report data breaches that affect more than 500 people without “unnecessary delay,” and no later than 60 days following the discovery of the breach. Exceeding the 60-day deadline is a common HIPAA violation, and can lead to a heavy financial penalty.
In order to prevent this from occurring, make sure that relevant breach details are transmitted to the OCR, that the breach is reported to a major media outlet that serves the area affected by the breach, and that notification is posted on the company website.
Improper Disposal of PHI
According to HIPAA regulations, both physical and electronic PHI must be properly disposed of after their retention periods have expired. For hardcopies, this typically involves shredding or pulping; for ePHI, the disposal process could involve degaussing, secure wiping, or destruction of the portable device on which the ePHI is stored.
As with the other HIPAA violations mentioned above, improper or incomplete disposal of PHI could result in unauthorized disclosures, and stiff financial penalties. You can reduce the risk of data breaches resulting from improper PHI disposal by using appropriate and comprehensive disposal methods for each form of expired PHI in your database.
The 9 violations discussed above are just a sampling of the many ways that HIPAA rules could be broken. One way to help mitigate the risk of HIPAA violations is to partner with a reputable IT services provider – one that can help you manage your sensitive data, and remain HIPAA-compliant. If you’d like to learn more, reach out to NetTech Consultants today.