Medical practices need to ensure that they are always HIPAA compliant, as fines for HIPAA violations can reach $50,000 per occurrence.
Since HIPAA regulations are complex and can change from year to year, staying up to date on the latest rules and the most common violations is difficult but still essential. The first step is to make sure your personnel are familiar with HIPAA compliance and the violations most common in this sector.
Check the most common HIPAA violations in this article.
Hacking
Hacking is a serious threat anyone can face. In 2020 alone, more than 300 hacking incidents were assessed for HIPAA violations.
The leaked or stolen Protected Health Information (PHI) may be managed in the following ways:
- Hackers sell the information to third-party organizations that benefit from the data.
- Hackers use ransomware to encrypt a person’s data, then may threaten to publish data or block access unless a ransom is paid.
A small guide on how to protect your practice from hacking:
- Make sure that all anti-virus software stays updated.
- Use encryption.
- Change passwords regularly, especially on important devices.
- Limit access to devices and information according to each employee's role.
Failure to use encryption
PHI encryption is one of the best methods to prevent data leaks from happening in your practice. If encrypted PHI is breached, it isn’t a reportable security incident unless the key to access the encrypted data is stolen as well.
Although HIPAA rules do not make encryption mandatory, it provides strong security benefits. Businesses may decide whether or not to use encryption, but if they do not, they must have an equivalent security measure in place instead.
Sharing personal information
All confidential data, PHI included, should be on a need-to-know basis. Although it appears harmless to discuss details with colleagues, it can easily cause information leaks which result in lawsuits.
Social engineering is a prevalent hacking method nowadays. Hackers trick employees into providing information so they can gain access to data they can exploit.
To prevent the spread of personal information, ensure that sensitive information is shared securely and only with authorized staff. Even talking about patient information with loved ones is a HIPAA violation.
Texting confidential data
Sending patient information by text may seem quick and effective, but it gives hackers a way to get their hands on such data. Patient information should not be sent in a text message because it is not an encrypted form of communication.
Getting caught doing so can result in a violation and fine. Businesses are also legally obliged to report such violations.
HIPAA-compliant messaging software is available that encrypts data for more secure communication; it fulfills HIPAA requirements while still letting colleagues share information efficiently.
Unauthorized access
One of the most common HIPAA violation examples is when employees access data they are not authorized for.
Even if it happens by accident, this is still a violation and can result in both an information breach and a fine. It is even worse when your own staff sell PHI for personal gain.
Based on the HIPAA Security Rule, covered entities, as well as their business associates, should limit access to electronic PHI (ePHI) only to authorized individuals.
Setting up an authorization system is one way to ensure employees can only access the data that is relevant to their work.
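The authorization system the paragraph above calls for has two parts in practice: a role-based check that limits each job function to the data classes it needs (the "minimum necessary" idea), and a per-patient check that the user actually has a treatment or billing relationship with the record being opened. Every decision, including denials, goes into an audit log, since denied attempts are what reveal employees browsing records they have no business in. The following Go program is an added example written for this article, not code from any product the page mentions; the roles, data classes, user IDs and patient IDs are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Role is a job function. Permissions attach to roles, not to individuals.
type Role string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleFrontDesk Role = "front-desk"
)

// DataClass groups the fields of a patient record; each role sees only
// the classes its job needs.
type DataClass string

const (
	Demographics DataClass = "demographics"
	Clinical     DataClass = "clinical"
	Payment      DataClass = "payment"
)

// rolePermissions is a hypothetical policy table for a small practice.
var rolePermissions = map[Role]map[DataClass]bool{
	RoleClinician: {Demographics: true, Clinical: true},
	RoleBilling:   {Demographics: true, Payment: true},
	RoleFrontDesk: {Demographics: true},
}

// User is a staff member plus the patients they are assigned to.
type User struct {
	ID               string
	Role             Role
	AssignedPatients map[string]bool // treatment or billing relationship
}

// AccessEvent is one audit-log entry; denied attempts are recorded too.
type AccessEvent struct {
	When    time.Time
	UserID  string
	Patient string
	Class   DataClass
	Allowed bool
	Reason  string
}

// ErrDenied is wrapped into every refusal so callers can test for it.
var ErrDenied = errors.New("access denied")

// Authorizer decides requests and keeps the audit trail in memory
// (a real deployment writes it to append-only storage).
type Authorizer struct {
	Audit []AccessEvent
}

// decide applies two checks: does the role permit this data class at all,
// and does this user have a relationship with this particular patient?
func decide(u User, patientID string, class DataClass) (bool, string) {
	perms, ok := rolePermissions[u.Role]
	if !ok {
		return false, "unknown role"
	}
	if !perms[class] {
		return false, "data class not permitted for role " + string(u.Role)
	}
	if !u.AssignedPatients[patientID] {
		return false, "no treatment or billing relationship with patient"
	}
	return true, "role and patient-relationship checks passed"
}

// Authorize records the decision and returns ErrDenied when the request fails.
func (a *Authorizer) Authorize(u User, patientID string, class DataClass, now time.Time) error {
	allowed, reason := decide(u, patientID, class)
	a.Audit = append(a.Audit, AccessEvent{When: now, UserID: u.ID, Patient: patientID,
		Class: class, Allowed: allowed, Reason: reason})
	if !allowed {
		return fmt.Errorf("%w: %s (user %s, patient %s, %s)", ErrDenied, reason, u.ID, patientID, class)
	}
	return nil
}

// DeniedEvents returns the audit entries a compliance officer reviews.
func (a *Authorizer) DeniedEvents() []AccessEvent {
	var denied []AccessEvent
	for _, e := range a.Audit {
		if !e.Allowed {
			denied = append(denied, e)
		}
	}
	return denied
}

func main() {
	auth := &Authorizer{}
	now := time.Now()
	// Constructed sample users; "P-1001" and "P-2002" are placeholder patient IDs.
	dr := User{ID: "dr-lee", Role: RoleClinician, AssignedPatients: map[string]bool{"P-1001": true}}
	clerk := User{ID: "clerk-kim", Role: RoleFrontDesk, AssignedPatients: map[string]bool{"P-1001": true}}
	fmt.Println(auth.Authorize(dr, "P-1001", Clinical, now))    // allowed
	fmt.Println(auth.Authorize(dr, "P-2002", Clinical, now))    // denied: not this clinician's patient
	fmt.Println(auth.Authorize(clerk, "P-1001", Clinical, now)) // denied: front desk never sees clinical data
	for _, e := range auth.DeniedEvents() {
		fmt.Printf("AUDIT denied %s -> %s/%s: %s\n", e.UserID, e.Patient, e.Class, e.Reason)
	}
}
```

The order of the checks matters for the audit trail: the role check fails first for a front-desk user asking for clinical data, so the reason recorded is the policy violation rather than the incidental fact that the patient is not theirs. Reviewing `DeniedEvents()` regularly is how a practice notices the "accidental" access the article describes before it becomes a reportable breach.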
Loss or theft of company devices
A common HIPAA violation is losing company devices that contain PHI.
In 2017, Lifespan Health System ACE suffered a HIPAA breach and a $1,040,000 HIPAA penalty after the theft of an unencrypted laptop. An employee had left the laptop in their vehicle, which was broken into. The laptop contained more than 20,000 personal details. To make matters worse, the device itself was not password-protected.
Although Lifespan ACE tried to remedy the situation, they could not stop the information from being misused.
While theft cannot be prevented at all times, adding encryption to company devices helps prevent information leaks and safeguards patient data even if the device gets stolen.
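The two sections above, "Failure to use encryption" and "Loss or theft of company devices", make the same point from two sides: if PHI on a stolen device is encrypted and the key was not stored with it, the thief has nothing readable, and the incident is not reportable as a breach. The following Go program is an added example written for this article (not code from any product the page mentions) showing what that looks like at the file level: a record is encrypted with AES-256-GCM under a key generated separately, the stored bytes are checked for any verbatim field value, and decryption is shown to fail closed with the wrong key or a modified byte. The `PatientRecord` fields and sample values are constructed, and the key is kept in memory only to keep the example self-contained; in a real deployment it would live in a key-management service or the OS keystore.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// PatientRecord is a constructed stand-in for the PHI a laptop might hold.
type PatientRecord struct {
	Name      string `json:"name"`
	DOB       string `json:"dob"`
	Diagnosis string `json:"diagnosis"`
}

// NewDataKey generates a 256-bit AES key. Keeping this key off the device
// is what makes a stolen encrypted laptop non-reportable.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD; aes.NewCipher rejects keys that are not 16/24/32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the record and encrypts it with AES-256-GCM. The stored
// layout is nonce || ciphertext || tag, with a fresh random nonce per record.
func Seal(key []byte, rec PatientRecord) ([]byte, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open reverses Seal. GCM's authentication tag means a wrong key or a
// modified byte produces an error rather than plausible-looking garbage.
func Open(key []byte, sealed []byte) (PatientRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return PatientRecord{}, err
	}
	if len(sealed) < gcm.NonceSize() {
		return PatientRecord{}, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return PatientRecord{}, fmt.Errorf("decryption failed: %w", err)
	}
	var rec PatientRecord
	if err := json.Unmarshal(plain, &rec); err != nil {
		return PatientRecord{}, err
	}
	return rec, nil
}

// ContainsPlaintext is the check a responder runs on a recovered disk image:
// does a known field value appear verbatim in what was stored?
func ContainsPlaintext(stored []byte, value string) bool {
	return bytes.Contains(stored, []byte(value))
}

func main() {
	key, _ := NewDataKey()
	rec := PatientRecord{Name: "Jane Example", DOB: "1980-02-03", Diagnosis: "hypertension"} // constructed
	sealed, _ := Seal(key, rec)
	fmt.Println("name visible in stored bytes:", ContainsPlaintext(sealed, rec.Name)) // false
	back, _ := Open(key, sealed)
	fmt.Println("opened with the right key:", back.Name)
	other, _ := NewDataKey()
	_, err := Open(other, sealed)
	fmt.Println("opened with a different key:", err)
}
```

The same reasoning drives the breach assessment after a theft: if the device held only `Seal` output and the key was never on it, the responder can demonstrate with `ContainsPlaintext`-style checks that no PHI was readable. If the key was on the device, or the data was stored the way the Lifespan laptop stored it, the incident is a reportable breach regardless of how the file was named.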
Accessing from an unsafe location
Many clinicians are used to working after hours and accessing PHI from their personal computers. Although this may appear harmless, it can have significant consequences, especially over an unsecured Wi-Fi connection.
This may lead to data leaks of not only PHI, but also payment information, residency data, etc.
To prevent this, the best practice is to simply have a dedicated computer and use only your personal network connection for any confidential information and only access the device from secure locations.
Issuing breach notifications exceeding 60 days
According to the HIPAA Breach Notification Rule, covered entities are required to issue notifications to relevant parties regarding breaches without unnecessary delay. They should provide notification no later than 60 days after discovering the data breach.
Releasing patient data to an unauthorized person
Without patient consent, healthcare providers may not release PHI for purposes other than the payment for healthcare, treatment, or for healthcare operations. Patients must fill out an authorization form before entities can legally disclose their PHI to a third party.
To prevent unauthorized disclosure, healthcare workers must ensure the proper authorization has been given. An authorization form is valid only if it has been signed by the patient or their representative.
Releasing wrong patient data
Even if a patient has provided an authorization form, healthcare employees need to be careful with the types of data released to third parties. Each authorization form should include what types of data have been authorized by the patient to be released.
Any details that have not been listed under the authorization form should remain confidential and private.