With HIPAA violation fines reaching up to $50,000 per occurrence and a maximum annual penalty of $1.5 million per violation, it's important for medical practices to ensure they are HIPAA compliant at all times. And while all possible HIPAA violations should be considered potential threats to your medical practice, some are more common than others.
Because HIPAA regulations are complex and ever-changing, it's hard to stay up-to-date on the latest changes and common violations. By ensuring your staff is well-trained on HIPAA compliance and understanding which violations occur most often, your practice can more adequately protect against instances of violations.
We've combined a list of the ten most common HIPAA violations so your practice can take the necessary steps to prevent them. Here is the list of the top 10 most common HIPAA violations, and some advice on how to avoid them.
1. Keeping Unsecured Records
As part of your employee training, all staff members should be required to keep documents with PHI in a secure location at all times. Physical files containing PHI should be locked in a desk, filing cabinet or office. Digital files should require secure passwords to access them, in addition to being encrypted whenever possible.
2. Unencrypted Data
The dangers of leaving PHI data vulnerable without encryption are simple. Encrypting the data is an added protection if a device containing PHI is lost or stolen. It offers an additional layer of security if a password protected device is somehow accessed, such as through hacking. Although it is not a strict HIPAA requirement, it is highly recommended. You should also be familiar with your State HIPAA regulations as many States have passed laws requiring ePHI and PII to be encrypted.
Although we'd like to think it would never happen to us, hacking is a real threat to medical ePHI. There are people out there who want to use this information for malicious purposes, and therefore medical practices need to protect against hacking wherever possible.
Keeping antivirus software updated and active on all devices containing ePHI is a great place to start. Using firewalls adds another layer of protection as well. Finally, creating unique and difficult to remember passwords, and changing them frequently is another important measure to take to prevent hacking.
4. Loss or Theft of Devices
A case was settled in June of 2016, where an iPhone containing a vast amount of ePHI, including social security numbers, treatment and diagnosis information, medications, and more was stolen.
In addition, the iPhone was neither password protected nor encrypted, leaving all ePHI vulnerable to access by anyone possessing the phone.
The violation occurred at a facility called the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). A combination of nursing home residents and family members totaling 412 people were affected by the data breach, and the facility was fined $650,000.
Unfortunately, if devices containing ePHI are not stored in a secure location at all times, they are subject to the possibility of loss or theft. If the information stored on such devices is not encrypted or password protected, the loss or theft of the device becomes an even more severe issue.
5. Lack of Employee Training
When it comes to training employees on HIPAA regulations and compliance, it's important that every employee who comes in contact with PHI be thoroughly educated. Employee HIPAA training is more than a recommendation - it is a requirement of the HIPAA law. All staff members must be well-trained on the law, as well as on the particular policies and procedures set forth by your individual practice.
6. Gossiping / Sharing PHI
Although general gossip or chit chat by the water cooler can be harmless, PHI should always be off limits. When talking to co-workers, there is no reason to discuss PHI. Plus, it comes with a hefty fine.
Medical practice employees with access to patient PHI need to be careful about the information they share with others. When discussing PHI, should always be aware of who may be listening. Keep conversations about PHI behind closed doors, and only with appropriate office personnel.
7. Employee Dishonesty
Although not always done with a malicious purpose, when employees try to access PHI that they are not authorized to view, this is a HIPAA violation. Often it is merely out of curiosity, but the punishment is the same regardless of the intent. Thorough and precise training and procedures that outline who can access what, as well as a clear indication of the consequences that will result, can help prevent occurrences of this particular HIPAA violation.
8. Improper Disposal of Records
When training your staff members on HIPAA regulations, one of the most important procedures to enforce is proper disposal of PHI records. Staff members should understand that all information that contains PHI, such as social security numbers, medical procedures, diagnoses, etc., should be shredded, destroyed, wiped from the hard drive, etc.
If any of this information is left lying around in a trash can, in a computer's recent files folder, etc., it could get into the hands of the wrong person, and this would be a serious HIPAA violation. You can prevent this from happening with proper employee training and enforcement by a compliance officer or other staff.
9. Unauthorized Release of Information
This violation most often occurs when members of the media release PHI regarding public figures and celebrities. It can also happen when medical personnel release PHI to family members that are unauthorized, as only dependents and those with a Power of Attorney are allowed access to the PHI of a family member.
10. 3rd Party Disclosure of PHI
When it comes to discussing PHI, it should only be discussed with the people who need to know, such as the patient, the doctor(s), and/or the person(s) billing for the procedure, medication, or other related service. If you have access to PHI and discuss it with those who do not have the right access to this information is a direct violation of HIPAA.
However, it does happen frequently. Again, by educating all staff members with access to PHI about HIPAA regulations such as this, you can eliminate the majority of data breaches caused by this violation.
Another example of 3rd party disclosure would be if a staff member were to release the wrong patient's information due to human error. In this case, the act may be an accident, but the consequences would be similar to those for a purposeful violation.
Keep your medical practice staff well-educated on HIPAA regulations, and make sure your policies and procedures reflect the most recent rules associated with the law. Train them to be careful with records containing PHI, and to share PHI only with those authorized. Otherwise, you may end up with a hefty fine, or even jail time.