
      5 Most Common HIPAA Violations


      The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for more than 20 years now, but unfortunately, HIPAA violations are still a reality in the healthcare industry. We've broken down the 5 most common ones here.

      The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for more than 25 years now, through the United States Department of Health and Human Services. Unfortunately, HIPAA violations are still a reality in the healthcare industry, continuing to build annually. Below is an overview of the 5 most common (and costly) Protected Health Information (PHI) violations of HIPAA requirements. 

      No matter whether they are small or large, common violations of HIPAA regulations always have the potential to be extremely damaging to the practice that commits the violation, and to the privacy of the patients affected. 

      Unauthorized access to patient information is a constant struggle in behavioral healthcare practice. Quantifying the damage, financial consequences levied on the violating practice typically carry penalties ranging from $100 to a maximum annual fine of $1.5 million. Ensuring HIPAA compliance through PHI security is imperative, both from a business and consumer perspective. 

      The 5 Most Common HIPAA Violations


      HIPAA Violation 1: A Non-Encrypted Lost or Stolen Device  

      One of the most common HIPAA violations involves a lost or stolen device, which can easily result in theft of, or unauthorized access to, PHI. Fines can reach $1.5 million per violation category, per year that the violation has been allowed to persist. Whether it’s a laptop, tablet, or phone, if it holds patient data, or is linked to it, any unauthorized access to it is a problem. 

      For example, a recent case was settled involving a cell phone that contained a significant amount of PHI, such as SSNs, medications, and more. The phone had neither a password nor encryption to protect the PHI. With more than 400 people affected by the breach, the facility was fined $650,000. 

      Cell phones and tablets are such a part of behavioral health professionals’ everyday lives, in and out of the office, that it’s easy to be casual with them, even though they can contain sensitive information when providers use them for work purposes. 

      People are prone to forgetting phones, leaving them unattended, or leaving them without password protection, especially in a comfortable environment like an office. However, that negligence can result in significant issues for the practice, should the wrong person gain possession of the phone and the PHI on it.   


      HIPAA Violation 2: Lack of Employment Training  

      Having a staff that's consistently HIPAA compliant is a testament to the diligence of employees, but it's also a result of the training from upper management. Unfortunately, too many behavioral health practices do not thoroughly train employees in the ways of HIPAA compliance. 

      Without proper or thorough HIPAA training, the obvious compliance issues are rarely the problem; rather, the smaller, more complex violations cause issues on account of employees' lack of knowledge. Unfortunately for the practice, even minuscule violations can cause significant issues.  

      Being proactive and training employees on anything and everything regarding HIPAA compliance keeps the practice safe.  

      HIPAA Violation 3: Database Breaches  

      Data breaches get the most publicity of all reported HIPAA violations, given the grand scale on which many of them take place. Annually, data breaches cost the healthcare industry more than $6.2 billion.  

      Any organization is vulnerable to hacking, which is why it's incredibly important for each health organization to take database breaches seriously and implement security measures that protect against them.  

      HIPAA Violation 4: Gossiping and Sharing PHI 

      Conversations between co-workers are typically no issue, but in a healthcare practice, that standard doesn't always apply. There will always be situations in which medical practice employees need to discuss a specific patient's diagnosis, treatment plans, and medications.  

      This is where it’s imperative that those conversations occur only in private, not in front of a public audience. Although it might seem harmless, carelessly discussing patient information around non-medical practice employees can damage a patient's privacy and result in financial consequences for the practice. Being consciously cautious is always the protective choice. 

      HIPAA Violation 5: Improper disposal of PHI 

      HIPAA compliance requires thorough and proper disposal of PHI. Failure to do so can make patients more vulnerable to their confidential information being exposed. 

      When disposing of PHI, employees should always shred or destroy the patient records. Simply throwing records away is not sufficient and makes it easy for PHI to be accessed by the wrong people (more so these days…). It's also important not to forget to wipe patient records or PHI from local and portable device hard drives if they were stored electronically. 

      Proper employee training can help ensure that PHI is protected and secured from its initial creation all the way through disposal. 

      Preserve Your Practice’s PHI 

      For HIPAA-compliant PHI security, InSync Electronic Health Records (EHR) automation provides your practice and your team with interoperability. In healthcare, interoperability refers to timely and secure access to patient information, with the ability to deliver electronic health data across multiple systems. In addition to the PHI benefits of these record-sharing functions, interoperability is used to optimize health outcomes for individuals and populations.  

      The interoperability capabilities of an EHR leverage data in a standardized way, breaking down and sharing information securely among your partners and their systems. Your practice’s terminology, treatment, and medication codes can be recognized. The necessary data is exchanged automatically, with no manual processes needed. 

      PHI is bolstered through interoperability by: 

      • Creating data unity between your mental health practice and your partners, to manage and access information across connections to external systems.  
      • Improving your protection of HIPAA-regulated patient information by sharing records through interoperability. This security step eliminates manually and repeatedly keying in personal information. 
      • Reducing operational costs by eliminating duplicate and outdated data.  

      To strengthen your practice’s PHI reliability to limit HIPAA violation potential, take a look at InSync. 
