The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for more than 20 years now, but unfortunately, HIPAA violations are still a reality in the healthcare industry.
No matter whether they are small or large, HIPAA violations always possess the potential to be extremely damaging to not only the practice that commits the violation, but to the privacy of the patients affected. Hence, the sometimes staggering financial consequences levied on the violating practice. Penalties can range from $100 to a maximum annual fine of $1.5 million
Some violations occur more than others, however and being proactive is crucial in violating HIPAA violations. In order to ensure your practice remains HIPAA compliant, take a look at these five most common HIPAA violations and keep them in mind to hopefully avoid committing these at your practice, too.
HIPAA Violation 1: A Non-encrypted Lost or Stolen Device
One of the most common HIPAA violations, a lost or stolen device can easily result in the theft of PHI. For example, a case in 2016 was settled where an iPhone that contained a significant amount of PHI, such as SSNs, medications and more. The phone was also without a password or encrypted to protect the PHI.
With more than 400 people affected by the breach, the facility was fined $650,000.
Our cell phones are such a part of our everyday lives that can be treated lightly at times, in regard to the sensitive information they can contain, especially if they are used by providers for work purposes.
We are prone to forgetting our phones or leaving them unattended, especially in a comfortable environment like an office. However, that sort of negligence can result in significant issues for a practice, should the wrong person gain possession of the phone and the PHI.
HIPAA Violation 2: Lack of Employee Training
Having a staff that's consistently HIPAA compliant is a testament to the diligence of employees, but it's also a result of training from upper management. Unfortunately, too many practices fail to thoroughly train employees in the ways of HIPAA compliance.
Without proper or thorough training, obvious HIPAA compliance issues won't be a problem, but rather the smaller, more complex violations will cause issues on account of employees' lack of knowledge. Unfortunately for the practice, even the miniscule violations can cause significant issues.
Be proactive and train your employees for anything and everything regarding HIPAA compliance!
HIPAA Violation 3: Database Breaches
Data breaches definitely get the most publicity out of these HIPAA violations, given the grand scale in which some of them take place. In 2016, data breaches cost the healthcare industry approximately $6.2 billion.
Any organization is vulnerable to hacking, which is why it's incredibly important for each health organization to take database breaches seriously and implement security measures to protect against them.
HIPAA Violation 4: Gossiping/Sharing PHI
Conversations between co-workers are typically no issue, but in a medical practice that standard doesn't always apply. Of course, there will always be situations in which medical practice employees need to discuss a specific patient's diagnosis and treatment plans, medications, etc.
However, it's imperative that those conversations occur only in private, not in front of a public audience. Although it might seem harmless, carelessly discussing patient information around non-medical practice employees can damage a patient's privacy and result in financial consequences for the practice.
HIPAA Violation 5: Improper Disposal of PHI
HIPAA compliance requires a thorough and proper disposal of PHI. Failure to do so can make patients more vulnerable to their private information being exposed.
When disposing of PHI, employees should always, always, always shred or destroy the patient records. Simply throwing records away is not sufficient and makes it easy for PHI to be accessed by the wrong people. Also, it's important to not forget to wipe the patient records or PHI from the hard drive if they were stored electronically.
Proper employee training can help ensure that PHI is protected and secured from its initial creation all the way through disposal.