HIPAA violations can be detrimental to your organization’s reputation, as well as costly. Learn which are the most common, and how to put safeguards in place to avoid them.
The Top 10 Most Common HIPAA Violations:
Source: HIPAA Journal, February 2023.
- Snooping on healthcare records from individuals who are not caring for the patient directly at the time – regardless of intent.
- Failure to perform a practice-wide or organization-wide risk analysis.
- Failure to manage security risks, or the absence of a risk management process.
- Denying patients or representatives access to health records or exceeding the time limit for providing access.
- Failure to put a HIPAA-compliant business associate agreement (BAA) in place.
- Insufficient ePHI individual access controls.
- Failure to use encryption or an equivalent cybersecurity measure to protect ePHI on portable devices.
- Failure to issue breach notifications within 60 days of the occurrence.
- Impermissible disclosures of protected health information.
- Improper disposal of PHI.
Fines for HIPAA breaches can result in civil penalties that range from $100 for violation deemed “unknowing” all the way up to $1.5 million for “willful neglect”. HIPAA breaches can also generate criminal penalties. In fact, since the advent of HIPAA in 1996, the OCR has referred 824 criminal violations to the Department of Justice for investigation.
How Can I Avoid Breaching HIPAA?
Taking the time to establish the right foundations for HIPAA compliance in your practice are important. This includes provider and employee education, risk assessment and management, and compliant processes for providing records.
No Snooping!
Improperly accessing patient records is one of the top reasons for HIPAA violations. It is important that everyone working in the practice understands the three permissible reasons for accessing health records:
- Treatment
- Payment
- Healthcare operations – such as data collection for quality reporting.
Basically, if someone doesn’t have a “need to know”, then they are prohibited from looking at the record.
A physician at the University of California Los Angeles Health System accessed medical records of two celebrities without authorization 323 times. He lost his job and became the first healthcare employee to be jailed for HIPAA violations, serving four months in federal prison. The health system paid $865,500 in fines.
Perform an Organization-Wide Risk Analysis
A thorough risk analysis is required by the HHS for covered entities and business associates. Whether you are an independent practice or part of a larger network, the policy is the same. A HIPAA Risk Assessment should occur at least annually and be led by a multidisciplinary team. The HHS and other entities provide pre-built tools and compliance checklists to help facilitate the process for your team.
Some of the largest HIPAA fines have been issued to organizations and individuals for failing to conduct a risk assessment.
- Premera Blue Cross paid $6,850,000 for risk analysis and risk management failures.
- Dr. Steven A. Porter, was penalized $100,000 for the same.
Follow up on Identified Risks
Performing the risk assessment isn’t enough by itself – you must then establish methods to mitigate and manage the risks. Each risk identified should be prioritized and addressed in a reasonable time frame.
Settlements with covered entities that failed to manage risks they identified include:
- The Alaska Department of Health and Social Services was penalized $1.7 million for failing to perform risk analysis and risk management.
- Metro Community Provider Network was penalized $400,000 for risk management failures.
Establish Compliant Processes for Providing Patients Access to Health Records
Under HIPAA, patients have the right to access their own medical records and obtain copies upon request. Ways that practices can violate this right include denying patients copies of their records, taking too long (over 30 days) to provide records, or overcharging for copies.
Establish Business Associate Agreements when Required
Not every business relationship needs a BAA, but many of them do. All vendors that are given access to PHI in any format must enter into a HIPAA-compliant business associate agreement. Some good examples of business associates are consultants, IT professionals, outsourced billing services, and transcriptionists.
Limit Access to ePHI
Employees and business associates should have access to ePHI that is limited to the scope of responsibility. The practice or organization should establish policies and procedures that grant access to only enough ePHI to perform the needed functions – whether for care, payment, or organizational functions.
Implement Sufficient Security Protections for Electronic Data
Cybercrimes in healthcare are more prevalent than ever, as the value of PHI increases on the black market. One of the most effective ways to prevent data breaches is to encrypt PHI. HIPAA does not specifically tell covered entities how to protect their data, however they must have some sort of system in place that offers sufficient protections.
Costs for these types of breaches may go beyond HIPAA fines. The individuals who had their data compromised can also sue, and compensation for damages may go on for years.
- Children’s Medical Center in Dallas incurred a $3.2 million civil penalty for failing to address known risks, including the failure to use encryption on portable devices.
- Lifespan Health System paid a $1,040,000 penalty for failing to encrypt data and implement proper device and media controls. This resulted in the disclosure of 20,431 patients PHI.
Promptly Report any Breaches
If, in spite of best efforts, a breach occurs – it is the covered entity’s responsibility to issue notifications of the breach without delay. Notifications should be made as soon as possible, and definitely no later than 60 days after the discovery. Delaying notification can appear as if the entity is attempting to hide breaches, or to minimize the damages. These violations are some of the most common HIPAA violations.
Prevent Careless Disclosures
Impermissible disclosures categorize a range of offenses, such as the theft or loss of laptop computers, giving information to a patient’s employer, careless handling of PHI, or failing to update HIPAA forms online.
Dispose of PHI Securely
Whether the PHI is in a paper form or electronic, it must be disposed of in accordance with the rules. After the retention period, information must be securely and permanently destroyed. For paper, this usually involves shredding or pulping, and for ePHI it requires degaussing, securely wiping, or destroying the electronic devices involved.
Some examples of improper disposal:
- New England Dermatology and Laser Center was fined $300,640 for disposing of empty, labeled specimen containers with regular trash, which exposed the PHI of 58,106 patients.
- Parkview Health was fined $800,000 for failure to securely dispose of paper records.