HIPAA Violations: What’s New This Month?
Greg Garner
HIPAA violations can serve as a cautionary tale.
Public disclosure of a HIPAA violation is unnerving. It can harm the standing of your organization. What’s more—it can prove costly.
Still, a financial penalty can serve as the least of your burdens if you’re found in violation of HIPAA rules. A HIPAA Corrective Action Plan (CAP) can cost your organization even more.
This June, the Office for Civil Rights (OCR) fined a small medical practice. The medical practice has agreed to pay the fine as well as comply with the OCR’s CAP.
To learn more about this month’s HIPAA violation, as well as how you can protect your organization, keep reading.
Understanding HIPAA Violations
With its passage in 1996, the Health Insurance Portability and Accountability Act (HIPAA) changed the face of medicine. The law has had far-reaching effects. What’s more, it’s transformed the way that many health care providers operate.
The most important part of the HIPAA Act states that you must keep personally identifiable patient information secure and private. This provision has made electronic health records safer for patients.
However, it’s also imposed several sometimes burdensome rules on health care providers. It’s estimated that compliance with HIPAA rules costs companies about $8.3 billion every year.
The various sections of the HIPAA Act are called titles. Titles I and II are the most relevant sections of the act.
Title I encompasses the portability rules of the HIPAA Act. It ensures that insurers can’t deny people moving from one plan to another due to pre-existing health conditions.
This is the part of the HIPAA Act that has had the most impact on consumers’ lives. However, Title II is the part of the act that’s had the most impact on health care organizations.
The Purpose Of HIPAA
Health care organizations must comply with Title II. It states that covered entities must maintain reasonable and appropriate safeguards to protect patient information.
In part, those safeguards must include administrative measures. These kinds of measures include workforce training and risk analyses.
They also include physical safeguards, such as facility access control, and technical safeguards, such as cybersecurity software.
In general, Title II says that organizations must ensure the confidentiality, integrity and availability of all patient information. The latter is where one organization got into trouble this month—more on that in a moment.
Organizations must also protect against anticipated security threats. Furthermore, they must protect against impermissible uses and disclosure of patient information.
In addition, the HIPAA Act requires that health care providers ensure compliance in the workplace. At the same time, it doesn’t mandate specific measures.
In this regard, the act offers some flexibility. Here, organizations are free to decide how to comply with HIPAA guidelines.
At the same time, this flexibility creates ambiguity. Accordingly, it can prove challenging to figure out how to meet HIPAA standards. A brief example might shed some light on the matter.
As previously noted, in June of 2021, the HHS Office for Civil Rights (OCR) fined a health care provider $5,000 for HIPAA violations. Here’s a closer look at that event.
Current HIPAA Violations
This month, the OCR issued its 19th action involving a patient’s right to access. The covered entity in question was a small specialty medical practice.
The fine was the office’s response to the care provider’s failure to provide a parent with timely access to the medical records of her child. In the end, the OCR issued a financial fine and recommended a supervised corrective action plan.
The Diabetes, Endocrinology & Biology Center Inc. of West Virginia agreed to the OCR’s terms. The care provider will pay the $5,000 fine. They’ll also comply with the OCR’s corrective action plan to prevent future violations of HIPAA regulations.
According to the OCR, the case began with a complaint filed in August 2019. It alleged that the center failed to respond to a parent’s record access request in July 2019.
In response to the complaint, the OCR launched an investigation. The investigation determined that, indeed, the center failed to comply with the timely access provision. As a result, it made a ruling that the Diabetes, Endocrinology & Biology Center was in violation of HIPAA policies.
Top Causes Of HIPAA Violations
Occasionally, the Office for Civil Rights conducts HIPAA compliance audits. Recently, for instance, the OCR audited 166 health care providers and 41 business associates. The purpose of the audits is to check for compliance with HIPAA rules.
HIPAA violations might occur due to ignorance or negligence. In either case, the resulting violation can bring massive fines.
The fines can range from hundreds of thousands of dollars to millions of dollars. The OCR establishes the fine amount based on the severity of the infraction.
The OCR may impose fines per violation. Alternatively, they may apply a single fine for a series of violations. The fines might also accompany corrective action plans.
There are a few common types of HIPAA violations that arise during audits. For instance, the OCR may find that an organization allowed unauthorized access to patient health information.
Alternatively, the office may learn that an organization is not performing organization-wide risk analyses. The OCR may also find that a health care provider does not participate in HIPAA-compliant business associate agreements as required.
A health care provider may also face an OCR fine for failing to encrypt patient information stored on mobile devices. Finally, audits also frequently reveal that organizations do not dispose of patient information properly.
Other HIPAA violations come to light after a cyber breach.
Types of HIPAA Breaches
There are two primary classifications of HIPAA breaches. If a violation doesn’t result in the use or disclosure of patient information, the OCR ranks it as “not a breach.”
Still, the OCR must make another assessment when a violation involves patient information. They must define whether the violation was intentional or unintentional.
Accidental disclosure is still a breach. However, it comes with much less severe penalties.
By contrast, the OCR considers a deliberate disclosure very serious. As a result, it levies much heavier fines for this kind of breach.
After a breach, the OCR typically finds that the breach occurred in one of several common areas.
Lack of a Valid Risk Assessment
Risk analysis is an important element of the HIPAA Act. The purpose of this assessment is to identify risks to patient information. It’s the first step that a health care provider should take in meeting compliance.
Sharing Patient Information
Here, a health care provider might share information intentionally or unintentionally. In either case, a health care provider should never provide patient information to an unauthorized recipient. An unauthorized recipient could include coworkers, the media or a patient’s unauthorized family member.
Unauthorized Viewing of Patient Information
Reviewing patient information for administrative purposes or delivering care is acceptable. However, it’s a violation of the HIPAA Act to view patient records outside of these two purposes. Personnel cannot view patient records unless doing so for a specific reason that’s related to the delivery of treatment.
Improper Disposal of Patient Information
The HIPAA Act mandates the secure disposal of patient information. Complying with this rule might include the appropriate destruction of data, hard disks or backups.
It also includes destroying data on stolen devices. In addition, it covers the destruction of hardcopy patient information.
Lack of Patient Access Controls
According to HIPAA rules, health care providers must control access to patient information. For example, your organization could deploy multi-factor authentication. Multi-factor authentication is an excellent place to start if you want to ensure that only authorized personnel access patient records.
Lack of Encryption
This violation usually occurs when a care provider doesn’t encrypt patient information that’s shared over a network. Tools such as VPNs, TLS certificates and strong ciphers enable you to encrypt patient information in transit. It’s also a good idea to encrypt patient information at rest, not only the data you’re transmitting.
Breach Notification Compliance
Failure to notify the OCR of a breach is a violation of HIPAA policy. Furthermore, you must do so within 60 days of the breach. If not, you’ve violated this part of the HIPAA Act.
Improper Handling of Patient Information
Care providers must share patient information using official channels. Staff members cannot email patient information using personal accounts.
They also shouldn’t print patient information and take it off-site. Either act is a HIPAA offense.
Unauthorized Information Disclosure
Your staff members should never release patient information to unauthorized individuals. Doing so is considered a breach. However, the OCR did relax this part of the HIPAA regulations during the pandemic.
Limited Access Logging
Organizations must maintain detailed records of who accesses patient information. They must also track changes and updates to patient information.
You never know when your practice or organization could face an audit. If so, the OCR will want to see information about who accesses what patient information on specific dates. If you cannot provide this information, the OCR will consider you in violation of HIPAA rules.
Here, however, the OCR has also relaxed the rules. They’re offering some leniency in the data logging of COVID test stations.
There are many more ways to violate HIPAA regulations. Fortunately, your organization can stay clear of violations with the right HIPAA training.
What is HIPAA Training?
Health care professionals must have HIPAA training. The HIPAA Act requires training for doctors, nurses and anyone who comes in contact with sensitive patient information.
Understanding the many HIPAA rules can prove challenging. In many cases, they’re vague and confusing.
HIPAA training is a critical part of compliance for this reason. Proper training will ensure that all employees are up-to-date on what it takes to maintain the privacy and security of patient information.
With training, your staff will learn the many details of complying with the HIPAA Act. More importantly, they’ll understand their role in HIPAA compliance.
It’s important to provide HIPAA training for medical employees. Without it, you place your organization at risk.
As an example, your organization could face considerable fines due to a violation. The smallest fine for an intentional violation is $50,000.
In a worst-case scenario, the OCR could levy a fine on an individual for $250,000 for a criminal offense. Furthermore, the court could find your organization liable for paying restitution to the victim of the crime.
What is HIPAA Certification?
With HIPAA certification, you can prove that your staff members know how to comply with HIPAA regulations. Today, earning HIPAA certification is a part of due diligence.
HIPAA compliance rules change continually. As a result, there’s no official path to HIPAA certification. If a training provider advertises that their course is endorsed by the Department of Health & Human Services, it’s a falsehood.
Nevertheless, you can claim that your organization is certified HIPAA compliant. The statement simply means that you’ve completed third-party HIPAA compliance training.
It also means that you’ve taken measures to comply with HIPAA regulations. Here, however, it’s vital to find a trusted HIPAA training partner.