The 7 Most Common HIPPA Violations (And How to Avoid Making Them)Greg Garner
The Office for Civil Rights (OCR) received more than 28,000 complaints of possible HIPAA violations in 2019. The resulting investigations lead to more than $15 million in fines.
Nearly all fined entities were guilty of the same handful of common HIPAA violations. In fact, the same seven violations account for the majority of breaches nationwide every year. Here’s what you need to know about these violations and how to protect your organization.
1. Failing to Secure and Encrypt Data
Perhaps the most common of all HIPAA violations is the failure to properly secure and encrypt data. In part, this is because there are so many different ways for this to happen.
In some cases, organizations mistakenly assume that encryption is not mandatory since it is categorized as “addressable” instead of “required.” Other times, breaches are the result of simple staff mistakes and human error. For example, staff may:
- Accidentally leave physical charts and files in exam rooms where later patients can see them
- Leave files on desktops or computer screens while they step away
- Access patient files from home to finish work late at night where they are exposed to others’ view
- Text unsecured patient information to another provider in an attempt to provide prompt care
- Download records onto unsecured mobile devices
Encrypting data can powerfully protect your organization. The loss of encrypted data only becomes a HIPAA breach if the encryption key is also stolen.
Preventing other breaches of this nature almost entirely comes down to proper staff training. All providers must educate their staff on:
- What constitutes a breach
- Minimum standards and best practices to prevent breaches
- What to do if they think a breach may have occurred
2. Device Theft
When providers think of HIPAA violation examples device theft rarely comes to mind. Yet lost or stolen devices are a huge source of HIPAA enforcement investigation and penalties.
The OCR estimates that between 2009 and present, up to 50 percent of Americans have had their PHI compromised. A large proportion of these breaches are due to the theft of unprotected and unencrypted mobile devices. These include:
- Cell phones
- PDAs and Blackberries
- Flash, zip, and USB drives
- Disks and CDs
Thanks to their small size, concealability, and common appearance, these items are easy to steal. They can be taken from an individual or removed from offices, vehicles, or homes.
There are two primary ways to protect your organization from this type of violation. The first to encrypt all PHI on all devices. This ensures that even if a device is stolen, information is protected.
The second is to train your staff on appropriate device handling procedures. This includes practices such as:
- Storing devices in locked drawers when they are not on their person
- Double-locking devices, such as in a locked glove compartment in a locked vehicle
- Password-protecting all devices and handling passwords securely
- Accessing and sharing PHI only via password-protected apps
3. Employee Misconduct
Employee misconduct is similar to the failure to secure data. It can happen in many different ways and is often accidental. For example, employees may:
- Answer questions from patients’ friends or family in ways that violate privacy
- Post photos or personally identifiable information to social media that exposes patients
- Have conversations regarding or including PHI in non-private settings where they may be overhead
- Leave files containing PHI where they can be seen by others
Unfortunately, not all breaches are so innocent. Employees may purposely misuse their access to PHI and knowingly share patients’ private information through gossip, social media, and other methods. Understandably, HIPAA violation penalties are much higher when breaches are intentional.
Again, there are two ways to protect your organization. The first is to ensure that PHI access is restricted to only those staff who need it and only when necessary to do their jobs.
The second is to ensure that all staff receives appropriate HIPAA training. This will prevent accidental breaches. It will also ensure that staff understands the severe risks and penalties of non-compliance.
4. Improper Records Disposal
At first glance, records disposal seems like an odd cause for so many HIPAA breaches. However, it is easy for staff to mistakenly assume that documents have no PHI. Casually discarding these documents then causes a breach.
Items such as hard drives and USB drives may also continue to hold protected PHI until they are wiped or destroyed. If they are not accounted for and stored under lock and key between the end of their use and when they are wiped of PHI, they can constitute or lead to a violation.
To protect your organization, you need strong and clear policies on document and device handling. You also need to train staff on best practices and possible HIPAA violations in this area.
5. Non-Compliant Partnership Agreements
Non-Compliant partnership agreements are a straight-forward and common HIPAA violation. The average health care organization works with a wide range of partner companies in its daily operations. The possibilities for complications are seemingly endless.
- Contracts may be handled by off-site or regional departments
- Partner companies may be bought, sold, or merge with other companies
- Partners may need to be brought onboard quickly to manage urgent facility needs
In these and other circumstances, it is easy for errors or misunderstandings to result in non-compliant agreements. The costs of these errors can be steep, however. The best way to protect your organization is to ensure that the staff managing partner contracts are fully trained in HIPAA compliance as it applies to them.
6. Failure to Perform an Organization-Wide Risk Analysis
Performing an organization-wide risk analysis is required as part of your organization’s HIPAA compliance. Not doing so its own costly HIPAA violation. Performing these assessments is also critical because it helps you catch and prevent all of the other common HIPAA violations on this list.
7. Inadequate Staff Training
Given that staff training prevents nearly every other item on this list, it will come as no surprise that inadequate training is one of the most common HIPAA violations each year. There is simply no substitute for getting your staff proper HIPAA training and verifying that they fully understand the rules and how they apply.
Conducting effective training can be challenging, however. Particularly as the health care environment continues to evolve and change.
HIPAA Exams can help. Our HIPAA for Health Care Workers course takes only about 60 minutes to complete. In that time, it teaches your staff:
- What HIPAA is and what the rules require
- What breaches are and how to avoid them
- The personal and organizational penalties for violations
- How to apply this information in their daily routines
We also offer HIPAA courses for your business partners to offer your organization 360-degree protection. All of our courses include:
- Tests at the end to ensure comprehension
- Printable completion certificates to make tracking easy
- Free retakes of the course and exam as needed to achieve mastery
- 24/7 online access from anywhere for your convenience
Protect Your Organization From Common HIPAA Violations
Don’t let your organization fall victim to these common HIPAA violations and the hefty fines that go with them. Contact our helpful and responsive team today to get your team the training they need.