What is a HIPAA violation?
By Greg Garner
With all the talk about HIPAA and its stringent rules, what exactly is a HIPAA violation? A HIPAA violation occurs when a covered entity fails to comply with the standards and provisions set out in the HIPAA Rules. There are a number of ways a covered entity can commit a HIPAA violation:
- Disclosing protected health information (PHI) without permission
- Accessing PHI without authorization
- Improper disposal of PHI
- Failing to conduct a risk analysis
- Failure to manage risks
- Failure to implement safeguards to ensure the confidentiality, integrity and availability of PHI
- Failure to implement the proper safeguards
- Failure to maintain and monitor PHI access logs
- Failure to enter into a HIPAA-compliant business associate agreement prior to giving access to PHI
- Failure to provide copies of PHI to patients when they ask
- Failure to implement access controls that limit who can reach PHI
- Failure to terminate access rights to PHI when they are no longer required
- Failure to provide HIPAA and security awareness training
- Sharing PHI online or via social media without permission
- Mishandling PHI or mailing it to the wrong person
- Any theft of patient records, including from dental practices
- Failure to encrypt PHI or to use an equivalent alternative measure to prevent unauthorized access
- Failure to have compliance documentation
- Failure to notify affected individuals or OCR of a breach of PHI within 60 days of the breach
HIPAA violations can be uncovered through internal audits, by supervisors who observe employees in violation, or through reports from individuals or vendors. When a violation is reported, OCR investigates if the covered entity's breach involves more than 500 records. OCR also conducts periodic audits of HIPAA covered entities and their business associates.
Penalties differ depending on which HIPAA Rule was violated. Fines can be up to $25,000 per violation category per calendar year. Additionally, OCR can issue fines of up to $15 million per violation category per calendar year.
HIPAA violations can be financially crippling for organizations, as penalties range from as little as $100 to as much as $50,000 per violation. One of the most alarming aspects of HIPAA breaches is that a single incident within your organization can result in hundreds, or even thousands, of HIPAA violations. All covered entities must report any and all breaches, as HIPAA requires, to HHS and to the individuals affected by the data breach.
As of 2015, there are a few ways covered entities can avoid HIPAA penalties, provided the act was not one of “willful neglect” and the violation is corrected within 30 days. Here are a few tips on how this can be accomplished:
- Update your security risk assessment as required by HIPAA.
Use the HHS risk assessment tool to conduct and document your risk analysis to identify and prevent potential security and data breaches.
- Implement the technical, administrative and physical safeguards required under the HIPAA security rule.
Although most organizations have the policies in place that the Security Rule requires, many deficiencies have been found in how the safeguards required by HIPAA are actually implemented. Making sure these safeguards are followed not only helps with compliance, but also helps in defending against system failures and online crime. Using the tools provided by HHS is an effective way to achieve this compliance.
- Make sure all business associate agreements (BAAs) are in place.
HIPAA requires that all covered entities have business associate agreements in place, but these agreements also help protect the practices from liability if the business associate violates the HIPAA law. All business associate agreements must specifically outline that the associate is an independent contractor and not an agent of the organization.
- Implement and enforce training
Covered entities can avoid HIPAA penalties when they have implemented rigorous training policies and checklists. Even when an employee has violated the law, if the covered entity can show that the employee was adequately trained and was aware of the policies, it may be able to avoid fines. The organization must ensure that the training is thorough and effective.
- Immediately respond to breaches
This is critical for covered entities. As a requirement of the law, all covered entities and business associates must immediately investigate any privacy complaint and mitigate any breach. Once an agent or employee has been found in violation, the appropriate sanctions must be applied. If the entity acts quickly enough, the data may not be compromised at all, which can avoid the need to self-report to HHS. If the entity or business associate did not act with willful neglect and corrects the violation with corrective action within 30 days, it may avoid receiving a penalty.
- Report all breaches in a timely fashion
Failing to report a breach in a timely manner under the HIPAA Rules may lead to a determination of willful neglect. Under HIPAA, any unauthorized access, use or disclosure of unsecured PHI is reportable to HHS and to the affected individual unless there is a low probability that the data has been compromised. That determination can be based on factors such as the type of PHI, the recipient of the PHI, whether the PHI was actually disclosed or accessed, and what was done to stop the breach.
- Have accurate documentation
All actions must be documented to help defend against any potential breach claim or HIPAA violation finding. Covered entities and business associates must retain this documentation for a period of six years, as HIPAA requires.
These are crucial steps in ensuring that your organization and its business associates have a way to avoid HIPAA violations. With due diligence and work, you can protect your organization and achieve a positive outcome.
Making sure your organization stays HIPAA compliant is an essential part of your risk management strategy. Although you may have policies and procedures in place, have conducted employee training and attempt to stay abreast of any breach activity, many organizations unknowingly experience HIPAA violations on a consistent basis. There are extensive fines tied to HIPAA offenses, which could cost your organization a significant amount of money. Making sure your administrators review the policies on an ongoing basis can help in avoiding huge losses.
Common HIPAA Violations
These are some common HIPAA violations that may be occurring within your organization. Even when trained, these violations may fall through the cracks. Introducing these common violations as part of your training program will alert employees to potential areas that need improvement:
- Releasing protected health information (PHI) without authorization due to incomplete forms.
Every patient authorization form must be fully completed before any information is released to an outside party. All forms should include the legal name of the patient, specific information that is authorized for disclosure, the date of the authorization, and the date of revocation. This includes cc’ing someone on an email with PHI by mistake.
- Disclosing patient information to an off-limits third party.
Employees may discuss information about a patient with friends, family and coworkers, which violates the federal law. Although the employees may feel secure in knowing the nature of the information will not be revealed any place else, these types of practices should be avoided at all costs.
- Failing to properly destroy old patient information.
HIPAA requires an organization to destroy any incorrect or outdated patient information to avoid the unauthorized release of PHI. When systems are not properly backed up, or there is a backlog, this opens the door for patient information to inadvertently fall into the wrong hands.
- Errors when storing patient files and other data.
Electronic Health Records (EHRs) have streamlined the process of keeping patient data private. While the use of EHRs has been helpful, many organizations still rely on a paper-based system for patient files. This can lead to patient files getting misplaced, data from another patient being misfiled and other errors. Most of these problems can be avoided by switching to an electronic database.
- Not releasing records on time.
When a patient requests their medical records, HIPAA law requires an immediate release. If the organization does not complete this in a timely manner, they could be fined and placed under investigation. Having a set timeline within your records department to complete any medical record requests should be a part of your policies and procedures.
- Inputting incorrect information
When working with patient files, employees may mistakenly enter an incorrect code, or select the wrong chart and enter information on the wrong patient. It is important to stress accuracy in every action.
- Not having proper security protocols.
Because so many organizations use mobile devices and other methods to back up information, PHI is at risk. Organizations should have adequate safeguards in place to protect PHI from breach, loss and theft. Security measures such as firewalls, remote-wipe software, passcode-restricted access and cloud storage will assist in avoiding hacks and the illegal retrieval of PHI.
- Waiting to inform management and compliance officials of PHI exposure.
Employees who have exposed PHI are often reluctant to inform management for fear of repercussions. This leads to a lag in reporting between management and compliance officials, which is itself a violation of the law. Making sure your employees and business associates understand the ramifications of not reporting a data breach or unauthorized release should be stressed in all employee compliance training.
Ongoing training is the key in making sure these common HIPAA violations are avoided, as one mistake can be detrimental to the organization.