The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal regulation that was put in place to protect the privacy of healthcare patients’ personal data. While it’s important that healthcare providers have access to the information they need to treat patients, it’s also essential that the information isn’t shared with outside parties that don’t need access to the information, even inadvertently.
This regulation applies to all forms of communication, including oral, written, and electronic. However, the HIPAA Security Rule applies more specifically to electronic health information, and puts strict guidelines in place for “electronic protected health information” (e-PHI).
In order to comply with the Security Rule, healthcare providers, insurers, and associated businesses and organizations must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and safeguard against anticipated threats to the security of the information
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce
While large organizations often have strict protocols in place to protect their patients’ e-PHI, smaller healthcare offices and solo practitioners may be less prepared to comply with these regulations, and can end up facing violations.
And the penalties for HIPAA violations can be steep. Violations are graded on a four-tier scale, based on the level of offense, and fines can be upwards of $60,000 per violation for the most serious offenses (willful neglect that is not corrected within 30 days).
HIPAA is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), and OCR has settled millions of dollars in penalties against organizations that have violated HIPAA regulations. States can also levy additional fines and penalties, and may even subject individuals to criminal penalties if they have knowingly violated HIPAA laws, particularly if they have financially benefited from the sale of the data.
While OCR focuses most heavily on large organizations, it can penalize any organization that’s considered a “covered entity,” which includes health providers, health insurance plans, healthcare administrative organizations, and third-party associates that work with any of these types of businesses.
So if you’re a healthcare provider, health insurance agent, work in healthcare administration, or you professionally collaborate with any of these types of people, the HIPAA regulations apply to you.
What are some common organizational HIPAA violations?
If you’re a covered entity, it’s important to be aware of the most common types of HIPAA violations so that you can ensure that you stay within compliance at all times. After all, a severe HIPAA breach might cost you your practice or business, and could result in steep penalties or even jail time.
Here are some of the frequent types of HIPAA violations to watch out for on an organizational level:
- Keeping unsecured patient health information
Whether you’re storing files and information physically or digitally, it’s essential to manage the security of your patients’ health records. Physical records should be stored under lock and key, and digital files should be encrypted and password-protected.
- Cyber hacking
Even if an outside party is responsible for stealing your patient data, you can still be found liable if you haven’t put suitable protections in place. Make sure that you have antivirus software in place and check regularly for updates; use a firewall; and use strong, unique passwords that are changed when there is any sign of compromise.
- Improper employee training
Training employees on HIPAA regulations is a requirement of HIPAA law. When new hires come on board, you should provide a thorough training session that educates them on how to comply with the data protection measures that HIPAA mandates, and provide them with access to a HIPAA training manual for ongoing reference.
- Impermissible disclosure of protected health information
HIPAA requires covered entities to limit access to healthcare information only to contacts who need access for their jobs, or to individuals that the patient has explicitly provided access to. If an employee or an organization knowingly or unknowingly discloses personal health information to an individual’s employer or unapproved contacts, or carelessly handles the information resulting in exposure, they can be subject to steep fines. For instance, New York Presbyterian Hospital was fined $2.2 million for filming patients without their consent.
- Improper disposal of PHI
HIPAA rules require that health information be destroyed if the information is no longer needed and the retention period has expired. That means paper records should be shredded, and electronic records need to be fully erased from devices. If these measures aren’t taken, organizations can be subject to significant fines: Parkview Health faced an $800,000 penalty for improper disposal of records.
Most organizational HIPAA penalties can be avoided with proper employee training and protocols. By setting up an in-depth HIPAA training program for new employees, ensuring that protocols are followed at all times, using secure document storage for both online and offline records, and putting strong cybersecurity measures into place, you’ll be able to avoid unauthorized disclosures.
What types of employee HIPAA violations most frequently occur?
But what about on an individual employee level? While employee training should cover all of these scenarios, it’s important to be aware of potential issues that could arise if an employee is careless or negligent with healthcare data.
Whether you’re an individual employee or an administrator, it’s vital to watch out for these types of common employee violations. Failure to do so could result in your job loss, substantial penalties for your organization and yourself, and possibly even jail time. Employee HIPAA violations can attract fines of up to $250,000 and a jail term of up to 10 years, depending on the severity of the incident.
- Sharing ePHI to unsecured phone networks
Many healthcare employees might inadvertently send health documents to their own personal email addresses, or text with colleagues about it—but removing ePHI from a protected network and sharing it on unsecure networks is a violation of HIPAA, and places the information at risk of exposure. Data can also be compromised when mobile devices are used on public hotspots.
- Providing protected health information to an unauthorized party
An employee might share their login credentials with another employee who does not have the same level of access, which can enable that employee to view protected patient information that they don’t have the right to see. They might also share or discuss health information with the patient’s family members or employer, which they’re not authorized to do unless the patient has listed them on a HIPAA waiver. And even speaking about patient health records in a public place may be grounds for a HIPAA violation: it’s important to only speak about protected patient information in a private office or meeting room with others who are authorized to discuss the information.
- Lost or stolen mobile devices
Employees working in the healthcare industry need to go to great lengths to keep their mobile data secure. Losing a phone or having it stolen can mean that any unsecured ePHI on it is exposed in a large data breach. A Bitglass survey found that 68% of information breaches in healthcare organizations occurred due to the theft or loss of mobile phones. If the employee doesn’t encrypt their data and remotely lock or wipe a lost or stolen phone, they may play a role in aiding others in the theft of large volumes of patient data.
How can you prevent employee-driven HIPAA violations?
While organizational HIPAA violations can be kept in check with regular compliance audits and workplace training, it’s also important to drill down to the individual employee level. When it comes to keeping HIPAA protections in place, every organization is only as strong as its weakest link.
Some guidelines for making sure your staff stays HIPAA-compliant include:
- Quiz employees on HIPAA requirements
Rather than conducting a one-and-done HIPAA training session, use individualized learning plans to ensure that your employees are paying attention. By issuing regular quizzes on different parts of the HIPAA requirements, and checking their scores, you’ll be able to see which employees need extra training or reminders on HIPAA compliance requirements.
- Provide cybersecurity training
Beyond understanding HIPAA, it’s also important for your employees to understand what it takes to keep all of your data secure, HIPAA-protected or not. Train them on cybersecurity measures like using firewalls and VPNs to access your network securely, and ensure that they use cybersecurity threat detection software that regularly checks for breaches. They should also ensure that they use strong, unique passwords, and use two-factor authentication for apps and device logins whenever available.
- Use a HIPAA-compliant second phone line for texting and phone calls
Most healthcare practitioners and other covered entities don’t want to deal with the hassle of carrying around a second mobile device, but using a single mobile phone for all of your personal and professional calls and texting leaves you at risk of data exposure. By using an app like iPlum, you can add a secure second line to your existing mobile device, enabling you to set up secure texting and calls on a separate business phone line. The app offers HIPAA-compliant calling, text messaging, and voicemail, helping you and your patients or customers stay protected even in the event of a phone loss or theft.
Avoiding HIPAA violations in the digital age
The world of healthcare is changing rapidly, particularly in a post-COVID era. Many practitioners are able to complete virtual consultations from home or remote locations, helping them gain productivity, save costs, and reduce the risk of disease exposure.
However, their home or remote setups may not have the safeguards of their office network to protect patient data securely. Practitioners may do much of their work directly from their mobile phones, so it’s crucial that they’re properly trained on how to effectively manage and protect patient data when discussing PHI over text or phone calls.
By combining HIPAA compliance training, cybersecurity training, and access to affordable, but effective, technology solutions like iPlum, you can ensure that your team is properly prepared to handle secure patient data with confidence.
Staying ahead of HIPAA
HIPAA violations can cost your organization money, damage your reputation, and even lead to jail time, depending on the type of incident. Penalties can range to the millions, depending on the scope of the violation.
As such, it’s important to ensure that your organization has a proactive approach to HIPAA compliance, with mandatory HIPAA training for new employees and ongoing assessments to monitor their understanding of the requirements. Compliance initiatives should audit network activity to ensure that only employees with the right access levels are reviewing protected files, and that all electronic data is securely encrypted. All paper forms should be securely stored in locked cabinets. Both types of records must be tracked so that, once they are no longer needed for record-keeping and their retention period has expired, they are destroyed.
Employees should also be enabled with the right technology to help them stay secure, both while working remotely and at the office. By using secure messaging and phone services, and ensuring that they take advantage of your organization’s antivirus and other cybersecurity tools, your team members can greatly reduce the risk of unauthorized access.
HIPAA violations are all too common, but with the right education, tools, and technology, your organization can stay out of the danger zone.