By Benjamin J. Fenton, Partner, Fenton Law Group
HIPAA regulations are complex and can change from year to year, so it can be difficult to stay up-to-date on the latest rules and know which violations occur most frequently. With fines for HIPAA violations reaching as high as $50,000 per occurrence, medical practices need to ensure that they are always HIPAA compliant. Below are some of the most common HIPAA violations occurring today. Ensuring that your personnel are well-trained in HIPAA compliance and helping them understand which violations occur most often can help protect your practice from violations and the associated consequences.
1. Hacking
Hacking is a serious threat that can happen to anyone. In 2020 alone, more than 300 hacking incidents were assessed for HIPAA violations. You might wonder what hackers could do with the Protected Health Information (PHI) they obtain. There are two possible reasons for these incidents.
- Hackers sell the information to third-party organizations that benefit from the data.
- Hackers use ransomware to encrypt a person’s data, then may threaten to publish data or block access unless a ransom is paid.
Below are several best practices that you can follow to protect your practice from hacking:
- Make sure that all anti-virus software stays updated.
- Use encryption.
- Change passwords regularly, especially on important devices.
- Limit access to devices and information based on employee status.
2. Unauthorized Access
One of the most common HIPAA violation examples is when employees access data they are not authorized to view. Even if they do it out of curiosity, this is still a violation and can result in both an information breach and a fine. It is even worse when your own staff sells PHI for personal gain.
Based on the HIPAA Security Rule, covered entities, as well as their business associates, should limit access to electronic PHI (ePHI) only to authorized individuals. Setting up an authorization system is one way to ensure employees can only access data that is relevant to their role.
3. Failure to Use Encryption
Encrypting PHI is one of the best methods to prevent data leaks from happening in your practice. If encrypted PHI is breached, it isn’t a reportable security incident unless the key to access the encrypted data is stolen as well.
Although encryption is an "addressable" rather than a required specification under the HIPAA Security Rule, it provides clear security benefits. If your practice decides not to use encryption, you need to document that decision and have an equivalent security measure in place instead.
4. Loss or Theft of Company Devices
A common HIPAA violation is losing company devices that contain PHI.
In 2017, Lifespan Health System ACE suffered a HIPAA breach and a $1,040,000 HIPAA penalty after the theft of an unencrypted laptop. An employee had left the laptop in their vehicle, which was broken into. The laptop contained more than 20,000 personal details. To make matters worse, the device itself was not password protected. Although Lifespan ACE tried to remedy the situation, they could not stop the information from being misused.
While theft cannot be prevented at all times, adding encryption to company devices, as mentioned above, helps prevent information leaks and safeguards patient data even if the device gets stolen.
5. Sharing Personal Information
All confidential data, PHI included, should be on a need-to-know basis. Although it appears harmless to discuss details with colleagues, it can easily cause information leaks which result in lawsuits.
To prevent the spread of personal information, ensure that sensitive information is shared securely and only with authorized staff. Even talking about patient information with loved ones is a HIPAA violation.
6. Failing to Dispose of Unneeded PHI
It is vital that your employees securely store or dispose of PHI that is no longer needed, such as digital and physical documents. Forgetting to secure documents can lead to these files falling in the wrong hands, and thus result in a violation. The best approach is to keep the information in a secure place or securely destroy unnecessary documents so that they can no longer be accessed.
7. Accessing PHI from an Unsafe Location
Many clinicians are used to working after hours, and at times may try to gain access to PHI from their personal computers. Although this can appear harmless, it can have significant consequences. For example, a family member using a physician's computer can easily stumble upon confidential documents, especially when the computer is unsecured. They may also accidentally introduce malware that hackers use to steal PHI.
To prevent this, have a dedicated computer for any confidential information and only access the device from secure locations.
8. Texting Confidential Data
Although sending patient information through text may seem quick and effective, it provides hackers with another way to get their hands on such data. You are not allowed to put patient information in a text message because it is not an encrypted form of communication. Getting caught doing so can result in a violation and fine. You are also legally obliged to report such violations.
There are messaging apps available that encrypt data for more secure communication, but often they do not fulfill the technical safeguards to meet HIPAA requirements, and personal devices may be lost or stolen.
You can use reliable electronic medical record (EMR) software to share information with colleagues efficiently and securely.
9. Denying Your Patients Access to Health Records
According to the HIPAA Privacy Rule, patients have the right to access their medical data and acquire copies of records upon request. Denying your patients access to health records, overcharging them for copies, or simply failing to supply their data within 30 days are grounds for a HIPAA violation.
10. Failing to Enter into a HIPAA-Compliant Business Associate Agreement
Your practice must enter into a HIPAA-compliant Business Associate Agreement with any vendor that has access to PHI. This contract specifies each party’s responsibilities with PHI and clarifies how they expect each other to secure data.
Even with a Business Associate Agreement, a vendor may still be out of HIPAA compliance. This is especially true if the agreement has not been revised after the Omnibus Final Rule or other updates to HIPAA regulations.
11. Issuing Breach Notifications Exceeding 60 Days
According to the HIPAA Breach Notification Rule, covered entities are required to issue notifications to relevant parties regarding breaches without unnecessary delay. This means providing notification no later than 60 days after discovering the data breach.
12. Impermissible Disclosures of Protected Health Data
Impermissible disclosures of protected health data include potential disclosures after the loss or theft of unencrypted laptop computers, disclosing PHI to a patient's employer, unnecessary disclosure of PHI, failing to adhere to the minimum necessary standard, and disclosing PHI after a patient's authorization has expired.
13. Releasing Patient Data to an Unauthorized Person
Without patient consent, healthcare providers may not release PHI for purposes other than treatment, payment for healthcare, or healthcare operations. Patients must fill out an authorization form before entities can legally disclose their PHI to a third party.
To prevent unauthorized disclosure, healthcare workers must ensure the proper authorization has been given. An authorization form is valid only if it has been signed by the patient or their representative.
14. Downloading PHI on Unauthorized Devices
It is not easy for healthcare IT personnel to monitor all devices connected to their network. Making sure that these connected devices are secured is a major task but is a requirement to be HIPAA compliant.
Employees need to be aware of the associated security and privacy risks when they download ePHI to unauthorized electronic devices. Unauthorized devices not only increase the risk of accidentally disclosing ePHI in case the device is lost or stolen, but can also be seen as theft and a HIPAA violation.
15. Releasing Wrong Patient Data
Even if a patient has provided an authorization form, healthcare employees need to be careful with the types of data released to third parties. Each authorization form should include what types of data have been authorized by the patient to be released. Any details that have not been listed under the authorization form should remain confidential and private.
HIPAA violations are common and can seriously harm your practice’s finances and reputation. Familiarity with violations like those listed above can help you protect your practice and your patients and help ensure that your practice meets HIPAA requirements.
About the Author:
Benjamin J. Fenton is a litigator with significant trial and appellate experience. He regularly advises and represents healthcare providers and entities in healthcare business disputes, hospital peer review actions, and state and federal administrative actions and investigations. Ben regularly represents physicians and other healthcare providers before the Medical Board of California, the Osteopathic Medical Board, the Board of Registered Nursing, and other healing arts licensing agencies. Ben has extensive experience representing healthcare providers in Medicare and Medi-Cal disputes, such as overpayment demands, terminations or suspensions, and audits and investigations. Ben also regularly litigates business disputes in court, representing physicians and medical groups both as plaintiffs and defendants. He also represents healthcare providers in the defense of RICO, False Claims Act and Fraud and Abuse litigation.