Over the past 10 years, over 189,945,874 healthcare records have been exposed due to a breach.
HIPAA compliance is at the heart of all of the actions you take in your office… even if you aren’t realizing it. Many of the processes you enact serve to protect your organization from a breach, mishandling of PHI, and more. Yet, we hear of breaches frequently in the news and none of us are perfect. Human errors happen despite our best efforts. If we remain aware of the most common HIPAA violations, we can arm our practice with tools and knowledge to prevent them.
The 7 most common HIPAA violations include…
Failure to Perform an Organizational Risk Analysis:
Each year, your organization needs to perform a risk analysis to assess any vulnerabilities. At this time, you will discover any threats or risks that may exist to the PHI of your patients. This can be a long process, however, the tools available to help you can save you time and money. A risk analysis requires the following elements be present…
- Scope analysis
- Data collection
- Identification of Vulnerabilities
- How likely a threat is to occur
- Impact of potential threat
- Level of risk
- Review periodically/as needed
Failure to perform this analysis may result in a financial penalty for your practice. Even worse, failure to complete this analysis could leave your practice and patients open to outside threats.
Mismanagement of Security Risks:
It is likely that when your organization performs your risk analysis that potential threats will be revealed. When this happens, a risk management plan needs constructed and carried out. Risk analyses should not be treated as a check box on your HIPAA compliance check list… it involves work for your practice. If your practice knows of risks and fails to address them, your organization is at risk of receiving a penalty.
Excess Access to ePHI:
Not every individual at your practice needs access to ePHI data. If a personnel’s job role doesn’t require them to complete tasks involving this, limit their access to the information all together. This eliminates one potential risk of leaked ePHI and other malicious intent. This violation also occurs when individuals at your practice fail to securely send documentation to other providers in a secure manner. The financial penalty for this violation costs practice thousands when incidents happen.
Mishandling of Breach Notification after 60 Days:
The HIPAA Breach Notification Rule “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” 60 days is the deadline for this notification to be made after breach discovery by the covered entity. How much and to what extent notification needs to be made depends on how large of a breach took place. This one of the most common breaches and has cost health organizations hundreds of thousands.
Unnecessary Disclosures of PHI:
PHI should only be provided to the patients and other pertinent members of the care team. HIPAA specifically lays out who is permitted to receive and access this documentation in the HIPAA Privacy Rule. Disclosures outside of this are not permitted and will result in a violation of HIPAA. Another way PHI falls into the wrong hands is through lost or stolen laptops, computers, and phones that are not encrypted. This is considered careless handling of PHI and will land your organization in a world of trouble and fines.
When PHI is not disposed of properly, it is open to be used and interpreted by individuals who have nefarious intent. It is EASY to avoid this violation – practice safe disposal habits! If your practice still utilizes paper practices, simply shred your old documentation when it comes time to remove it. For those practices that click through EHR software, degauss, securely wipe, or destroy the electronic devices that ePHI was stored on. Covered entities that don’t dispose of PHI/ePHI properly face penalties.
Employee Mishandling of PHI:
Employees that tend to gossip in the office also put your practice at risk if they bring up an individual patient’s PHI. This is a HIPAA violation in itself and can cost the practice huge in fines. Employees need to be mindful of who they speak to about this information, and where they talk about it. Family and friends outside of the office should never be privy to this type of information. If it needs discussed at work, it should be in a private location with a coworker who needs to know the information.
ALL of the above common risks are preventable. None of these have to be an issue or concern for your organization if you practice due diligence. HIPAA is meant to protect a patient, and we are willing to bet that you are a patient, too. How would you want your PHI treated?