The Security and Privacy Rules of the Health Insurance Portability and Accountability Act (HIPAA) protect every patient’s health information. Healthcare providers, health plans, and health clearinghouses are the three categories of organizations that are considered covered entities under the Act, so all businesses in those industries must be well aware of HIPAA requirements.
If the health organization itself does not want to handle all aspects of HIPAA compliance, it can sign a business associate agreement with an outside party (such as a web hosting service). The agreement makes the external party responsible for the specifics listed in the contract, as described by the US Department of Health & Human Services.
Unfortunately, avoiding HIPAA violations is not as easy as it may first appear. If any employee in a company violates the HIPAA stipulations, even unintentionally, the company could be fined up to $1.5 million (the yearly cap per business). Below are several of the most frequently occurring HIPAA violations, along with advice for avoiding them.
Typical healthcare privacy and security violations
Incorrect selection of data
New England Medical Transcription (NEMT) reports that it repeatedly sees the following violations in confidential healthcare transmissions. NEMT’s list focuses heavily on incorrect data selection:
- CC’ing an unintended party on an email containing PHI (protected health information)
- selecting an incorrect patient’s chart
- selecting an incorrect dictator when sending transcriptions
- selecting incorrect numbers (medical record, account, or ID)
- inputting an incorrect doctor
- disclosing healthcare information to third parties without consent
- delaying or generally neglecting to notify compliance officials or other appropriate personnel of any possible data breaches
- throwing away confidential healthcare documents in an unauthorized way (making them susceptible to theft)
NEMT also notes an additional compliance issue that can arise, although in their experience it does not occur as frequently as the above: record access without cause. Regardless of whether an individual or facility has the right to review the record, there still must be a justifiable reason associated with each instance of access.
OneSource Document Management lists several additional violations. Many of the problems cited by OneSource are contractual errors:
- accepting patient authorization forms with missing information (any of the following: full name of the patient, entity to which the health records are to be released, elements of the PHI/EMR (electronic medical records) that have been cleared for disclosure, and the end date through which permission is granted)
- omitting a clause related to revocation (a right that needs to be clearly stated on a HIPAA authorization form for it to be legitimate)
- neglecting to sign updated business associate agreements (BAAs) with all applicable third parties – external organizations that handle healthcare data on your behalf, such as a hosting service – per the Final Omnibus stipulations, outlining their role with regards to HIPAA compliance.
- disclosing patient data beyond the dates established in the relevant HIPAA contract, which typically involves an employee failing to double-check the authorization prior to release.
- using laptop PCs to store PHI, without appropriate security parameters installed (which, in 2012, represented the highest number of HIPAA violations and can be solved with HIPAA-compliant cloud hosting solutions for remote access).
Recommendations to avoid HIPAA violations
Of course, knowledge of some of the most common offenses, as described above, helps your organization avoid HIPAA compliance fines. Medical Office Today offers several pieces of additional advice to protect your business:
- Fully secure all PHI and EMR. Establish one password to get access to the data, and designate a compliance officer on your staff (if you haven’t yet) to safeguard the password. Adjust the password frequently, ideally with random password generation software, and use two-factor authentication for access.
- Creation/development of protective policies. Institute management policies to make it less likely that patient health information gets into the wrong hands. Notify all personnel that any instances of entry into the EMR database are logged and monitored, and supply appropriate training as needed.
- Simple and timely patient access. HIPAA requires that patients be able to review their EMR whenever they desire. The PHI software you use should be able to allow patients to establish user accounts. Usernames and temporary passwords can be supplied to all patients immediately, both for compliance and efficiency.
- Compliant disposal of hard-copy PHI. HIPAA places significant focus on digital communications, but controlling paper copies of EMR is critical as well. You want to either have all paper documents under lock and key, accessible only to the appropriate staff members, or keep all the paperwork at a fully secured external location. Shredding of any paperwork for disposal should either be conducted in-house, with extreme care, or through an expert third party. Be careful that labels on the outside of patient folders do not convey health details.
Taking advantage of HIPAA-compliant business associates
HIPAA violations can be extremely costly, and staying compliant represents a time-consuming hassle for many healthcare organizations. Using fully HIPAA-compliant and secure hosting solutions can remove the stress by allowing a company with two decades of data center expertise to stand guard over your PHI.
By Brett Haines; comic words by Kent Roberts and art by Leena Cruz.