Did you know that more than 113 million people were affected by a HIPAA compliance breach in 2015? That’s an increase of 107 million from just five years ago.
Every day, an average of 17,000 patient records are compromised.
The Health Insurance Portability and Accountability Act of 1996 (i.e., HIPAA) was enacted to keep people’s personal health information, including medical records and billing information, secure. The rules and regulations are not only notoriously complicated and easy to misunderstand, but they also frequently change. However, feigning ignorance won’t work in your favor.
HIPAA compliance violations are a big deal, with fines ranging from a few thousand dollars to millions of dollars and even jail time in some cases. These rules don’t just apply to doctors and nurses but to anyone on your team who has access to sensitive health information.
In this post, we’re going to look at some of the ways that HIPAA compliance affects employees.
Why HIPAA Compliance Affects Almost All Departments
While most of us think that HIPAA applies only to doctors’ offices, hospitals, and other trained medical professionals, the reality is that it applies to many more people and organizations, including companies that create medical software as well as any third-party agencies or vendors (i.e., business associates) that provide services involving personal health information.
HIPAA applies to all sensitive health records, including occupational health records, Americans with Disabilities Act (ADA) records, flexible spending accounts (FSAs), and corporate wellness programs.
If your business fits any of these criteria, then almost every department and employee may be affected by HIPAA compliance, including
- Customer Support
- Sales & Marketing
This means that any employee who has access to these records, like your software engineers, frontline support staff, office manager, or HR team, should undergo HIPAA training at least once a year; to help off-set potential fines and lawsuits.
In addition, any third-party vendors the company works with must sign a business associate agreement and comply with HIPAA training and regulations. Many companies over the last decade have gotten into hot water because they didn’t execute a business associate agreement. Examples include North Memorial Health Care of Minnesota, which was fined $1.55 million, and the Raleigh Orthopaedic Clinic, P.A., of North Carolina, which was fined $750,000.
Complete a full risk assessment
Since HIPAA fines can exceed $2 million, it’s important to understand where your biggest compliance risks and vulnerabilities are.
Businesses can start by taking a free HIPAA compliance checkup to get a better understanding of their biggest blind spots and security vulnerabilities.
They should then follow up with a security audit of their company. Here are some things to think about during an audit:
- Who on your team has access to sensitive health information?
- What information do they have access to?
- How do they access it?
- How is it stored?
- What software are you using? Is the software HIPAA compliant?
- What data does that software have access to?
- Which third-party vendors and agencies are you working with? If they have access to sensitive data, have they signed the necessary business associate agreements (BAAs)?
Write and update company documentation and training regularly
HIPAA regulations change often. Updated documentation, privacy policies, and mandated team training are necessary to stay compliant.
In fact, even businesses that require staff to go through the required training each year but fail to document it may be fined for non-compliance. This is actually where some of the biggest fines happen.
Another common violation that can cost companies hundreds of thousands of dollars in fines is disposing of healthcare records improperly.
Most companies hire a chief privacy officer — usually an office manager or someone on the HR team — to help hold the team accountable.
Use HIPAA-Compliant Software
Nowadays, we use software to help us with just about every aspect of our jobs, from email and file-sharing to online forms and website hosting. It can be easy to overlook just how much information some software can access.
If you use software that isn’t HIPAA compliant, and it has access to (or stores) private health information about patients or customers, it is best practice to have proper controls in place to maintain the highest levels of privacy, security, and compliance.
One of the biggest software blind spots is cloud file-sharing. When sharing photos, documents, and other files, using HIPAA-compliant software can protect you.
Another blind spot is forms. According to one study, medical providers fill out an average of 20,000 forms each year. Using paper forms is tedious, wildly inefficient, and prone to all kinds of human error — from the dreaded coffee spill to flat-out misplacing a form. While it’s one thing to lose a volunteer signup form, it’s another to lose a paper form of someone’s drug prescription history, including their allergies.
It isn’t an exaggeration to say that switching to online forms can literally save lives. But you should use online form software that provides users with the tools to create, manage, transmit, and store HIPAA-compliant forms.
Encrypt data on smartphones and other portable devices
How many times have you seen someone leave their laptop open to go to the restroom, keep their phone on the table as they run to refill their drink, or lose their phone in the back of a taxi? All of these are prime examples of how sensitive health information can get into the wrong hands.
In fact, hospitals like Children’s Medical Center of Dallas were fined over $3 million for seemingly simple violations like the ones listed above.
Another common violation is downloading sensitive information to an unsecured device. This could be a doctor accessing patients’ records from their home computer because they left their encrypted laptop in their office, or a nurse downloading a patient X-ray on a smartphone that isn’t properly encrypted.
HIPAA compliance is nuanced, complicated, and ever-changing. It can impact pretty much everyone in your company. The risks are high and can set you back hundreds of thousands of dollars in fines.
About the Author
Annabel Maw is a Marketing Communications Manager at JotForm, a full-featured, HIPAA-compliant online forms platform that provides a robust data collection solution for healthcare professionals. Say hi @AnnabelLMaw