HIPAA Violations & Tips to Stay Compliant
The Security and Privacy Rules of the Health Insurance Portability and Accountability Act (HIPAA) protect every patient’s health information. Healthcare providers, health plans, and healthcare clearinghouses are the three categories of organizations that are considered covered entities under the Act, so all businesses in those industries must be well aware of HIPAA requirements.
A covered entity cannot contract its way out of HIPAA. When an outside party (such as a web hosting service) creates, receives, maintains, or transmits protected health information on the entity’s behalf, the entity must sign a business associate agreement (BAA) with that party before handing over any data. The agreement spells out the associate’s obligations, and since the 2013 Omnibus Final Rule business associates are directly liable for their own compliance with the Security Rule; the covered entity nevertheless remains responsible for the information it entrusts to them, as described by the US Department of Health & Human Services.
What Happens If You Violate HIPAA Laws?
Unfortunately, avoiding HIPAA violations is not as easy as it first may appear. If any employee in a company violates the HIPAA stipulations, even unintentionally, the company can be fined up to $1.5 million per calendar year for violations of any one provision (the cap set in the regulation, which HHS adjusts annually for inflation; several provisions violated at once each carry their own cap). Below are several of the most frequently occurring HIPAA violations, along with advice for avoidance.
What Is Considered a Violation of HIPAA?
Legally, a HIPAA violation occurs when any HIPAA standard or implementation specification is not complied with. In practical terms, most HIPAA violations fall under one or more of the following broad categories:
- Protected health information is disclosed without permission
- Protected health information is accessed by an unauthorized party
- Protected health information is improperly disposed of
- Patient files are stolen or lost
- Protected health information is shared online, such as on social media, without consent
- Protected health information is shared via text message without consent
- Protected health information is mishandled or sent to the wrong person
- Protected health information access logs are not adequately maintained and monitored
- Controls are not put in place to restrict access to protected health information
- Protected health information is not encrypted properly
- The right to access protected health information is not terminated when no longer necessary
- More protected health information than necessary is disclosed in order to complete a certain task
- Patients are not provided with copies of their protected health information when they request it
- Compliance efforts are not adequately recorded
- A HIPAA covered entity fails to conduct a proper risk analysis
- A HIPAA covered entity fails to properly manage the risk of HIPAA breaches
- A HIPAA covered entity or business associate fails to notify the affected individuals, HHS and (where required) the media without unreasonable delay, and in any case within 60 days of discovering a HIPAA breach
- HIPAA and security training is inadequate
- A HIPAA covered entity does not first enter into a HIPAA-compliant agreement with business associates or vendors before offering access to protected health information.
Typical HIPAA Violations – Healthcare privacy and security violations
Incorrect selection of data
New England Medical Transcription (NEMT) reports that it repeatedly sees the following violations in confidential healthcare transmissions. NEMT’s list focuses heavily on incorrect data selection:
- CC’ing an unintended party on an email containing PHI (protected health information)
- selecting an incorrect patient’s chart
- selecting an incorrect dictator when sending transcriptions
- selecting incorrect numbers (medical record, account, or ID)
- inputting an incorrect doctor
- disclosing healthcare information to third parties without consent
- waiting or generally neglecting to notify compliance officials or other appropriate personnel of any possible data breaches
- throwing away confidential healthcare documents in an unauthorized way (making them susceptible to theft).
NEMT also notes an additional compliance issue that can arise, although it does not occur as frequently as the above in their experience: record access without cause. Regardless of whether an individual or facility has the right to review the record, there still must be a justifiable reason (a treatment, payment or operations purpose) associated with each instance of access, and that reason should be reconstructible from the audit trail after the fact.
OneSource Document Management lists several additional violations. Many of the problems cited by OneSource are contractual errors:
- accepting patient authorization forms with missing information (any of the following: full name of the patient, entity to which the health records are to be released, elements of the PHI/EMR (electronic medical records) that have been cleared for disclosure, and the end date through which permission is granted)
- omitting a clause related to revocation (a right that needs to be clearly stated on a HIPAA authorization form for it to be legitimate)
- neglecting to sign updated business associate agreements (BAAs) with all applicable third parties – external organizations that handle healthcare data on your behalf, such as a hosting service – per the 2013 Omnibus Final Rule, outlining their role with regards to HIPAA compliance.
- disclosing patient data beyond the dates established in the relevant HIPAA contract, which typically involves an employee failing to double-check the authorization prior to release.
- storing PHI on laptop PCs without appropriate safeguards, above all full-disk encryption (in 2012 lost and stolen laptops accounted for the highest number of HIPAA violations). A device encrypted in line with HHS guidance that is lost or stolen does not trigger breach notification; an unencrypted one does. Keeping PHI on HIPAA-compliant cloud hosting and accessing it remotely reduces the exposure, but only if the data is not also cached, downloaded or synced to the local disk.
Recommendations to avoid HIPAA violations
Of course, knowledge of some of the most common offenses, as described above, is helpful for your organization to avoid HIPAA compliance fines. Medical Office Today offers several pieces of additional advice to protect your business:
- Fully secure all PHI and EMR. Restrict access to the data to named, individual accounts and designate a compliance officer on your staff (if you haven’t yet) to own the access list and review it regularly. Do not fall back on a single shared password that the compliance officer hands out: the Security Rule requires unique user identification precisely so that every chart access can be traced to one person, and a shared credential cannot be revoked for one departing employee without resetting it for everyone. Enforce strong, regularly rotated passwords, ideally generated by a password manager, and require two-factor authentication for access.
- Creation/development of protective policies. Institute management policies to make it less likely that patient health information gets into the wrong hands. Notify all personnel that every access to the EMR database is logged and monitored, actually review those logs for access that has no clinical or business reason, and supply appropriate training as needed.
- Simple and timely patient access. HIPAA gives patients a right of access to their records, and copies must be provided within 30 days of a request (one 30-day extension is allowed). The PHI software you use should allow patients to establish user accounts, which satisfies both compliance and efficiency goals. Verify the patient’s identity before issuing credentials, and make any temporary password single-use and short-lived so that it cannot be used to open someone else’s chart.
- Compliant disposal of hard-copy PHI. HIPAA places significant focus on digital communications, but controlling paper copies of EMR is critical as well. You want to either have all paper documents under lock and key, accessible only to the appropriate staff members, or keep all the paperwork at a fully secured external location. Shredding of any paperwork for disposal should either be conducted in-house, with extreme care, or through an expert third party. Be careful that labels on the outside of patient folders do not convey health details.
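NEMT’s “record access without cause” and the recommendation above that EMR access be logged and monitored both come down to the same check: every chart open in the audit log should map to a documented reason. The following is an added example, written for this page and not code from NEMT, Medical Office Today or any EHR vendor. It assumes a hypothetical audit log format (one CSV line per chart open: timestamp, user id, role, patient id, action) and a hypothetical “treatment relationship” table listing which users were on which patient’s care team, or handled their billing, and when. Both datasets below are constructed for the example. It flags two things the page describes: access with no documented relationship to the patient, and a user opening many distinct charts in a short window, which is the signature of snooping or a bulk export.

```python
"""Flag EHR chart accesses that lack a documented reason (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log. Fields: timestamp,user,role,patient,action.
AUDIT_LOG = """\
2024-03-04T08:02:11Z,u1001,physician,P-4471,chart.view
2024-03-04T08:05:40Z,u1001,physician,P-4471,chart.edit
2024-03-04T08:10:02Z,u2002,nurse,P-4471,chart.view
2024-03-04T11:31:55Z,u3003,billing,P-9920,chart.view
2024-03-04T12:00:07Z,u3003,billing,P-9921,chart.view
2024-03-04T12:00:19Z,u3003,billing,P-9922,chart.view
2024-03-04T12:00:31Z,u3003,billing,P-9923,chart.view
2024-03-04T12:00:44Z,u3003,billing,P-9924,chart.view
2024-03-04T12:00:58Z,u3003,billing,P-9925,chart.view
2024-03-04T14:45:00Z,u2002,nurse,P-8810,chart.view
"""

# Constructed treatment/payment relationship table (hypothetical source: the
# scheduling and billing systems): (user, patient) -> (first day, last day)
# on which that user had a legitimate reason to open the chart.
ENCOUNTERS = {
    ("u1001", "P-4471"): ("2024-03-01", "2024-03-10"),
    ("u2002", "P-4471"): ("2024-03-04", "2024-03-04"),
    ("u3003", "P-9920"): ("2024-03-01", "2024-03-31"),
}

BULK_THRESHOLD = 5               # distinct patients per user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window

def parse_log(text):
    """Parse CSV audit lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events

def has_relationship(user, patient, ts):
    """True if the user had a documented reason to access the patient on ts."""
    window = ENCOUNTERS.get((user, patient))
    if window is None:
        return False
    start, end = (datetime.strptime(d, "%Y-%m-%d") for d in window)
    return start <= ts < end + timedelta(days=1)   # last day is inclusive

def find_access_without_cause(events):
    """Role alone is not a reason: each access needs a relationship record."""
    return [e for e in events
            if not has_relationship(e["user"], e["patient"], e["ts"])]

def find_bulk_access(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Per user, report the first sliding window with >= threshold patients."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            patients, j = set(), i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                patients.add(evs[j]["patient"])
                j += 1
            if len(patients) >= threshold:
                hits.append((user, evs[i]["ts"], len(patients)))
                i = j          # report each burst once, then move past it
            else:
                i += 1
    return hits

def audit(log_text):
    """Run both checks; timestamps are returned as ISO strings for reporting."""
    events = parse_log(log_text)
    return {
        "access_without_cause": [
            (e["ts"].isoformat(), e["user"], e["patient"], e["action"])
            for e in find_access_without_cause(events)],
        "bulk_access": [
            (user, ts.isoformat(), n) for user, ts, n in find_bulk_access(events)],
    }

if __name__ == "__main__":
    report = audit(AUDIT_LOG)
    for row in report["access_without_cause"]:
        print("no documented reason:", *row)
    for row in report["bulk_access"]:
        print("bulk chart access:", *row)
```

On the constructed data the nurse’s afternoon access to P-8810 and the billing user’s run through P-9921 to P-9925 are flagged as having no documented reason, and the same run is also flagged as a bulk access, while the nurse’s morning access to P-4471 passes because the relationship table shows them on that patient’s care team that day. The important design choice is that role (“nurse”, “billing”) is never accepted as a reason on its own, which is exactly the point NEMT makes: the right to review records does not by itself justify any particular access.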
Can You Get Fired for a HIPAA Violation?
Most HIPAA violations happen unintentionally, but that doesn’t mean that there aren’t consequences to be faced. Given the hefty fines your employer faces for a violation of the HIPAA rules, you might be forgiven for worrying about your job.
There is no clear-cut answer. A lot will depend on the seriousness of the HIPAA violation, as well as the outcome of investigations conducted by the organization involved in the breach.
However, it is worth noting that if you unintentionally acquired, accessed or used protected health information in good faith and within the scope of your authority, and the information was not further used or disclosed, the incident does not count as a breach under the HIPAA definition.
When investigating a breach, lots of questions will be asked, including how the breach occurred, what this means for the individuals whose health information has been disclosed, and what legal issues might result from the breach.
There is no rule that prevents an employee from being fired for committing a HIPAA breach. So whether you get to keep your job would depend on how serious your employer judges your involvement in the breach to be, the policy of the organization and even your boss’s mood that
It is worth noting that some HIPAA covered entities already have their own rules regarding HIPAA breaches which may or may not involve immediate termination of employees who cause such violations. Your company’s HR department should be able to advise you as to what to expect.
Can You Sue for a HIPAA Violation?
What happens if you’re an individual whose protected health information has been violated? Can you sue the pants off whoever is responsible?
The short answer is, no, you cannot sue based solely on a violation of HIPAA.
However, you might be able to sue based on other points of state law, such as for losses and distress suffered as a result of the disclosure.
Here are the steps to take if you’ve had your personal health data breached.
- File a complaint – You have a right to file a HIPAA Privacy Complaint with the HHS Office for Civil Rights (OCR) within 180 days of learning of the breach. OCR reviews every complaint and investigates those that describe a possible violation; where it finds one, it may require corrective action or impose civil money penalties, and it refers possible criminal violations to the Department of Justice.
- File a complaint against the healthcare professionals involved – Your state’s department of health can receive complaints made against physicians, nurses and other healthcare professionals licensed by them. Each state’s complaint filing procedure is different, so you will have to get in touch with them or consult their website for more information.
- File a report to Medicare or other third-party payer or insurer – If your medical bills are being taken care of by Medicare, a health insurer or some other third-party insurer, you can file a complaint to them so they can investigate the case. Even if there is no outcome, a copy of your report can be submitted as evidence if you do decide to go to court.
- Commence a lawsuit – Depending on your state, you might be able to sue for a breach of confidentiality of patient or medical records, which could result in damages for negligence or invasion of privacy. Of course, the viability of such a lawsuit would depend on your ability to submit proof of damages. You will need to show documented evidence of loss or suffering and be able to prove it arose from the breach. If you’re thinking of filing a lawsuit, it is key to keep all documentation including bills and receipts that can prove any loss or damage suffered by you. Another option is to join the other individuals affected in a class action lawsuit. A greater number of plaintiffs can be persuasive, but all the same caveats apply.
It is worth noting that lawsuits can be very expensive. So, unless you have suffered a great, documented and provable loss due to the breach, it might not be worthwhile trying to sue the parties responsible.
That said, go right ahead and file complaints to the relevant bodies if you feel that the responsible parties should be investigated further.
Taking advantage of HIPAA-compliant business associates
HIPAA violations can be extremely costly, and staying compliant represents a time-consuming hassle for many healthcare organizations. Using fully HIPAA-Compliant Hosting solutions can remove much of the stress by letting a company with two decades of data center expertise stand guard over your PHI under a signed business associate agreement, while your organization keeps responsibility for how its own staff handle the data. We offer a full lineup of 100 percent HIPAA-Compliant Server solutions.
Comic words by Kent Roberts and art by Leena Cruz.