Is Your Practice Violating These HIPAA Regulations?
Fines for HIPAA violations can be up to $50,000 per incident. The maximum annual penalty for a violation is $1.5 million. Some of the largest HIPAA settlement fines have been paid by Advocate Health System in Downers Grove, Illinois ($5.5 million) and New York Presbyterian Hospital and Columbia University in New York City ($4.8 million) for compromising the protected health information (PHI) of their patients. With so much at stake, it’s critical for medical practices to remain HIPAA compliant.
HIPAA regulations are complicated and change frequently. It takes well-trained staff to ensure your practice is up-to-date with the latest changes. Some violations are more common than others. Is your practice violating these HIPAA regulations?
- Data Encryption
Encryption is a safeguard in the event that PHI is stolen or lost. If hackers somehow access a password-protected device, data encryption offers an additional level of security. The HIPAA regulations in some states require electronic PHI to be encrypted. In other states, this is not a HIPAA regulation, but it is advocated for every medical office.
- Hacking Protection
Hacking is a very real threat to medical offices. Hackers try to access patient information for malicious purposes. To protect PHI and avoid a HIPAA violation, you should ensure your antivirus software is up-to-date. Additional layers of protection, such as firewalls and password access, are also important. Staff should be trained to frequently change passwords to avoid getting hacked.
- Medical Record Security
All documents with PHI should be kept in a secure location at all times. This applies both to physical files, which should be kept in a locked desk or filing cabinet, and to digital files, which should be secured with passwords and encryption.
- Portable Devices
The importance of securing portable devices is evident from an incident in 2016 in which an iPhone containing a large amount of sensitive patient information, including social security numbers and diagnosis, treatment, and medication history, was stolen in Philadelphia. The phone was neither encrypted nor password-protected, leaving the PHI of hundreds of people vulnerable. A penalty of $650,000 was levied on the facility for this HIPAA violation. Ensure that all portable devices that contain PHI are stored in a secure location and are password-protected and encrypted so that the data remains protected in the event of theft.
- Employee Training
Untrained employees at a medical practice who do not know how to correctly handle PHI are a common source of HIPAA violations. Employee education and training are not merely a recommendation; they are required by law. Every staff member at your practice should be well versed in the policies and procedures necessary to ensure HIPAA compliance.
- Sharing PHI
As part of the training employees receive, gossiping about and sharing sensitive patient information should be strictly prohibited. What may seem like harmless chitchat could constitute a grave HIPAA violation costing your practice thousands of dollars in fines and penalties. Encourage employees who have access to PHI to be aware of what they share and where. Conversations about patient information should be conducted behind closed doors, out of earshot of anybody except authorized office personnel.
- Employee Behavior
Employee behavior, whether malicious or inadvertent, can constitute a HIPAA violation. If an employee who is not authorized to view PHI tries to access this information, it constitutes HIPAA noncompliance. Whether the intent was malicious or simply curiosity, the penalty is the same. Employees should, therefore, be trained to follow procedures that clearly outline who may access which information. The consequences of a HIPAA violation should also be reiterated from time to time.
- Disposal of Records
Proper disposal of records containing PHI is just as important as maintaining the integrity of current records. Staff members should be well versed in the procedures for disposing of records that contain social security numbers, medical diagnoses, and other PHI. Physical records should be shredded and destroyed. Electronic records should be wiped clean from devices and drives. Crumpling up a patient’s record and throwing it in the trash can, or leaving an electronic record in the recycle bin of a computer, constitutes a violation of HIPAA laws. Again, proper employee training is vital in ensuring compliance in this regard.
- PHI Disclosure
If medical personnel disclose a patient’s PHI to a third party, this constitutes a violation and could invite a penalty under HIPAA laws. PHI should only be shared on a need-to-know basis. Discussing PHI with a person who does not have the right to access this information is a direct HIPAA violation. Employee training is critical in ensuring that data breaches of this kind do not put your practice at risk.
- Release of Information
If any member of your staff releases information about a patient to the media, this constitutes a HIPAA violation. This typically occurs when the patient is a public figure or celebrity. Employees may also inadvertently release information to a member of the patient’s family who does not have proper authorization or a power of attorney to access the person’s health information. Sometimes the release of information is on account of human error, and PHI is disclosed to the wrong person by mistake. Even though the act is accidental, the punishment is similar to that for a malicious violation.
It is evident that employee training plays a critical role in avoiding some of the most common HIPAA violations that can put medical practices at risk of hefty penalties. In addition, clear policies and procedures in the workplace can help your practice stay HIPAA compliant.