10 Most Common HIPAA Violations
The Health Insurance Portability and Accountability Act, also known as HIPAA, was passed in 1996 to uphold standards for the security, privacy, and transferability of personal health information. Under the HIPAA law, healthcare professionals are required to protect the privacy of patients’ personal health information and never disclose it without patient authorization. The law also gives patients the right to obtain copies of their medical records. HIPAA is always an important consideration for medical practices of all sizes.
As a healthcare professional, it is important that you stay up to date with changes to HIPAA’s rules and regulations. Potential violations could not only damage your medical practice’s reputation but also result in significant criminal and civil fines, ranging anywhere from $100 to $1.5 million. What’s more, you could be at risk of losing your medical license. The civil penalty tiers are:
- Unknowing violation:
  - Minimum fine: $100 per violation and $25,000 for repeat violations
  - Maximum fine: $50,000 per violation with a $1.5 million annual maximum
- Reasonable cause:
  - Minimum fine: $1,000 per violation and $100,000 for repeat violations
  - Maximum fine: $50,000 per violation with a $1.5 million annual maximum
- Violation that can be corrected within the required time period:
  - Minimum fine: $10,000 per violation and $250,000 for repeat violations
  - Maximum fine: $50,000 per violation with a $1.5 million annual maximum
- Violation that cannot be corrected within the required time period:
  - Minimum fine: $50,000 per violation with a $1.5 million annual maximum
  - Maximum fine: $50,000 per violation with a $1.5 million annual maximum
In many instances, HIPAA violations arise from a poor understanding of the rules and regulations rather than from malicious intent. In fact, many violations can be prevented by ensuring that your medical staff is well trained and by implementing policies that protect against breaches.
While every HIPAA violation should be considered a potential threat to your medical practice, some violations are far more common than others. To help you understand more about them, here are the 10 most common HIPAA violations:
1. Mishandling patients’ medical records
Mishandling patients’ medical records is a very common HIPAA violation. Sometimes, you or one of your staff members might accidentally leave a patient’s chart behind for another patient to see. This is a violation of their privacy. All medical records should be locked in a filing cabinet or office, safely out of public view. Moreover, digital files should always be protected by secure passwords, so that only authorized users can access them.
2. Disposing of patients’ medical records improperly
Properly disposing of patients’ medical records is an absolute must. When training staff members on HIPAA rules and regulations, it is vital that they understand that any material containing PHI (protected health information) that needs to be destroyed should be shredded, deleted, or wiped from the hard drive. If any of this information falls into the wrong hands, it can lead to a severe HIPAA violation.
3. Lost or stolen devices
Theft of PHI includes stolen diagnosis and treatment information, social security numbers, prescriptions, and more. If the information on devices such as laptops, smartphones, and desktops is not password protected or encrypted, the loss or theft of a device can result in HIPAA fines. Therefore, it is important that no device is left unattended where patient-specific information on it could be accessed.
4. Unencrypted information
Encrypting information adds an extra layer of protection if a device is ever lost or stolen. Under the HIPAA law, most states require patients’ medical records to be encrypted, which eliminates the majority of data breaches and prevents the consequences of a violation.
5. Hacking
In a healthcare setting, hacking is a severe threat to patient privacy. Hackers may use patients’ medical records for malicious purposes, and it is your duty to prevent this from happening. Using firewalls, creating unique and secure passwords, and keeping antivirus software up to date are some examples of important approaches to preventing hacking.
6. Lacking in proper medical staff training
Medical staff HIPAA training is not just a recommendation; it is a requirement under the HIPAA law. Every staff member in your medical practice with access to patient health information should be well trained and educated on HIPAA rules and regulations. They should also be fully aware of the policies created and implemented by your medical practice.
7. Medical staff gossiping / disclosing personal patient information
Medical staff gossiping about or disclosing personal information about patients to friends, family members, or colleagues is a HIPAA violation that could cost your practice a hefty fine. Inform your staff members that they should always be aware of their surroundings. They should restrict private conversations regarding patient health information to closed-door settings and to appropriate colleagues only.
8. Posting patient health information on social media
Posting a patient’s personal health information on social media is a clear HIPAA violation. For instance, posting a photo of a patient, even without their name, is a breach of their privacy. Before sharing or releasing any information on social media networks, it is important to receive patient authorization. Written consent is required for the use or disclosure of any individual’s personal health information.
9. Texting patient information
Texting patient information, such as test results, may seem harmless, but hackers can easily access this information. Potentially putting patients’ personal information into the wrong hands is a clear violation under the HIPAA law. Installing an encryption program is only a safe choice if both parties have the program installed on their devices, and this is usually not the case.
10. Accessing patient health information on home computers
Accessing patient information on home computers could potentially result in a HIPAA violation. For instance, if you accidentally leave your monitor on and another individual sees the information, this is a violation of patients’ privacy. Moreover, if your computer is infected with a virus, this increases the risk of patient information being accessed or stolen. Make sure your computer is protected with a secure password and keep all work-related mobile devices out of public view.
Other scenarios that violate HIPAA include the following:
- Staff members attempting to access patient medical records without authorization;
- Failing to abide by expiration dates on patient medical records;
- Failing to release patient medical records in a timely manner;
- Failing to destroy outdated or inaccurate patient information;
- Releasing private patient information to unauthorized recipients;
- Releasing the wrong patient’s information to unauthorized recipients;
- Releasing private health information that the patient has not authorized;
- Making errors when storing patient medical records;
- Not including the right-to-revoke clause in patient paperwork;
- Accepting incomplete patient forms (missing information such as the patient’s signature);
- Discussing private patient information with friends or family members, or over the phone in a public area;
- Releasing private health information about a minor without a parent’s or guardian’s consent.
Ultimately, such scenarios can be avoided by performing HIPAA compliance checks on a regular basis and monitoring workflows. In general, following best practices can ensure the efficiency of your medical practice. For instance, establish a secure, encrypted system for all patient records and make workflows paperless. Use protective measures such as strong passwords and firewalls to protect sensitive documents and emails. Moreover, consider inspecting devices periodically to ensure their software is up to date and in accordance with the latest regulations. It can be easy to make a simple mistake that results in a HIPAA violation; however, with the proper training and technology, you can ensure your medical practice has the right balance of security and compliance.
Looking towards the future of healthcare, protecting patients’ privacy is just as important as providing quality care. It is apparent that steps need to be taken to enforce safeguards such as medical staff training, secure communications, protection of digital health information, and more. Most violations can be easily prevented by keeping your medical staff well educated on HIPAA rules and regulations and making sure that your policies are up to date with what the law requires. Furthermore, be careful with private patient information and do not disclose it to unauthorized parties. The safety and privacy of your patients’ health information should be your top priority.