8 Common HIPAA Violations and How to Avoid Them

Posted on Sep 25th, 2019 | Category: Blog


Professionals in the medical industry are all too familiar with HIPAA and the responsibilities it brings. Failure to follow HIPAA can result in fines, sanctions, and even loss of licenses. But even today, violations are commonplace.

HIPAA, or the Health Insurance Portability and Accountability Act, was established in 1996, the first standard created to protect patient information. Under HIPAA, healthcare providers are restricted from sharing or transferring protected health information (PHI) without patient authorization. Other rights under the act include the right to obtain or amend a copy of one’s medical record.

Safeguarding PHI isn’t just a matter of compliance but of patient safety. By reducing HIPAA violations, healthcare providers can protect their personnel as well as their patients.

Here are a few of the most common explanations behind HIPAA violations:

1. Employee Negligence

Whether through willful disregard or genuine ignorance of the act, HIPAA is often broken by employees sharing information when they shouldn’t. Typically, this happens when personnel inadvertently share patient names, health plans, conditions, and other information with friends or family. This can be through:

  • Gossip with another employee, friend, or family member
  • Sharing access (password/login info) with unauthorized parties
  • Casual discussion with a patient’s friend or acquaintance
  • Leaving data unattended
  • Lack of proper HIPAA training

But this can also happen when coworkers are talking to each other (without peer review or necessary authorization).

Solution: Every new hire, intern, partner, and medical professional in the company must be educated on the importance of HIPAA. Remind employees frequently not to discuss patient information in open, public settings. Patient information should never be shared without the patient’s explicit authorization, even at home.

2. Unsecured Data Storage

Employees may use printed readouts on a clipboard, or they may read the information on a computer. But they must always remember to secure the data when not in use — leaving sensitive data in the open leaves it vulnerable to hacking or theft. Even data on a digital device is at risk of being stolen if the device itself is not locked down or adequately secured.

Solution: Keep physical documents locked in storage cabinets. Patient data should be encrypted and password-protected, and kept on physically and electronically secure devices.

3. Texting, Social Media and Other Unsecured Communication

While this could be categorized under the previous point, data leaks through texting or posting on Facebook are so commonplace that they deserve their own spot. Even on popular phones like iPhone and Android, texts may seem innocuous. But without full network security, hackers and other cyber criminals may be able to intercept the messages. The same goes for any social network: no matter how private, it is always at some risk.

Solution: Avoid transmitting sensitive patient information through conventional means. Always rely on trusted, industry-approved technology solutions for delivering sensitive data. The specific application may vary between healthcare providers.

4. Accessing PHI From Unsecured Locations

Medical professionals may sometimes need to access patient data remotely, whether at home, at a cafe, or abroad. Unfortunately, there’s no guarantee that these networks or devices meet HIPAA requirements. Public Wi-Fi may allow other guests to intercept the data, and computer screens left unlocked may attract unwanted attention.

Solution: Restrict personnel from accessing data from unsecured locations like libraries or cafes. If they must access data from home, make sure their devices are HIPAA-compliant and that the professional has adequate training.

5. Unauthorized Personnel Access

Medical professionals may choose to access patient data without patient authorization. Whether it’s out of curiosity, spite, or personal gain, this is still illegal and subject to major fines or imprisonment. Working in the same unit, company or building does not give you the right to access HIPAA-protected information.

Solution: Always get written consent and go through the proper channels before assuming access. Make sure that every data request from new hires and interns has the necessary authorization, even if it’s only to check a patient’s name.

6. Improper Device Disposal

Computers can eventually malfunction or become obsolete, but healthcare providers must still ensure they are disposed of properly. Just because a computer will no longer turn on does not mean the data is destroyed. Cached or downloaded files may still live on the hard drive or SSD.

Solution: Hire a reputable data destruction company to remove and erase sensitive information properly. Companies like Securis are known for safely shredding and incinerating hard drives, phones, and other storage devices, even going as far as GPS-tracking their trucks.

7. Form Violations

Patients can set the time window and the purpose of an authorization. If the healthcare provider continues to disclose or access the patient’s information after the terms of the form have lapsed, that constitutes a HIPAA violation. In addition, the provider may fail to get the patient’s signature, rendering the form useless and the access unauthorized.

Solution: Always ensure the patient is fully aware of the authorization terms, and that their consent form bears their signature. Don’t forget to educate them on the right-to-revoke clause: their legal ability to void the authorization.
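The checks behind points 5 and 7 (a named requester, a signed form, a validity window, a stated purpose, and the right to revoke) can be expressed as a single access decision. The following is an added example written for this article, not code from the original post or from Securis; the `Authorization` model, the identifiers (`PT-1001`, `RN-42`) and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

@dataclass
class Authorization:
    """One patient authorization form (constructed model, not a real HIPAA schema)."""
    patient_id: str                     # patient who granted the authorization
    grantee_id: str                     # staff member named on the form
    purpose: str                        # purpose the patient approved
    valid_from: date                    # start of the authorization window
    valid_until: date                   # inclusive end of the window
    signed: bool                        # an unsigned form grants nothing
    revoked_on: Optional[date] = None   # date the patient revoked the form, if any

def check_access(auth: Authorization, requester_id: str, patient_id: str,
                 purpose: str, on: str) -> Tuple[bool, str]:
    """Decide one record request made on ISO date `on`; return (allowed, reason).
    Each denial reason maps to a violation category from the post."""
    when = date.fromisoformat(on)
    if auth.patient_id != patient_id:
        return False, "form covers a different patient"       # 8. misidentification
    if auth.grantee_id != requester_id:
        return False, "requester is not named on the form"    # 5. unauthorized personnel
    if not auth.signed:
        return False, "form is unsigned"                      # 7. missing signature
    if auth.revoked_on is not None and when >= auth.revoked_on:
        return False, "authorization was revoked"             # 7. right to revoke
    if not (auth.valid_from <= when <= auth.valid_until):
        return False, "authorization window has lapsed"       # 7. lapsed terms
    if auth.purpose != purpose:
        return False, "purpose does not match the form"       # 7. purpose limit
    return True, "access permitted"

def sample_authorizations() -> dict:
    """Constructed sample forms covering the signed, unsigned and revoked cases."""
    window = (date(2019, 9, 1), date(2019, 9, 30))
    return {
        "signed": Authorization("PT-1001", "RN-42", "treatment", *window, signed=True),
        "unsigned": Authorization("PT-1001", "RN-42", "treatment", *window, signed=False),
        "revoked": Authorization("PT-1001", "RN-42", "treatment", *window, signed=True,
                                 revoked_on=date(2019, 9, 10)),
    }
```

Every denial reason is a reportable event: log it with the requester, patient and date rather than silently refusing, since the post's closing advice is to report violations regardless of size.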

8. Misidentification

While usually an accident, this occurs when a doctor incorrectly accesses a different patient’s file. This may happen through computer glitches or simply human error. In any event, the consequences remain just as dire as for all the other violations.

Solution: Double-verify every patient’s identity before accessing data. Biometric patient identification is also becoming more common, and is a safer way of preventing identity mistakes.

Protecting Personnel and Patients

HIPAA is admittedly a challenge for any major healthcare provider. Ensuring thousands of devices remain secure while training tens of thousands of employees will not always go according to plan.

But whether the cause seemed innocent or alarming, and regardless of whether it was a small error or a significant breach, always report HIPAA violations. At the end of the day, the act is there to protect the providers as well as the patient.

Learn more about how Securis helps medical providers protect sensitive data at our website.