If you’re in healthcare, you’re familiar with HIPAA. But like anything written by the government, there are a million regulations and conditions within the law to consider. On top of that, healthcare regulations were made exponentially more complex with the Affordable Care Act.
Unless you invest a significant amount of time learning the law, it’s tough to know which regulations apply to you. Healthcare providers who aren’t careful can risk damage to their reputations, civil fines, and even criminal penalties.
HIPAA fines are no joke. Beth Israel Deaconess Medical Center in Boston was charged $100,000 because of a stolen laptop. Cignet Health in Maryland was fined $4.3 million because they were found to be grossly noncompliant.
Those are extreme examples, but they can happen. Imagine a $100,000 fine on your business. You’d probably have to declare bankruptcy and close your doors.
The consequences are just too great to be uninformed. Fortunately, the most common HIPAA violations occur in a few basic categories. In order to build a strong defense and maintain your patients’ privacy, be mindful of these potential violations.
1. Not destroying old information
Under HIPAA law, you are required to destroy outdated or incorrect medical information. It’s safe to do this on your own premises, by your own hand. In some states, you are permitted to hire a document destruction company to handle your waste, but it’s often easier and cheaper to shred it yourself
Never place patient healthcare information in the trash without destroying it. Place a paper shredder in a convenient place for your staff so they know to ruin it first.
2. Not releasing patient information quickly
HIPAA requires that you release medical records to your patients within a reasonable period of time upon their request. It’s not quite clear what “reasonable” means, but so far courts have fined organizations who took weeks to send the documents.
If your records are up to date and properly sorted (ideally via electronic recordkeeping), this shouldn’t take long. Have your staff check for release requests once per day.
3. Inappropriate information disclosure
This is the most common way medical information is compromised. Healthcare staff gossip with their coworkers in places where impermissible third parties can overhear, like the lunch counter or in waiting rooms. They also tend to recount their days to family members with too much detail.
Surprisingly, there have been numerous incidents of healthcare staff posting information or photos to social media websites. Even if these posts don’t include a name, their photos and circumstances can identify the patients.
You and your staff need to be careful about who is privy to patient medical information. The only time anyone outside of your organization discloses health information is when the patient has signed a medical release form.
Even with release authorization, you can only disclose information in the time and manner indicated on the form. Be sure all release forms include the proper patient information and a signature so there’s no confusion or misunderstandings.
Remember to always check the end date of a release form before disclosing information to make sure you aren’t outside the window (if you use practice management software, it should come with a locking feature for this).
4. Malicious outside access (or “hacking”)
Hacking can mean a lot of things. It’s a term that’s used loosely for many different infiltration techniques. It could mean…
- Someone discovered and avoided a technical vulnerability that gave them account access to your software and/or database.
- Someone “phished” you or your team. According to Health IT Security, “Phishing scams are a type of email or social engineering attack, where cyber attackers attempt to trick individuals into releasing personal information. This can be done through email or websites where individuals enter in certain data. Healthcare phishing scams are usually attempts at gaining sensitive patient information from employees, or company information that can then be used to gather patient data.”
- Someone social engineered their way inside. Social engineering is good old fashioned fast talking where the malicious party convinces you or your team that they deserve access. According to Security Metrics, “Social engineering often gets bypassed as part of a security strategy, because it’s not something that can be fixed through a new technology or a more secure password. The only way to protect against social engineering is employee training with frequent refreshers.”
As a small operation, hacking isn’t much of a concern because you don’t offer much value to the hacker. Still, you need to safeguard yourself as any information can be stolen and sold.
Use encryption, firewalls, and other security measures to block malware. Train your staff to recognize unknown email addresses (don’t assume the sender is who they say they are) and resist attempts for information from impermissible parties, no matter how reasonable they sound.
5. Misplaced or physical documents
Human error is unavoidable. If you use a paper documenting system, a document is guaranteed to be misplaced at some point. If that document contains sensitive information, you could be exposed to a violation.
The best course is to switch from a paper-based system to electronic medical records (for all documents, not just charts: everything from schedules to billing to intake forms). While it’s still possible to miscategorize an electronic record, the document isn’t left lying around for anyone to see.
6. Unsecured electronic devices
Your electronic recordkeeping system and operations software tools need to be protected from a cyber security standpoint. Encryption is a must (and a HIPAA requirement for all records in transit or on a disk). It’s wise to consult with an IT firm who specializes in medical data security. In many cases, it’s smart to utilize a cloud-based record model so data is never lost and can be accessed anywhere.
Hardware can be stolen or misplaced, as well. According to compliance experts at HIPAA One, mobile devices are most vulnerable to theft. Protect patient information by securing every device with two-factor authentication, well-crafted passwords, and encryption. If you have any easy-to-steal devices around your office, make sure they’re locked away securely before leaving at the end of the day.
7. Lack of a business associate agreement
In order for healthcare providers to use outside vendors for services, those vendors need to be certified HIPAA business associate. For instance, a physician’s’ office would hire an accounting firm to handle their books. The accountant is the HIPAA business associate. There needs to be a business associate agreement between both parties.
In order to stay HIPAA compliant, make sure you have a Business Associate Agreement with any third-party that has access to your PHI.
Preventing HIPAA violations
The best way to prevent violations is to keep yourself and your staff properly trained. One-time training isn’t enough. Your team needs refresher courses and notifications when regulations change.
Once you hire five or more people, it’s smart to implement a HIPAA compliance training program that your staff completes regularly. It should cover HIPAA regulations and your custom work policies.
Now that you know the most common violations and how to prevent them, steer yourself clear of those business-ending penalties. Keep in mind, however, that we only covered the most common. You should be intimately familiar with all HIPAA regulations that pertain to your business. You’ll find all the information you need on the U.S. Department of Health and Human Services website.