How to protect sensitive patient information and avoid incurring hefty penalties
There’s a lot to juggle when running a medical practice, and the myriad of HIPAA requirements aren’t often top-of-mind for many administrators. However, HIPAA violations can cost you dearly.
Did you know that you can incur a fine of $50,000 per occurrence and a maximum annual penalty of $1.5 million per violation?
It’s important to ensure that your processes are HIPAA-compliant at all times and your staff is trained to adhere to the regulations.
To help you take the necessary steps so you can properly protect PHI (patient health information, such as social security numbers, medical procedures, diagnoses, etc.) and avoid hefty penalties, here are 10 common HIPAA violations and what you can do prevent them:
1. Unsecured Records Containing PHI
It’s not uncommon for busy medical staff to leave patient files or computers unattended or unsecured when things get hectic. However, this could violate HIPAA regulations, which require that all documents containing PHI be kept in a secured location at all times.
Make sure your employees remember to lock all paperwork containing PHI (e.g., in file cabinets or an office) and ensure that digital files are password protected.
2. Unencrypted Data
When electronic files containing patient data aren’t properly encrypted, it’s easy for criminals to steal the information if the files are leaked, passwords are cracked, or devices containing PHI are lost or stolen — which can lead to a violation of HIPAA regulations.
Add an extra layer of security by encrypting all your digital files that contain PHI or PII. In addition, if you work with third-party service providers, make sure all sensitive information is encrypted during transit and storage.
3. Data Breaches
Digital files containing patient information is a treasure trove for criminals who can steal the data and use it for malicious purposes. Hackers can breach your network in many different ways (e.g., phishing, malware, stolen devices, etc.) and gain access to electronic files containing PHI.
Protect your network by installing firewalls and using antivirus software. If you use a third-party service to process patient information, such as payment and invoicing, it should adhere to the highest compliant standard (e.g., HITRUST certified) to ensure the security of your patients’ information.
4. Improper Disposal Of Patient Records
If your staff is improperly disposing of files and documents that contain PHI in a way that allows criminals the opportunities to retrieve and misuse the information (e.g., left lying in a trash can or stored in a hard drive that’s being tossed), you’re violating HIPAA regulations.
Enforce a standard procedure for the proper disposal of records and documents in your medical practice. For example, physical paperwork should be shredded and electronic files should be completely wiped from a hard drive.
5. Insufficient Or Lack Of Employee Training
HIPAA requires that all employees who come into contact with PHI to receive proper training. The inability to provide the most up-to-date education on HIPAA policies and procedures is a violation of the law.
Implement a comprehensive employee onboarding process that includes training on HIPAA compliance. Send reminders about cybersecurity (e.g., how employees can prevent phishing attacks) and provide refresher training regularly to ensure compliance.
6. Unauthorized Release Of Patient Information
HIPAA requires a consent form to be submitted by the patient before PHI can be released to a third party — even if the request comes from another medical facility, an employer, or a family member. Otherwise, only dependents and those with a power of attorney are allowed to access PHI.
Implement a standardized procedure for PHI release requests and ensure that all your employees are trained to follow the process to avoid sensitive information being sent to a third party without prior authorization.
7. Failure to Perform an Organization-Wide Risk Analysis
Medical organizations need to perform organization-wide risk analysis regularly to identify vulnerabilities to the confidentiality, integrity, and availability of PHI. Failure to do so is a violation of the HIPAA regulations.
You can download this risk assessment tool developed by HHS’ Office of the National Coordinator for Health Information Technology and the Office for Civil Rights to understand the security risk assessment process.
8. Oversight in Entering HIPAA-Compliant Business Associate Agreements
When you engage a third-party service that involves the handling of PHI and neglect to enter a HIPAA-compliant business associate agreement to ensure that the vendor is taking the proper measures to protect patient information, you’re violating HIPAA regulations.
Always review all business associate agreements when you hire third-party service providers to ensure that they’re HIPAA-compliant.
9. Missing the 60-Day Deadline for Issuing Breach Notifications
When a data breach occurs, you’re required to notify all affected patients without unnecessary delays. If you fail to provide notifications within 60 days of the discovery of a data breach, you’re in violation of the HIPAA law.
Regularly monitor your security log so you can catch any security breach and send out notifications in a timely manner. In addition, implement a procedure for handling data breaches and providing notifications so you can react quickly.
10. Unauthorized Access of Patient Records
Sensitive patient information in your system could be inadvertently seen by personnel who isn’t authorized to access the data. Whether the PHI was obtained intentionally or came across accidentally, you’re in violation of HIPAA regulations.
To avoid unauthorized access to PHI, enforce access control to any application that handles sensitive patient information so only employees who have the right credentials can view and/or edit the information. This also allows you to track access, in the event that a data breach investigation is required.
While staying HIPAA-compliant can be quite a complex undertaking, it’s important to invest in the resources so you can properly safeguard your patients’ information, maintain their trust, and avoid incurring hefty fines.
Thankfully, you can now work with many HIPAA-compliant third-party vendors that offer services to support the operation of a medical practice, such as billing and invoicing, so you can adhere to the regulations without having to implement costly infrastructure or dramatically increasing your overhead.
Michael Bell is the Chief Marketing Officer for MailMyStatements. Mike is a dynamic, innovative thinker, a healthcare technology advocate, a consumer, a patient, and an avid golfer.
Follow him on Twitter!