10 most common HIPAA violations and solutions
Enacted into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) includes five sections detailing data privacy and security provisions for safeguarding protected health information (PHI). Failure to comply with HIPAA can result in civil and criminal penalties. If a healthcare organization is unaware that its practices led to a HIPAA violation, the minimum civil penalty is $100 per violation, with an annual maximum of $25,000 for repeat violations. The maximum civil penalty is $50,000 per violation with an annual maximum of $1.5 million.
A story that headlined national news in December 2017 detailed the lawsuit filed by nurse Jane Doe. She found out a scrub nurse photographed her private parts while she was undergoing hernia surgery at her own Washington state hospital and shared them with colleagues. Although the scrub nurse was fired, Jane Doe suffered emotional and physical consequences that ultimately led to losing her job. In a different case, a New York hospital paid $2.2 million to settle a HIPAA violation because a television crew authorized to film in the hospital did not obtain the consent of patients in the footage. While the following 10 HIPAA violations may not make national news, they are far more common than photographing patients without their consent.
Keeping unsecure PHI records: A stolen laptop with unencrypted PHI can result in a violation. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's exam room and another patient sees it. Doing so, or forgetting to log off and walking away from a computer with patient information can also cause violations. All staff members should be required to keep physical documents with PHI in a secure location at all times (e.g. locked in a desk, filing cabinet, or office). Secure passwords or passphrases should be required to access electronic information, in addition to being encrypted whenever possible. Single sign-on (SSO) and authentication management will eliminate the need to repeatedly type usernames and passwords and ensure fast and secure access to clinical and administrative applications. Identity governance ensures secure and compliant access control to patient information.
Using the wrong technologies to share PHI: Clinicians need to communicate PHI in order to provide proper care. But using unsecure technologies, like SMS messaging on mobile devices, could potentially expose that information. Clinicians should be required to use a purpose-built secure communications solution for healthcare – one that has authentication, encryption, auditing, and other security controls in place to meet HIPAA compliance and patient privacy requirements.
Improperly disclosing PHI: Employees gossiping about patients to friends or coworkers is a HIPAA violation. Conversations about patients should be restricted to private places and conservations about PHI should be conducted behind closed doors with authorized office personnel. Employee policies need to clearly detail and reinforce this issue to help prevent violations. Other ways to protect PHI and decrease the risk of violations include implementing identity access management data solutions and utilizing secure authentication methods for accessing and transacting PHI on medical devices.
Insider snooping: Closely related to the prior violation, this involves family members or coworkers looking at a patient’s medical records without authorization. Physicians often use home computers or laptops after hours to access patient information. If the screen is accidentally left on and a family member uses the computer, PHI may be disclosed. This can be prevented by password protecting computers and laptops and keeping mobile devices out of sight. Preventing this at work can be remedied by installing a single sign-on password management system.
Hacking: Many people want to access PHI for malicious purposes, therefore medical practices need to find solutions to protect against hacking. Antivirus software should be updated and active on all devices containing PHI and firewalls should be installed to add a layer of protection. Single sign-on data solutions eliminate the need to frequently change and remember complex passwords, and mitigate the risk of healthcare data security breaches. The use of a virtual desktop infrastructure (VDI) can also help to mitigate cyber risks and build a resilient infrastructure.
Simple form violations: Patients can set a date when their authorization expires, so releasing confidential records after this date would be a violation. The right to revoke clause is a statement informing patients they may legally void their approval for a covered healthcare entity to use and disclose PHI. Access to directions on how to revoke authorization must also be provided. Without this clause, any information released to a third party would violate HIPAA regulations.
Patient signature noncompliance: Authorizations must contain specifics on what information will be released and for what purpose, who will disclose and receive PHI, an expiration date or event, and a patient’s signature. If information is released without the signature, this constitutes a HIPAA violation.
Releasing the wrong patient's information: This means the patient to whom the medical record belongs did not authorize the disclosure. A patient also has the right to release only parts of their medical record. Violations of this nature are likely accidental, though this is still considered a breach of privacy subject to civil or even criminal consequences. Healthcare organizations can implement biometric patient identification solutions to securely identify patients and retrieve digital health records from any location within the health network, thereby preventing misidentification.
Releasing information to unauthorized parties: Healthcare entities can only release PHI to listed recipients, so disclosing this information to undesignated parties constitutes a violation. This can happen when medical personnel release PHI to unauthorized family members or third parties not medically involved in the case.
Improper disposal of records: Staff members need to be trained in proper disposal of records containing PHI. Any documents with Social Security Numbers, driver’s license numbers, medical procedures, diagnoses, etc., should be shredded, destroyed, wiped from the hard drive, or otherwise removed to prevent information from getting in the wrong hands.
It doesn’t matter if violations are the result of egregious human behavior, insider or outsider hacking, gossip, or unintentional human error. It is crucial for healthcare systems to implement robust data security solutions to help ensure compliance.
Sources:
https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996
https://www.hhs.gov/hipaa/index.html
http://examples.yourdictionary.com/examples-of-hipaa-violations.html
http://www.grouponehealthsource.com/blog/top-10-most-common-hipaa-violations
https://www.ama-assn.org/practice-management/hipaa-violations-enforcement
https://www.beckershospitalreview.com/healthcare-information-technology/10-common-hipaa-violations-and-preventative-measures-to-keep-your-practice-in-compliance.html
http://www.radiologybusiness.com/topics/care-delivery/long-road-compliance
https://www.healthcare-informatics.com/news-item/cybersecurity/21st-century-oncology-pay-23m-settle-potential-hipaa-violations
https://www.hipaajournal.com/scrub-nurse-fired-photographing-employee-patients-genitals/
https://www.hipaahelpcenter.com/violations/failing-to-include-right-revoke-clause