Health Insurance Portability and Accountability Act (HIPAA) compliance is mandatory and violations can add up to $1.5 million.
As of March 31, 2021, the Office for Civil Rights (OCR) had settled cases amounting to over $135 million. HIPAA violations run the gamut from snooping out of idle curiosity to malicious data breaches. The American Dental Association outlines some of the steps needed to be compliant, including:
- Appointing a HIPAA Privacy official
- Appointing a HIPAA Security official
- Reading and understanding all of the HIPAA requirements
- Creating a HIPAA compliance team and delegating tasks
- Performing regular risk assessments
- Devising policies and procedures
- Training workforce members
- Maintaining compliance
Let’s consider the most common HIPAA violations identified by the Department of Health and Human Services (HHS), the penalties, and actions you can take to ensure compliance.
Impermissible Uses and Disclosures of Protected Health Information (PHI)
In October 2019, the OCR collected $10,000 from Elite Dental Associates following a case that involved multiple disclosures of patients’ PHI on the online review site Yelp.
The issue was first brought to the authority’s attention in June 2016, when the OCR received a complaint from an Elite patient, claiming Elite had publicly disclosed her protected health information when responding to her Yelp review of the practice. The following investigation found that not only had Elite disclosed the patient’s name, details of her health condition, treatment plan, insurance, and cost information, but also that it was not the first time Elite had disclosed PHI without authorization on Yelp when responding to patient reviews.
This example goes to show how easily HIPAA violations can happen due to a lack of employee training. Your staff must be well trained on HIPAA regulations, and you must have adequate policies and procedures in place relating to PHI and its disclosure on social media and other public platforms.
As OCR Director Roger Severino puts it: “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
Lack of Safeguards of PHI
One benefit of going paperless is the reduced risk of paper patient files falling into the wrong hands. Patients detest waiting in the waiting room and don’t realize that the doctor has administrative tasks to do, such as entering patient details into the system.
If a workstation is left unattended and there are no measures to secure it, anyone can access patient information. For that reason, the Office of the National Coordinator for Health Information Technology has provided guidelines for physical safeguards to prevent breaches. They include:
- Facility access controls and alarms to ensure that only authorized personnel have access to the facilities that house systems and data
- Workstation security measures such as computer monitor privacy filters to guard against theft and restrict unauthorized access
- Workstation use policies to ensure the appropriate use of workstations.
Lack of Administrative Safeguards of ePHI
In October 2020, the Cedar Springs Hospital provided a copy of selected patient data to a Colorado Health Department Surveyor. Unfortunately, the Surveyor lost the device used to store this information. Had the information on this device been encrypted, there would be no need to report unless the encryption key had also gone missing.
Unfortunately, the information was not encrypted and the hospital found itself in a fix. Even when passing data to authorized persons, things can still go wrong. That’s why HIPAA was updated in 2013 with specific requirements on the handling and storage of ePHI.
Some states explicitly require PHI to be encrypted. Those that don’t still require a similar measure to ensure that the patient cannot be identified. Using pseudonyms, for instance, is an acceptable way to maintain the patients’ anonymity.
The methods used to transfer information can also introduce vulnerabilities, especially when dealing with large files. You can mitigate this by ensuring that the software you use is HIPAA compliant.
Lack of Patient Access to Their PHI
The OCR made it its objective to ensure compliance with this regulation in 2019. The regulation entitles a patient to a copy of their health records within 30 days of making the request.
Furthermore, practitioners are restricted from overcharging patients for the copies.
In 2019, Banner Health, an Arizona-based healthcare provider, was fined $200,000 for violating this regulation. Patients reported that they had to wait several months to receive copies of their health records.
In this case, it is vital to have a clear policy and procedure for handling such requests. With the crackdown on violators, the OCR doesn’t take complaints about the privacy rule lightly.
HIPAA compliance is a continuous exercise that requires regular review of vulnerabilities. At Central Data Storage, we are well versed in HIPAA requirements and understand the impact of our actions on our clients’ businesses. For example, our file sharing solutions ensure that your data is encrypted and safe from unauthorized access while in transit.
All our other data storage services are also HIPAA compliant. Furthermore, we understand the need for a business associate agreement, which is a vital component of HIPAA compliance.
If you’d like to know more about how we can help you remain HIPAA compliant, contact us for a free backup and recovery data assessment.