Signed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding medical information. Essentially, if you’re handling, transmitting, in possession of, or responsible for any health records, you’re going to need to be in compliance with HIPAA.
Regulation around HIPAA is strict and specific. However, what happens if HIPAA guidelines aren’t followed to the letter?
It’s important to know what constitutes a HIPAA violation for the sake of personal data.
Did you know that there are stiff penalties and fines for a violation? A breach could also destroy your business and your credibility within the healthcare community.
Who Needs to Worry About HIPAA Compliance?
The short answer is that everyone within the healthcare industry must be compliant. Anyone handling PHI must receive proper authorization and commit to full HIPAA compliance. HIPAA’s prime directive is to protect individually identifiable health information and to become the standard for the healthcare industry.
The standards are in place to protect both sides of the information: the patient and the establishment. A violation, and the poor public reputation that can follow it, could be disastrous. Being aware of your requirements and standards is essential. If the guidelines aren’t followed, HIPAA violation penalties can be assessed.
Organizations are required to secure all information and data on-site according to all relevant guidelines. They are also expected to remain compliant with their vendors and service organizations, known as Business Associates (BA). The secure sharing of protected electronic medical records is vital to providing quality medical care.
The intersection between healthcare professionals and the IT/Security industry means that many teams are working tirelessly behind the scenes to remain HIPAA compliant.
Here is a sampling of situations where HIPAA compliance is necessary at all times:
- IT vendors that access hospital information systems (containing patient data) to install, update and maintain malware protection and other security services.
- Organizations that hire outside cleaning, security or HVAC services. These unauthorized personnel could view unattended documents and/or enter computer rooms.
- Software companies that locally host programs that use or process Protected Health Information.
- A consultant granted local network access to PHI records to review compliance, quality or competitive metrics.
- Healthcare organizations that are instructing and monitoring BAs that handle PHI.
- A local or international data center or HIPAA web hosting company that has a focus on compliance for many regulations.
What Constitutes a HIPAA Violation?
You and your team have all of the HIPAA pieces in place: you’ve studied up on the rules, regulations, and implementation, and even spoken to your external vendors. But what happens if you think you have missed something and you’re concerned about a violation? What do you need to know, and what do you have to watch out for?
As long as you’re vigilant and detailed, you should be able to avoid some of the most common HIPAA violations:
- Sending texts containing PHI.
- Improper mailing or emailing of PHI.
- Failure to monitor and maintain PHI access logs.
- The omission of a HIPAA-compliant Business Associate (BA) agreement with vendors before allowing access to the information system containing PHI.
- Accessing patient information on a personal device or home computer.
- Inadequate limitations, or none at all, on who may view PHI.
- Failure to remove access authorization from employees who no longer have a reason to access PHI.
- Poor training to ensure that employees understand the many HIPAA requirements and guidelines.
- Lack of documentation of HIPAA compliance efforts.
Lost or Stolen Devices
Professionals in the healthcare industry often travel for work to attend security seminars and conferences. A smartphone, tablet, or laptop is a prime target for theft when left unattended.
A physician or hospital administrator has access to PHI. Therefore, if their device is lost or stolen, it is a direct violation of HIPAA. It is vitally important to keep track of your mobile devices. It’s also worth having remote-wipe systems in place in case a device goes missing.
Employee Disclosure of PHI
Employees must understand that discussing a patient’s condition, medications, or any personal data with co-workers or friends is a direct violation of HIPAA regulations.
Employees must also remain mindful of their environment when discussing a patient with authorized colleagues. Take extra care when discussing anything about a patient.
Improper Disposal of Medical Records
Employees must physically shred all records before placing them in the trash or recycling bin.
Electronic information that is deleted must be tracked and logged.
When in doubt, employees should seek the advice and training of their IT or compliance team to properly dispose of PHI records.
Mishandling of Records
Photocopiers are a high-risk zone for mishandling of PHI.
Most photocopiers feature a storage drive that saves and collects a document to let an employee retrieve it at their desk or re-print it at a later time.
If the person creating the resulting document forgets to close their session, the following employee
Failure to Conduct a Risk Analysis
The HIPAA Security Rule and the HHS mandate that healthcare organizations perform a risk analysis. The risk analysis helps organizations discover opportunities and vulnerabilities in their computing system.
If the results indicate issues with confidentiality, integrity, and availability of electronic PHI held by the healthcare organization, the organization may correct the issue.
Left uncorrected, the findings may result in HIPAA violations. There are various examples of such violations, illustrating the possible impact on healthcare organizations.
HIPAA Penalty & Fine Structure
What are the consequences of violating HIPAA?
There are four tiers of HIPAA violations:
- Tier 1. Lack of awareness where a covered entity or individual was unaware that the act in question was a violation. Fines start at $100 and go up to $50,000 per violation, topping out at $1.5 million each year.
- Tier 2. Reasonable cause to believe the individual or entity knew about the rule or regulation. Issues at this tier are considered a lack of due diligence. The fines range from $1,000 to $50,000 per violation. The maximum fine is $1.5 million per year.
- Tier 3. The HIPAA violation was performed with willful neglect. The party then corrected the violation within the required time period of 30 days after discovery. Fines at this tier start at $10,000 and go to $50,000. The maximum penalty is $1.5 million per year.
- Tier 4. At this tier, the violation was made with willful neglect of HIPAA Rules. Further, the entity made no effort to correct the violation. There is a standard $50,000 fine per violation at this tier with a maximum fine of $1.5 million each year.
There are also criminal penalties for HIPAA violations and potential jail sentences:
- Unknowingly or with Reasonable Cause. The person may receive a jail sentence of up to one year.
- False Pretenses. The person may receive a jail sentence of up to five years, and the fine increases to $100,000 per violation.
- Personal Reasons or to Commit Fraud or a Crime. Malicious intent, such as data breaches, may lead to a jail sentence of up to 10 years and a fine of up to $250,000 per violation.
As you can see from the HIPAA fines chart, the penalty structure for violations can act as a strong deterrent for healthcare organizations.
Recent HIPAA violation cases reported by federal law enforcement include:
- Memorial Healthcare System received a fine of $5,500,000 in 2017
- Children’s Medical Center of Dallas incurred a penalty of $3,200,000 in 2017
- Advocate Health Care Network’s violation warranted a $5,500,000 fine in 2016
How Are HIPAA Violations Uncovered?
The most common way that HIPAA violations are uncovered is through internal compliance audits performed by HIPAA-covered entities.
From an internal perspective, risk analysis is a powerful tool in discovering issues with HIPAA compliance. Risk analysis audits give organizations a chance to identify the violation source and correct it before an inspection takes place.
Employees often self-report when accidentally committing a HIPAA violation.
Finally, the Department of Health and Human Services Office for Civil Rights (OCR) may receive a direct complaint or tip on a potential HIPAA violation.
If a HIPAA Privacy Rule violation has occurred, it is a safe bet that it will be uncovered sooner rather than later. It’s best to abide by all guidelines and regulations to avoid any issue.
Preventing HIPAA Violations
There are a few key steps to staying informed and preventing HIPAA violations:
- Develop a strong PHI policy for employees that reflects current HIPAA rules and regulations. Review and update this policy regularly, as HIPAA regulations change over time.
- Make sure all BAs sign the necessary PHI agreement.
- Perform regular audits of security systems and procedures.
- Hire an auditing team to perform the appropriate risk assessment to identify and correct potential security risks.
- Regularly monitor HIPAA compliance updates and changes.
With these steps in mind, you can avoid steep HIPAA violation fines.
Avoid Risking Compliance Fines and Penalties
The more you know about HIPAA guidelines and regulations, the better your organization will be when it comes to remaining compliant. The last thing you want is to unknowingly (or knowingly) walk into a situation where you’re handed an avoidable violation and face a large fine.
The most important tool at your disposal is information. With the right strategy and training, your organization can stay on track for complete and consistent HIPAA compliance.