Top 10 HIPAA violations and how to prevent them
According to the Federal Register, HIPAA violations can reach as high as $50,000 per occurrence, with a maximum annual penalty of $1.5 million per violation. And some violations are also treated as criminal charges that result in serious jail time.
“The biggest challenge presented by HIPAA is to accurately and consistently protect individuals’ privacy without crippling your business,” said Christopher Fuller of TechRepublic.com. “That being the case, the best technologies available would be those that allowed you to share exactly the right information.”
So here are the top 10 violations of HIPAA and how to prevent them (better safe than sorry):
- Unsecured medical records:
Protected Health Information (PHI), whether in the form of physical or digital files, should be kept in a secure location at all times. Physical files should be placed in a well-secured and locked in drawers or folders when not in use, cover charts when faxing records so patient names and data are not visible, and avoid leaving open charts in examining rooms. Digital files should be well-encrypted and password-secured, with a high level of security.
- Lost or stolen devices:
Stolen or lost devices containing protected health information, including smart phones, laptops, tables and other electronic devices, should be all kept in a well-known secured location and that they are password protected & securely encrypted. Make sure all portable devices are accounted for on a daily basis, as they are the most vulnerable to loss or theft due to their small in size.
Hacking is the major and most important threat when it comes to HIPAA violation, so it’s important to make sure all of your digital data is proactively secured. All devices must have active firewalls and updated antivirus software installed to guard against malicious software. Change passwords frequently and make sure you use complex and hard-to-guess password combinations. Limit e-mail transmissions of protected health information only when necessary and always through secured channels. Create back-ups of all disks containing PHI and store them on a HIPAA compliant cloud server. It’s been found that using secured cloud servers to be safer than localized servers and paper documents, according to the US Department of Health and Human Services.
- Unencrypted data:
Data encryption, even though not required by HIPAA, is a very important step for all physicians and healthcare centers to apply, as it adds a high level of protection when sharing PHI or even in case a device containing PHI got lost or stolen. It’s also important to make sure any third parties associated with your practice are properly following HIPAA standards as well.
- Lack of training:
It is required by HIPAA that all employees handling protected healthcare information and performing health plan administrative functions are trained on HIPAA requirements and safeguards in addition to individual practice policies. So make sure to provide an up-to-date training and seminars to all employees.
- Employee sharing of PHI:
Different level of security clearance should be assigned to different employees, as role-based security prevents accidental sharing of private information that does not pertain to their specific duties. It’s highly recommended to use single sign-on systems, like voice recognition and fingerprint detection, to prevent unauthorized access and to make sure employees and staff members do not share passwords between each other.
- Illegal file access:
Closing computer programs containing protected healthcare information when not in use can help prevent unauthorized data access, and applying management systems with automatic time out settings can help ensure that. Employees must be made aware that by discussing or sharing patient information as a favor to friends, relatives or other co-worker, out of curiosity or spite, they are violating HIPAA and will be subjected to high fines and possibly jail time.
- Improper record disposal:
Proper disposal of PHI is a crucial step to ensure HIPAA compliance. Improper disposal of confidential records could result in unauthorized sharing of patient information which is considered a HIPAA violation. Make sure all physical and digital media containing PHI are correctly disposed like shredding papers, and destroying and wiping all data from local hard drives and online servers.
- Unauthorized information release:
Releasing confidential patient information concerning individuals, public figures or celebrities to unauthorized family members, friends or the media, is considered a HIPAA violation. This information is only allowed to dependents and those with Power or Attorney (POA).
- Home computer access:
Using personal computers or laptops to access patient records after work hours could result in an accidental unauthorized sharing of information; For example, viewing of the PHI by a family member on an open screen. So make sure screens are turned off when not in use and out of sight, as well as, using password protection that is not shared with other family members.