We discussed in a prior post what exactly HIPAA (Health Insurance Portability and Accountability Act) is and how HIPAA regulations can affect your practice. Much of what goes into being HIPAA compliant comes down to common sense and being proactive in protecting patients’ protected health information (PHI). With that in mind, it’s important to know how to avoid common violations and potentially heavy fines and court settlements.
Common HIPAA Violations
1. Lost or Stolen Devices
This is probably one of the easiest ways to draw a HIPAA violation. The average American owns roughly three connected devices (including mobile devices), not counting devices supplied by their employer. While for most employees losing a work device can result in a tongue lashing from IT, for healthcare providers, losing a device with PHI can result in major trouble. While lost and stolen devices have resulted in some major settlements, healthcare companies could protect themselves by using HIPAA compliant encryption to lessen or eliminate violations.
2. Unsecured Records
The fines for unsecured patient records can be substantial. This is understandable as record security for covered entities is the basis for the existence of HIPAA. While the violation itself is pretty straightforward, so is avoiding it. Paper PHI should be stored in filing cabinets under lock and key. Similarly, electronic files need to be protected. Keep devices under lock and key and protected with complex passwords to comply with HIPAA privacy.
RELATED: Not Having Email DLP Leads to 90,000 Patient Records Breached
3. Dishonest Employees
It is a straightforward task to manage paperwork and digital files. The human element, on the other hand, can be quite unpredictable – especially with identity theft or fraud being as prevalent as jaywalking. Medical records are a prime source for sensitive patient information that can be used to steal a victim’s identity including social security numbers, addresses, family members and financial information. Avoiding a dishonesty violation ultimately comes down to hiring discerningly and monitoring staff closely.
While hacking may be considered an inevitable risk for a world that grows ever more dependent on sharing and storing information digitally, not taking all the proper and available steps to avoid becoming a victim of a data breach simply ensures the worst case scenario. Complex passwords, firewalls, updated software and anti-virus programs and encrypted data transfers are the easiest way to avoid being a victim of stolen medical information or unauthorized access.
READ MORE: 5 Business Best Practices for Email Security
5. Improper Disposal
Maintaining medical records is only half the job. Making sure that patient information and patient data are disposed of in a manner that they cannot be retrieved by ne’er do wells is extremely important. Shredding documents, and securely deleting devices that have a hard drive (don’t forget your office printer) are an absolute must when it comes to maintaining document integrity and keeping private health information private.
6. Unauthorized Disposal
This violation is a more common occurrence when the patient is a person of note. Leaking PHI to the media can be an easy way for someone to make a sizable sum of money quickly. Bottom line, if a patient hasn’t signed an authorization form, their medical status had best stay under lock and key. Medical staffs also need to be careful not to leak PHI verbally or through social media either. Even passing conversation about a patient’s history is a violation of HIPAA code, especially if you consider how a little gossip can spread like wildfire. Remember that while it’s fun to have the cool story at the water cooler, it’s not worth having to pay a six figure settlement.
7. Third Party Disclosure
This is your good old fashioned “guilt by association” statute. Most every medical practice will have to subcontract at some point. Thanks to HIPAA’s Common Agency Provision, your subcontractor’s violations are your violations as well when it comes to any patient health information that you supply that they let slip through the cracks. For this reason, business associate contracts are a key component to protecting PHI shared between healthcare practices and their vendors. Before you agree to contract a third party service, make sure to review their compliance plans and their privacy policies. It could cost you your practice. Ultimately, avoiding HIPAA violations requires a certain amount of diligence. Performing regular HIPAA compliance checks is key to avoiding violations as well as following general best practices and monitoring workflows to prevent mistakes. To help make things easier, be sure to use technology to your advantage to secure your workflows and make your practice more efficient and profitable. Services like Paubox Email Suite can help you increase efficiencies. One customer saw a 50% improvement in their email workflow after switching to Paubox. Paubox Email Suite Premium adds on Next Layer Security and can prevent unauthorized disclosure of PHI.