U.S. Health and Human Services’ (HHS) HIPAA, the Health Insurance Portability and Accountability Act, protects the rights and privacy of patients. Healthcare covered entities (CEs) must follow this set of regulations and standards or face a HIPAA violation if found noncompliant. Let’s take a closer look at this accountability and how to avoid HIPAA violations.
What is a HIPAA violation?
A HIPAA violation under the privacy rule occurs when a CE (or a business associate (BA)) does not properly safeguard its protected health information (PHI). HIPAA compliance (i.e., not committing a violation) is about reducing the risk of a breach to an appropriate and acceptable level with security measures such as HIPAA compliant email.
SEE RELATED: The Complete Guide to HIPAA Violations
And a breach can be due to either negligence or an accident. While both are likely to result in a fine, a breach does not automatically mean a violation (as long as a CE demonstrates its due diligence). But if a violation does occur, depending on the outcome of the HHS Office for Civil Rights’ (OCR) investigation, fines can be $100 to $1.5 million along with possible jail time.
Common HIPAA violations
HIPAA compliance is much more complex today than in the past. Of the 144 January–June 2016 OCR Breach Portal incidences (4,544,119 affected individuals), only 44 (30%) were hacking/IT-related. Most (42%) were from unauthorized access/disclosure; only 21 (15%) were email breaches.
SEE RELATED: 7 Common HIPAA Violations You Need to Avoid
Since then, hacking/email incidences have increased drastically. For January–June 2020, the OCR portal lists 196 PHI breaches (4,538,867 affected individuals). And of these, 60% are from hacking/IT incidents, followed by unauthorized access/disclosure (23%), theft (8%), improper disposal (6%), and loss (4%). The majority were email (45%) or network (22%) breaches. On June 15, Becker’s Hospital Review listed 10 common reasons for HIPAA violations:
- Employee email phishing attacks
- Malware and ransomware attacks on networks
- Medical records snooping
- Improper disposal of medical records
- Theft of medical records
- Non-compliance third-party BA agreements
- Downloading PHI on unauthorized devices
- Medical records exposed during natural disasters
- PHI accidentally posted online
- Loss of medical records
While not in any specific order, the list is comparable to the portal’s breakdown. In other words, phishing/malware is currently a major cause of breaches and HIPAA violations.
So how can you avoid a HIPAA violation?One of the easiest ways to avoid a HIPAA violation is by focusing on compliance and risk analysis reviews that help discover breaches before they cause damage or are identified by OCR. And beyond these necessary analyses, every CE must implement a compliance program that eliminates as much risk as possible in order to block and uncover almost every actual, possible, and probable breach. A good compliance plan should include (but not be limited to):
- Employee awareness training
- Policies/procedures on work/personal device use
- Access controls
- Inbound/outbound email security
- Separate networks for sensitive data
- Offline data backups
- Policies/procedures for data disposal.
In short, avoiding a HIPAA violation means actively and continuously finding the right combination of security features, for an organization and its patients.