Is Your Company Doing Enough to Prevent These Ten Common HIPAA Violations?
If your organization is like most, technology is the backbone that keeps everything running smoothly on a daily basis. However, that reliance on technology can also lead to HIPAA violations. In this blog post, we will explore ten of the most common HIPAA violations firms run into because of technology, and share some tips you can use to help prevent them.
1. Unauthorized Intrusions (Hacking)
Hacked company systems are a major source of HIPAA violations in organizations of all sizes. Hackers’ methods are constantly changing, so it’s critical to have systems designed to prevent and detect unauthorized intrusions.
Your information security protocols should include installing software designed to scan for and detect malware, using next-generation firewalls, making sure that software patches and updates are applied promptly, and requiring strong passwords. All of these efforts can make it more difficult for cyber-criminals to access or infiltrate your systems.
2. Lost or Stolen Laptops, Tablets, Smartphones or Other Devices
No matter how careful you and your employees are, and despite the safeguards you have in place to prevent the loss or theft of your business’ data, laptops, tablets, smartphones, flash drives, hard drives or other devices are always at risk of loss or theft.
You can limit your risk of loss by encrypting data and devices (more on that in the next section), and training employees on what to do in the event a device is lost or stolen.
3. Unencrypted Data
When you encrypt electronic files, you make the data unreadable, and therefore unusable, to anyone who accesses or steals it without the key needed to decrypt it.
Encryption is an "addressable" rather than a "required" implementation specification under the HIPAA Security Rule, so the law does not flatly mandate it (you must either implement it or document why an equivalent alternative is reasonable), but the U.S. Department of Health and Human Services has levied fines against organizations that did not do enough to protect patient or customer information. Encryption also matters under the Breach Notification Rule: PHI encrypted in line with HHS guidance is not "unsecured PHI," so losing an encrypted laptop or drive generally does not trigger breach notification, provided the decryption key was not lost or compromised along with the device.
Even where the letter of the law does not require it, encrypting data at rest (on servers, workstations, laptops, phones and removable media) and in transit over networks is a simple way to protect electronic records.
4. Unsecured Physical and Electronic Records
HIPAA's Security Rule requires organizations that handle protected health information (PHI) to safeguard both paper and electronic records, including the physical security of the facilities, workstations and media that hold them.
Taking steps to ensure workers don't leave paper files out on their desks at the end of the day, making sure file cabinets and file rooms are locked and secured, and locking workstations and requiring authentication to access systems are simple ways of limiting the risk of loss.
An extreme example of an unsecured records violation occurred in 2014 when Parkview Health System, Inc. paid $800,000 to settle HHS charges after 71 cardboard boxes of patient records were left unattended in the driveway of a physician's home. Be sure everyone in the organization understands the importance of securing all records and documents.
5. Unauthorized Release of Data
Disclosing someone else's protected health information (PHI) outside the uses the Privacy Rule permits, such as treatment, payment and health care operations, or without the patient's written authorization (or the authority of a personal representative, such as a parent of a minor dependent or someone holding a valid medical power of attorney), is breaking the law.
This type of HIPAA violation is all too easy in the age of social media. Make sure everyone in your organization understands that sharing PHI in this way is illegal, and that doing so could have severe consequences.
6. Improperly Disposing of Records/Files
You probably already take steps to ensure paper records containing protected health information are shredded or incinerated rather than being thrown away or recycled, and that electronic files are securely erased (overwritten, or the media destroyed) rather than merely deleted when workers are done with them, since a deleted file is often trivially recoverable.
However, don't forget other systems and tools, such as photocopiers, printers and scanners that keep copies of every document processed on an internal hard drive. Don't make the mistake of returning a leased photocopier or scanner without first wiping or removing that drive, and apply the same rule to decommissioned servers, backup media and any other storage that leaves your control.
7. Unauthorized Employee Access
Another source of HIPAA violations is simply a bad apple in your employee ranks. Employees who are merely curious about records they have no legitimate reason to view (a celebrity, a neighbor, an ex-spouse), or who intend to misuse your patients' or customers' protected health information, can subject your company to severe fines and penalties.
Pre-screening workers can help limit your risk, as can role-based access controls that restrict employees to the records they need for legitimate business purposes (the "minimum necessary" standard), combined with audit logs of who viewed which record and regular review of those logs for access that falls outside an employee's assignments.
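The two controls above, a minimum-necessary access check and after-the-fact review of the resulting audit log, are easier to see in code. The following is an added example, not code from the original post or from Intrinium; the roles, assignment tables, access attempts and policy thresholds are all constructed for illustration and are hypothetical.

```python
"""Minimum-necessary access enforcement plus audit-log review.

Added example, not from the original post. The assignment tables, role
policy, and access attempts below are constructed sample data; the
policy names and thresholds are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class AccessEvent:
    user: str
    role: str
    patient_id: str
    action: str      # "view" or "export"
    allowed: bool
    reason: str


# Constructed sample data: which patients each user is assigned to care for.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "dr.kim": {"P1001", "P1002"},
    "nurse.ortiz": {"P1002", "P1003"},
    "billing.lee": set(),  # billing staff do not need clinical charts at all
}

# Hypothetical policy: which actions each role may perform on an assigned patient.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "physician": {"view", "export"},
    "nurse": {"view"},
    "billing": set(),
}

AUDIT_LOG: List[AccessEvent] = []


def check_access(user: str, role: str, patient_id: str, action: str,
                 break_glass: bool = False) -> AccessEvent:
    """Decide whether `user` may perform `action` on `patient_id`, and log it.

    1. The action must be permitted for the user's role.
    2. The patient must be on the user's assignment list, unless the user
       invokes break-glass (emergency access), which is allowed but flagged.
    Every decision, allowed or denied, is appended to AUDIT_LOG.
    """
    if action not in ROLE_ACTIONS.get(role, set()):
        ev = AccessEvent(user, role, patient_id, action, False, "action not permitted for role")
    elif patient_id in ASSIGNMENTS.get(user, set()):
        ev = AccessEvent(user, role, patient_id, action, True, "assigned patient")
    elif break_glass:
        ev = AccessEvent(user, role, patient_id, action, True, "break-glass")
    else:
        ev = AccessEvent(user, role, patient_id, action, False, "patient not assigned")
    AUDIT_LOG.append(ev)
    return ev


def review_audit_log(log: List[AccessEvent], denial_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {user: [findings]} for a privacy officer to follow up on.

    Flags every break-glass access (legitimate in emergencies, but each one
    needs a documented justification) and any user with at least
    `denial_threshold` denied attempts, which suggests browsing for records.
    """
    findings: Dict[str, List[str]] = {}
    denials: Dict[str, int] = {}
    for ev in log:
        if ev.allowed and ev.reason == "break-glass":
            findings.setdefault(ev.user, []).append(f"break-glass access to {ev.patient_id}")
        if not ev.allowed:
            denials[ev.user] = denials.get(ev.user, 0) + 1
    for user, count in denials.items():
        if count >= denial_threshold:
            findings.setdefault(user, []).append(f"{count} denied access attempts")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Replay a constructed sequence of access attempts and return the review findings."""
    AUDIT_LOG.clear()
    check_access("dr.kim", "physician", "P1001", "view")                      # allowed: assigned
    check_access("nurse.ortiz", "nurse", "P1002", "export")                   # denied: nurses cannot export
    check_access("nurse.ortiz", "nurse", "P1001", "view", break_glass=True)   # allowed, but flagged
    for pid in ("P1001", "P1002", "P1003"):                                   # billing user browsing charts
        check_access("billing.lee", "billing", pid, "view")                   # denied three times
    return review_audit_log(AUDIT_LOG)


if __name__ == "__main__":
    for user, reasons in run_demo().items():
        print(f"{user}: {'; '.join(reasons)}")
```

The key design point is that denied attempts are logged, not just allowed ones: a curious employee who is blocked by the access control still shows up in the review, and a pattern of denials is exactly the signal the "bad apple" scenario produces.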
8. Disclosure to Third Party Contractors or Service Providers
Most companies have contractual relationships with third parties, whether those are service providers for systems or services (who are business associates under HIPAA when they handle PHI on your behalf) or contract or temporary workers. Before entering into a contract with a third party, conduct due diligence and be confident that any third party you work with understands its obligation to keep information confidential and secure.
The HIPAA Omnibus Rule made business associates directly liable for their own violations and, under the federal common law of agency, holds you responsible for violations by business associates acting as your agents. A written business associate agreement (BAA) is required, and you should also ask providers to document how they will keep your business's and its patients' information secure.
9. Ineffective (or Nonexistent) Employee Training
HIPAA violations can occur even in organizations with detailed and thorough training programs; however, they are far more likely when the organization hasn't devoted sufficient effort to educating workers about their obligations under the law and how to meet them.
Train managers on how to protect information in their departments, but don't make the mistake of limiting training to managers or supervisors. Every employee in the organization, including those who interact directly with patients, plays a key role in upholding and enforcing your HIPAA compliance policies and procedures.
10. Unwitting Disclosure
Finally, many HIPAA violations occur simply because someone is talking shop with a co-worker in an elevator, a restaurant or any public setting without considering the possibility the conversation will be overheard.
Having employees who care about and are engrossed in their work is usually a good thing, but when they engage in discussions about patients or customers without thinking about their surroundings, your organization could face a hefty fine.
Don’t Leave HIPAA Compliance to Chance
Being aware of these common HIPAA violations and taking steps to address them can help keep your customers’ or patients’ information safe while keeping your company out of regulatory hot water.
Intrinium offers a comprehensive HIPAA audit, risk management and gap analysis strategy designed to help companies identify specific compliance gaps in their administrative, technical and physical processes and controls, and recommend remedial actions. To learn more, call us toll-free at 866.461.5099, or contact us online today.