Organizations operating in the U.S. healthcare sector must maintain HIPAA compliance to protect the privacy and security of protected health information (PHI) and electronic protected health information (ePHI).
Companies that violate HIPAA guidelines can be subject to considerable financial penalties and reputation damage. Violations are typically discovered following a data breach involving ePHI or through complaints made against an organization by its patients.
The safeguards defined by the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule must all be implemented to maintain compliance. Neglecting to enforce the administrative, technical, and physical safeguards outlined in the rules is typically the underlying cause of these violations.
This article reviews eight of the most common HIPAA violations companies need to avoid. We will use ePHI in our examples, concentrating on the measures companies need to take to protect sensitive information in their IT environments.
Failing to perform regular risk assessments throughout the organization is one of the most common HIPAA violations that result in monetary fines. The purpose of these focused risk assessments is to identify any vulnerabilities that may impact the security, confidentiality, and availability of ePHI.
The lack of risk assessments allows these vulnerabilities to persist and potentially lead to a data breach.
Organizations should conduct an annual risk assessment that addresses these HIPAA requirements:
Large financial penalties have been imposed on healthcare companies that fail to perform risk assessments. For example, in 2016, Advocate Healthcare, an Illinois healthcare network, was fined $5.6 million for failing to conduct a risk assessment that accounted for physical and administrative safeguards.
Companies must be prepared to address and manage the vulnerabilities identified during risk assessments and take demonstrable and documented actions to correct threats to ePHI. The failure to promptly address known vulnerabilities raises the stakes for violators and can result in some of the highest financial penalties levied for HIPAA violations.
Companies working with third-party IT vendors need to enter into a HIPAA-compliant business associate agreement (BAA). Failing to secure a BAA is a common HIPAA violation, and organizations should therefore work with certified vendors who will sign a BAA that defines:
Companies should not engage vendors unwilling to sign a BAA, as the consequences can be costly. In 2013, Raleigh Orthopaedic in North Carolina was fined $750,000 as a result of sharing the confidential information of over 17,000 patients with a potential business partner without first establishing a business associate agreement.
Improper disposal of medical records and PHI is a common HIPAA violation that can lead to unauthorized access and disclosure of sensitive patient information. Covered entities and business associates are required to securely and permanently destroy physical and electronic PHI when it is no longer needed and retention periods have expired.
In 2020, Wakefern Food Corp and two associated ShopRite supermarkets reached a settlement with the New Jersey Division of Consumer Affairs and NJ Attorney General to resolve violations of HIPAA and the NJ Consumer Fraud Act for improper records disposal.
The two associated ShopRite locations had "failed to properly dispose of electronic devices used to collect signatures and purchase information of more than 9,700 pharmacy customers," according to a report by Health IT Security. The settlement included $209,856.50 plus $25,143.50 for attorneys' fees and investigative costs.
Healthcare organizations should have proper policies and procedures in place to ensure the secure disposal of medical records and PHI. For physical records, such as paper documents, shredding is one option to make them unrecognizable when disposed of.
For digital records, companies can use methods such as disintegration, pulverization, melting, or incineration of the storage media to ensure that no recoverable copy remains.
Healthcare organizations are required to provide patients with timely access to medical records, and failure to furnish access to patient records or overcharging for copies is a violation that can incur financial penalties.
Additionally, access to patient data, including any requested copies, must be provided within 30 days of the request. Wait too long, and you could be on the receiving end of a fine. In early 2023, Life Hope Labs was fined $16,500 after a deceased patient's family waited six months for their loved one's medical records.
Companies must have procedures in place to address patient requests. The procedures must be secure and ensure that only the designated patient or other authorized persons can access the information.
The HIPAA Security Rule mandates that organizations take the necessary measures to protect ePHI from unauthorized access. Violations discovered after a data breach often involve insufficient access controls that put health information at risk.
Failure to prevent unauthorized access to ePHI is a common HIPAA violation, and companies must take multiple steps to avoid this type of violation.
The key takeaway here is that a patient’s medical records should never be accessed by or provided to anyone who lacks the proper authorization. For example, there have been a number of instances where the medical records of celebrities have been accessed and then made public by personnel at medical facilities.
In one such case, the UCLA Health System in California was fined $865,000 after staff inappropriately accessed the medical records of a number of celebrities and public figures, including Britney Spears and Maria Shriver, who was the state’s First Lady at the time.
Security breaches must be reported within a 60-day deadline. Notification must be made to all required parties, including the individuals whose data was affected and the U.S. Department of Health and Human Services (HHS). Failure to meet this deadline results in a violation of the Breach Notification Rule with associated financial penalties.
This is a common violation that can be avoided by making timely notification when a data breach occurs. Delaying the process will result in greater fines due to the additional violation.
Presence Health of Illinois was fined $475,000 in 2017 for failing to report one such breach within 60 days. In this case, the organization became aware of the loss of documents detailing the confidential medical records of 836 patients on October 22, 2013, but did not report it until January 31, 2014, a delay of more than 3 months.
The HIPAA Security Rule is designed to protect ePHI in an IT environment, and failing to implement adequate safeguards to secure ePHI is a common violation of HIPAA guidelines.
The following are some examples of inadequate safeguards that can lead to violations:
Data loss protection plays a critical role in any organization, but this is especially true within the health industry, where potentially crippling fines are enforced in response to violations.
In 2013, Banner Health of Arizona found itself with a $1.25 million settlement and a two-year corrective action plan. This was in response to a hacking incident seven years earlier that resulted in the health information of nearly three million people being exposed.
The theft or loss of devices (work or personal devices) containing patient health information also poses a significant risk for exposing ePHI. Mobile devices, such as smartphones and tablets, are particularly vulnerable to theft and misplacement due to their smaller size and portability.
Device theft is often the result of poor physical security and a lack of device policies within healthcare institutions. To mitigate this risk, institutions should provide employee training on proper device handling and storage policies, ensure physical device security, implement device encryption, and use device tracking software.
Employee training on HIPAA regulations and compliance is not just a recommendation, but a requirement under HIPAA. All staff members who come in contact with PHI must be thoroughly trained on HIPAA requirements, as well as on the specific policies and procedures set forth by the organization.
For instance, Athens Orthopedic Clinic PA in Georgia experienced a hacking incident in 2016. The actors successfully exfiltrated data and attempted to extort the organization. When Athens Orthopedic failed to comply with the monetary request, the actors leaked the ePHI of 208,557 patients online.
Among other violations, such as a failure to conduct a risk analysis and implement effective risk management procedures, the HHS Office for Civil Rights (OCR) found that employees had not been provided with adequate training on the HIPAA Privacy Rule. Athens Orthopedic settled with OCR for $1,500,000.
By providing comprehensive training, organizations can ensure that employees understand their responsibilities in safeguarding PHI and are aware of the potential consequences of HIPAA violations.
Training should cover topics such as the importance of patient privacy, the proper handling and disposal of PHI, and the use of secure communication channels. Regular refresher training sessions should also be conducted to keep employees up to date with any changes in HIPAA regulations.
Solutions like the Reveal Platform by Next can help to keep employees informed about their role in protecting ePHI by providing incident-based training. When an employee attempts an action that could put ePHI at risk, Reveal automatically reminds the user of the relevant policy and recommends safe alternatives for handling the data.
Data loss prevention (DLP) software can be instrumental in promoting HIPAA compliance and avoiding expensive violations. A DLP platform specifically addresses violations stemming from insufficient access controls or protective safeguards.
Enforcing a data handling policy that protects HIPAA-regulated data ensures sensitive patient information is not misused or accessed by unauthorized individuals.
The Reveal Platform by Next leverages next-gen agents that employ machine learning at the point of risk to enforce the data handling policy and keep sensitive data secure. Attempts to use data in unauthorized or risky ways are restricted, and the user is presented with an informative message describing their mistake.
Reveal helps your organization maintain HIPAA compliance and protect ePHI.
Schedule a demo with the DLP experts at Next to discover the benefits Reveal provides for HIPAA compliance.
The types of physical safeguards required to protect ePHI include:
Companies can perform HIPAA risk assessments using in-house teams or qualified and certified third-party assessors. Large organizations often have internal audit and assessment teams that can fulfill this role, while smaller organizations may benefit from engaging outside help to ensure compliance.
In both cases, it is critical to document any vulnerabilities identified and the measures taken to address them.
The results of HIPAA risk assessments need to be addressed promptly to protect patient data and avoid additional fines for violations. Ignoring the results of an assessment is considered “willful neglect” and typically results in larger financial penalties than if the issues are mitigated. Companies are expected to fix any vulnerabilities related to ePHI as soon as they are identified.