What Is a HIPAA Violation? (IT Perspective) | Complete Network

Avoid reputational loss and fines by keeping your technology and staff aligned with healthcare’s most important compliance standard.

The Healthcare Information Portability and Accountability (HIPAA) Act helps protect the confidentiality of patients by ensuring that their providers take every reasonable step to keep their personal health information (PHI) secure and private.

But unlike other major regulatory compliance standards, HIPAA allows for a degree of interpretation. That open-endedness makes achieving and maintaining HIPAA compliance a significant challenge for many providers, who struggle to preserve the confidentiality and integrity of personal data.

What is a HIPAA violation, then? HIPAA is violated whenever personal health information is exposed to an unauthorized party. In the era of near-pervasive reliance on technology, the number of violations has steadily increased, as small and midsized healthcare providers struggle to keep their network endpoints aligned with the latest HIPAA regulations.

What Are the Most Common Violations?

There are literally hundreds of ways that HIPAA can be violated, but for the purpose of this article we’ll focus on the ones that are most likely to damage your organization.

1. Lost or Stolen Devices
Any device used in a healthcare setting should be treated as though it contains PHI, including smartphones, tablets, and thumb drives. If an unencrypted device is lost and you wish to avoid a fine, you’ll need to conduct a risk assessment and prove that it didn’t contain PHI with the appropriate documentation.

2. Improper Training
HIPAA rules stipulate that covered entities and business associates are both required to “implement a security awareness and training program for all members of its workforce.” That means going well beyond just the basics and truly preparing your staff for the rigors of modern security and compliance.

Here are some of the topics that training should include:

    1. The importance of avoiding “curiosity viewing”
    2. Smart device management, file attachment, and data sharing best practices
    3. Safe handling and storing of both digital and paper PHI
    4. Password management and digital hygiene to control online behavior

3. Unencrypted Texting, Email, or Messaging
Although encryption is considered an “addressable” requirement in the HIPAA text, that doesn’t make it optional. All data that travel beyond your organization’s firewalls must be encrypted. This is especially important when sending PHI via email across an open network, like the Internet. When in doubt, conduct a thorough risk analysis to determine which type of email encryption or encrypted messaging service best suits your organization’s workflows and goals.

4. Accessing ePHI from Personal Devices
Bring your own device (BYOD) has become a popular trend, but there are major concerns when it comes to HIPAA compliance, including unauthorized app usage, device sharing, poor authentication, and many others.

To prevent violations, you should at the bare minimum deploy a mobile device management (MDM) solution to ensure centralized management of ePHI and employee devices, enforce password management policies across all devices, and communicate that each device is subject to regular HIPAA audits.

5. Failure to Do Risk Analysis
The body of HIPAA is over 115 pages in length, which means that even organizations with an in-house compliance team may struggle to account for every change in their technology, staff, or new stipulations in the regulation itself.

Regular risk analysis is an integral part of building a culture and awareness around the importance of HIPAA compliance. It should include assessing new security measures to safeguard PHI, determining the likelihood of a PHI breach, assigning risk levels for possible threat scenarios and more. To learn more about HIPAA risk assessments, continue to this article.

6. Denying Patients Medical Record Access
Under HIPAA, patients have the right to access their medical records and put themselves in control of their health and well-being, empowering them to better manage their chronic conditions, adjust treatment courses, and contribute to their own healthcare.

But many organizations don’t have systems in place to provide patients with their medical records, billing records, enrollment information, and other forms of PHI in a way that’s considered timely and secure under HIPAA. Failure to provide PHI within a reasonable timeframe (usually 30 days) is a breach of HIPAA that can result in serious fines.

7. Improper Disposal of ePHI/PHI
HIPAA’s “Security Rule Device and Media Controls Standard” stipulates that both covered entities and business associates have policies and procedures in place to handle both the removal of ePHI from electronic media, such as hard drives, thumb drives, and disk media, as well as the destruction of PHI in paper form.

Despite the obvious nature of the problem, there continues to be a considerable number of HIPAA violations every year that are related to this category of violation. For example, the Parkview Health network in Ohio was fined over $800,000 for failure to properly dispose of PHI.

Just deleting files is not enough to stay HIPAA compliant, as even files that are overwritten could be recovered with the right software. Here are some of the steps commonly recommended to ensure proper PHI destruction.

    1. Track and catalog PHI as it moves through your organization
    2. Define methods of destroying each type of PHI, including degaussing, physical disintegration, or pulverizing digital media, and shredding for paper documentation
    3. Designate staff to handle PHI disposal tasks, such as collecting obsolete media, and define holding areas for PHI awaiting destruction

How Are HIPAA Violations Uncovered?

In the best-case scenario, you’ll discover HIPAA violations during an internal audit. Other times, managers or co-workers may notice staff violating HIPAA rules. When you discover a violation internally, the first step is to report the violation to your organization’s HIPAA privacy officer. They should determine which documentation and remediation steps you’ll need to help mitigate penalties.

If a violation isn’t discovered internally, then you risk your state’s attorney general or OCR office making the discovery. This can happen when a complaint is filed about you or one of your business associates; it could also occur as part of a regularly scheduled compliance audit. In either of those scenarios, you’re vulnerable to significant penalties.

Avoid HIPAA Violations with an Outsourced Compliance Consultant

The best way to keep your organization compliant with HIPAA is to work with an external compliance partner who has the expertise and technical skills to keep your organization compliant, like Complete Network. If you have questions about how to strengthen your HIPAA compliance program, our friendly team is ready to help. Contact us any time at [email protected] or 877.877.1840.
