The Office for Civil Rights (OCR) is increasing its Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts, so covered entities should be aware of the most common HIPAA compliance violations. In 2016, OCR collected a record-setting $23 million in HIPAA settlements and penalties, greatly surpassing the previous record of $7.4 million in 2014. So, whether you're a primary care physician, surgeon, dentist, health care specialist or any other covered entity, you should avoid the following 7 HIPAA compliance violations.
1) Lost or Stolen Devices
Lost and stolen devices are the leading cause of reported breaches of Protected Health Information (PHI) affecting 500 or more individuals. Under HIPAA, covered entities are required to implement administrative, physical and technical safeguards to prevent unauthorized access to PHI. If e-PHI is stored on a laptop, smartphone or removable drive, those safeguards (device encryption, a screen lock, the ability to wipe the device remotely, and an inventory of which devices hold e-PHI) must cover the device itself, not just the office network.
In 2014, Concentra Health Services agreed to pay more than $1.7 million to settle HIPAA violations stemming from a single stolen laptop containing unencrypted Electronic Protected Health Information (e-PHI). Concentra's own earlier risk analyses had already identified the lack of encryption on its devices as a critical risk. After its investigation, OCR concluded that Concentra had failed to remediate and “manage its identified lack of encryption,” and had not documented why encryption was not reasonable and appropriate. The lesson is that a risk you have identified and then left open is treated more harshly than one you never found.
2) Improper Disposal of PHI
Whether paper or electronic, you must dispose of PHI in a manner that makes it indecipherable and unrecoverable. Tossing a patient’s medical file in the trash, for instance, isn’t going to cut it. There have been dozens of cases in which the OCR has cited covered entities for improper disposal of PHI.
In 2015, Cornell Prescription Pharmacy agreed to pay $125,000 for improper disposal of PHI. Investigators determined the pharmacy had left documents containing PHI in an unlocked, publicly accessible dumpster. Earlier, in 2009, CVS — the largest pharmacy chain in the United States — agreed to pay $2.25 million as part of a resolution agreement for tossing PHI in publicly accessible dumpsters.
So, what methods of PHI disposal are acceptable under HIPAA? HHS doesn’t require any specific method of disposal. Rather, it allows covered entities to choose their own methods, as long as the method renders the PHI unreadable, indecipherable and impossible to reconstruct.
Acceptable methods of disposal for e-PHI include clearing the media (overwriting it with non-sensitive data using software or hardware), purging it (degaussing, i.e. exposing magnetic media to a strong magnetic field), or physically destroying the media (shredding, pulverizing, melting or incinerating). Note that degaussing does nothing to solid-state drives, which should be overwritten, cryptographically erased or destroyed instead. For paper PHI, acceptable methods of disposal include shredding, burning, pulping or pulverizing. Whatever method you choose, document it in your disposal policy and keep a record of what was destroyed and when.
3) Non-HIPAA Compliant Cloud Service Provider
Cloud computing and cloud storage services have become increasingly popular among professional healthcare providers. Rather than storing patient data locally, they can store it on a remote server (the cloud). This mitigates the risk of lost data, while also allowing workers to access it from any Internet-connected computer.
But if you’re thinking about partnering up with a cloud service provider (CSP), you should choose one that’s willing to operate as a HIPAA business associate. The Department of Health and Human Services (HHS) requires a covered entity to enter into a business associate agreement (BAA) with any CSP that creates, receives, maintains or transmits PHI on its behalf, and HHS has made clear that this applies even when the CSP stores only encrypted data and never holds the decryption key. If the CSP isn’t willing to enter into a BAA, you cannot transfer or otherwise give it access to your practice’s PHI. Be aware that HHS does not certify CSPs as “HIPAA-compliant”; that label is the vendor’s own claim, so a signed BAA plus a review of the provider’s security controls is what actually matters.
4) Not Conducting Regular Risk Analyses
As part of the HIPAA Security Rule, covered entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of their e-PHI. Also known as a risk assessment, it’s intended to identify where e-PHI lives, what could go wrong with it, and how likely and how damaging each of those outcomes would be. It is the single most frequently cited deficiency in OCR settlements.
In 2016, Advocate Health Care agreed to a $5.55 million settlement, in part for failing to conduct accurate and thorough risk analyses covering all of its e-PHI. Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI) was also cited in 2012 for failure to conduct regular risk analyses — among other violations — for which it paid $1.5 million.
Some of the elements OCR expects to see in a risk analysis include:
• Scope: where e-PHI is created, received, stored and transmitted (servers, workstations, laptops, phones, backups, cloud services)
• Documentation of potential threats and vulnerabilities
• Assessment of your practice’s current security measures
• Likelihood of each threat occurring
• Potential impact if it does occur
• Resulting level of risk for each threat-vulnerability pair
• Finalized, dated documentation of the analysis, with periodic review and an update whenever the environment changes
5) Unencrypted Data
Encryption is a tricky subject in regards to HIPAA compliance. Neither the Security Rule nor any other Rule flatly requires covered entities to encrypt their e-PHI. Nonetheless, failure to do so is a common finding in breach investigations and a frequent basis for penalties.
Encryption is an “addressable” implementation specification. That does not mean optional: a covered entity must implement it if it is reasonable and appropriate, and if it decides not to, it must document why and implement an equivalent alternative measure where reasonable and appropriate. Here’s the thing: for data on portable devices, encryption will almost always be reasonable and appropriate, as it renders the data unusable without the decryption key. If you lose a laptop containing properly encrypted e-PHI, the risk of an unauthorized user accessing the data remains low; under HHS guidance such data is considered “secured,” so the loss does not count as a reportable breach. But if you lose a laptop with unencrypted e-PHI, you have a reportable breach and, as Concentra’s case shows, likely a penalty. Note that encryption only helps if the key is not on the same device in the clear: full-disk encryption unlocked by a strong login password or a hardware key store is the usual answer.
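As an added example that is not part of the original article, the following Go program shows what “unusable without the decryption key” means in practice using the standard library’s AES-256-GCM. The patient record is constructed sample data, and the key handling is simplified: on a real device the key would be held by the operating system’s key store or a TPM and unlocked at login, never stored beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed e-PHI record for this example, not real data.
var sampleRecord = []byte("MRN 000123 | DOE, JANE | DOB 1970-01-01 | Dx: hypertension")

// newKey returns a fresh random 256-bit key. Simplified for the example: in a
// real deployment the key lives in the OS key store or a TPM, not next to the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce so the nonce travels with the data.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open decrypts a blob produced by seal. A wrong key or any modified byte fails
// GCM's authentication check and yields an error rather than garbage plaintext.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksPlaintext reports whether any 8-byte window of the plaintext appears in
// the stored blob. For a correctly encrypted record this is false.
func leaksPlaintext(blob, plaintext []byte) bool {
	for i := 0; i+8 <= len(plaintext); i++ {
		if bytes.Contains(blob, plaintext[i:i+8]) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := newKey()
	blob, _ := seal(key, sampleRecord)
	fmt.Printf("stored on disk: %d bytes, leaks plaintext: %v\n", len(blob), leaksPlaintext(blob, sampleRecord))

	// The device owner, holding the key, reads the record back.
	pt, err := open(key, blob)
	fmt.Printf("with key: %q (err=%v)\n", pt, err)

	// Whoever has the stolen disk but not the key gets an authentication error, not data.
	otherKey, _ := newKey()
	_, err = open(otherKey, blob)
	fmt.Printf("without key: err=%v\n", err)
}
```

The point a risk analysis should capture is the last step: the thief holds the same bytes the owner does, and without the key those bytes are indistinguishable from random, which is why HHS treats the loss of properly encrypted e-PHI differently from the loss of a plain file.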
6) Unauthorized Third-Party Disclosure
Dozens of covered entities have been fined for unauthorized disclosure of PHI to third parties. Generally speaking, the Privacy Rule permits a covered entity to use and disclose a patient’s PHI without the patient’s permission only for treatment, payment or healthcare operations, and in a limited set of other situations the Rule specifically lists (for example, disclosures required by law). Disclosures outside those permissions require the patient’s written authorization, and even permitted disclosures should be limited to the minimum necessary information.
If a patient’s friend comes into your practice requesting an update on the patient, for instance, you may share information directly relevant to that friend’s involvement in the patient’s care only if the patient has agreed or been given the chance to object; otherwise, obtain the patient’s written authorization before disclosing any PHI. When deciding whether an authorization is required, it’s best to err on the side of caution and obtain one.
7) Not Training Employees
Another all-too-common HIPAA violation is the failure to train employees on HIPAA compliance requirements. Even if you’re familiar with the nuances of HIPAA law, perhaps your employees aren’t. HIPAA requires all covered entities to train every member of their workforce on the practice’s privacy and security policies, and to document that the training took place. Failure to provide this training could leave you subject to fines and other enforcement penalties.
Employee training isn’t a one-time requirement, either. Under HIPAA, covered entities must train existing employees, train new employees within a reasonable period after they join, retrain staff when policies or procedures change materially, and provide periodic refresher training and security reminders. There’s no required interval for refresher courses, though most healthcare organizations train their employees annually.
As a covered entity, you should be aware of these HIPAA violations, so you aren’t slapped with a fine and corrective action plan.