6 Common HIPAA Violations and How to Avoid Them
Even if you think you are securely protecting your patients' health information, your organization may be overlooking required HIPAA security regulations. Not only do you need to implement security for data storage, but you also need to consider safety measures when medical records are being transferred to requesters.
HIPAA violation fines can be as high as $50,000 per occurrence, so your office continually needs to be proactive about meeting compliance standards. A few seemingly small mistakes could turn into significant threats against your organization.
Here are some common HIPAA violations relating to medical records and the steps to take to avoid them:
1. Unauthorized Access of Healthcare Records
The HIPAA privacy rule states that patient health records should only be accessed for treatment, payment, and healthcare operations. However, a common HIPAA violation occurs when an employee peeks at the records of friends, family members, neighbors, celebrities, or coworkers.
Solution: Employee training is the key to preventing unauthorized access of this type. Additionally, technical access controls can restrict which records each employee is able to open. Emphasize to employees the gravity of data breaches and their role in limiting them.
2. Hacking Secure Data
Hacking is a serious threat in any industry, but especially in the healthcare world. If someone can hack into your computers, they can steal valuable information such as Social Security numbers, insurance information, private details about patients, etc.
Solution: You need cloud-based and physical security measures to prevent hackers from getting in. Start by keeping antivirus software up to date on computers and mobile devices. Add a firewall for another layer of protection. Another effective deterrent is to use strong passwords and change them frequently.
3. Improper Medical Record Disposal
Any document containing patient PHI that is no longer in use or has expired needs to be appropriately destroyed. Improper disposal, such as throwing records into an office trash can or a building dumpster, leaves patient data exposed to theft.
Solution: Search for a vendor who specializes in medical record archiving and disposal. An experienced company will detail its full-service process and how it handles unusable or expired PHI. Depending on the information format, it may be as simple as receiving a digital backup or deleting files.
4. Release of Information (ROI) Vulnerabilities
Even if you think your medical record security is HIPAA-compliant, it doesn't mean that you are compliant when transferring records to requesters. Whether the release of information process is handled in-house or outsourced, many healthcare organizations overlook it, resulting in non-compliant practices.
Solution: The best way to ensure compliance is by understanding and identifying the compliance protocols followed within your organization or by your ROI vendor. Any reputable ROI vendor should be able to list out the steps they take to meet HIPAA compliance guidelines.
5. Loss or Theft of Devices
If a computer, smartphone, or tablet falls into the wrong hands, the user could access patient health information. Thieves often target electronic devices because the information they contain has monetary value.
Solution: Devices that contain PHI should always be stored in a secure location and password protected. Unless these devices are necessary for out-of-office work, staff members should not remove them from the facility without authorization. Furthermore, a remote wipe feature can erase sensitive information should a device be compromised or stolen.
6. Unauthorized Release of Information
Before PHI is released, a request authorization must be obtained and verified. If this request is not accurate and verified, sending patient data to an unauthorized requester or sending incorrect patient data could result in a HIPAA violation. The patient or third-party requester must provide documented authorization before any information can be released.
Solution: Healthcare organizations (or their ROI vendors) should always check and verify request authorizations before sending information to a third party. Having the proper compliance checks and balances within your release of information workflow should minimize, and ultimately eliminate, unauthorized releases.