Not keeping up with HIPAA regulations can be quite costly for any physician’s office or entity that needs to adhere to compliance. HIPAA violation fines range from $100 to over $4 million. Staying compliant is not an easy task: regulations are always changing and you are required to be up to date on every change. Below I have written up a few basic examples and how to avoid them.
What is this so-called HIPAA violation?
A HIPAA violation happens when there is a breach, acquisition, access or disclosure of Protected Health Information (PHI) that can put patients at personal risk.
Everyone that works with PHI should be compliant:
Health care clearing houses
Health care providers who transmit claims in electronic form
Medicare prescription drug card sponsors
Any Business Associate, Entity or Individual that has access to any type of PHI.
How Much can HIPAA Violations Cost you?
If you didn’t already know, there are two types of HIPAA violations: civil and criminal. These of course have different penalty structures and consequences.
The Civil HIPAA Penalty
Civil penalties are usually given to individuals who commit a violation without any malicious intent, for example through neglect or because they were unaware that their actions were wrong.
Your civil penalties would be as follows:
If the individual was not aware that they were committing a HIPAA violation, they would be fined $100 per violation.
If the individual had reasonable cause for their actions and did not act with willful neglect, they would be fined a minimum of $1,000.
If the individual was acting with willful neglect, but then fixed the issue, they would be fined a minimum of $10,000 per violation.
If the individual was acting with willful neglect and did not fix the issue, they would be fined a minimum of $50,000 per violation.
The Criminal HIPAA Penalty
Individuals who commit a criminal violation did so with malicious intent, and these violations lead to criminal penalties.
Your criminal penalties would be as follows:
If the individual knowingly obtains and discloses PHI, they would be fined up to $50,000 and jailed for up to a year.
If the individual commits violations under false pretenses, they can be fined up to $100,000 and jailed for up to 5 years.
If the individual commits the violation for personal gain (e.g. sells PHI or uses it to harm the patient), they would be fined up to $250,000 and jailed for up to 10 years.
Most Common HIPAA Violation Examples
1) Lack of Encryption
To ensure your PHI does not land in the wrong hands, you need to make sure that all data is encrypted.
This adds an additional layer of cybersecurity on top of all the other best practices: even if there is a breach and PHI data gets stolen, the hackers will not be able to read it without the encryption key.
The hospital staff should also be using encrypted messaging applications when sending PHI.
2) Getting Hacked OR Phished
You hear on the news about companies being hacked and all the data leaks, and of course you think it will never happen to you; no one really expects that their organization will be breached. But it does not matter how big or small you are, hacking is a very legitimate threat that you must take seriously.
What would Hackers do with your PHI?
Hackers profit by selling PHI to third-party organizations that can make use of the information.
Hackers also target you with ransomware: they lock you out of your own data, and if you don’t pay the ransom they will delete all of it. In 2016, an LA hospital had to pay off the hackers to the tune of around $17,000.
How would you go about preventing this from happening to you? Well, there are several best practices to protect you from phishers and hackers.
Keep all anti-virus software up to date
Use encryption on all systems
Regularly change passwords on all important devices
Limit access to devices and data based on employee status
One of the most important steps is to have your employees go through continual basic security training and awareness.
3) Unauthorized PHI Access
Employees accessing data they are not authorized to view is a pretty common HIPAA violation. Accessing patient records that are not related to the individual in front of you or assigned to you, even if only out of curiosity, is still a violation and can result in both a fine and an information breach.
In a worst-case scenario even your own employees could sell PHI for personal gain. To make sure this doesn’t happen you must set up an authorization system that prevents employees from accessing data that is not directly related to their own cases.
You should also set up some additional good-practice safeguards: if you are asked to disclose any PHI for anything other than health care operations, treatment or payment, the employee should get written consent from the right authority.
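As an added example (not from the original post), here is a minimal version of the authorization and consent check described above, written in Go with only the standard library. The employee, patient and purpose values are constructed sample data, and the type and function names are my own assumptions rather than any real system's API. The rules it enforces are the ones in the section: an employee may only read records of patients assigned to them; a disclosure outside treatment, payment or health care operations additionally requires written consent on file; and every request, allowed or denied, is written to an audit trail so repeated denied lookups by one employee can be reviewed.

```go
package main

import (
	"errors"
	"fmt"
)

// Purpose of a PHI access request. Treatment, payment and health care
// operations are the routine purposes; anything else needs written consent.
type Purpose string

const (
	Treatment  Purpose = "treatment"
	Payment    Purpose = "payment"
	Operations Purpose = "operations"
	Other      Purpose = "other"
)

// Employee records which patient IDs an employee is currently assigned to.
// (Constructed data model; the names are assumptions, not a real system's.)
type Employee struct {
	Assigned map[string]bool
}

// AccessRequest is one attempt to read a patient's record.
type AccessRequest struct {
	EmployeeID string
	PatientID  string
	Purpose    Purpose
	HasConsent bool // written consent from the right authority is on file
}

// AuditEntry is written for every request, allowed or denied, so that
// curiosity-driven lookups remain visible afterwards.
type AuditEntry struct {
	Request AccessRequest
	Allowed bool
	Reason  string
}

var (
	ErrUnknownUser  = errors.New("unknown employee")
	ErrNotAssigned  = errors.New("patient not assigned to employee")
	ErrNeedsConsent = errors.New("non-TPO purpose requires written consent")
)

// Authorizer is the minimal "authorization system" the post calls for.
type Authorizer struct {
	Employees map[string]*Employee
	Audit     []AuditEntry
}

// Check decides whether a request may proceed and records the decision.
func (a *Authorizer) Check(r AccessRequest) error {
	err := a.decide(r)
	reason := "ok"
	if err != nil {
		reason = err.Error()
	}
	a.Audit = append(a.Audit, AuditEntry{Request: r, Allowed: err == nil, Reason: reason})
	return err
}

func (a *Authorizer) decide(r AccessRequest) error {
	emp, ok := a.Employees[r.EmployeeID]
	if !ok {
		return ErrUnknownUser
	}
	if !emp.Assigned[r.PatientID] { // need-to-know: must be assigned to the patient
		return ErrNotAssigned
	}
	switch r.Purpose {
	case Treatment, Payment, Operations:
		return nil
	}
	if !r.HasConsent { // anything outside TPO needs written consent on file
		return ErrNeedsConsent
	}
	return nil
}

// DeniedCount is the detection side: repeated denied lookups by one
// employee are the signal a privacy officer should review.
func (a *Authorizer) DeniedCount(employeeID string) int {
	n := 0
	for _, e := range a.Audit {
		if !e.Allowed && e.Request.EmployeeID == employeeID {
			n++
		}
	}
	return n
}

// NewDemoAuthorizer builds a constructed sample: employee "n1" is assigned
// to patient "p100" only.
func NewDemoAuthorizer() *Authorizer {
	return &Authorizer{Employees: map[string]*Employee{
		"n1": {Assigned: map[string]bool{"p100": true}},
	}}
}

func main() {
	a := NewDemoAuthorizer()
	for _, r := range []AccessRequest{
		{"n1", "p100", Treatment, false}, // assigned patient, routine purpose: allowed
		{"n1", "p200", Treatment, false}, // not assigned: denied
		{"n1", "p100", Other, false},     // assigned, non-TPO purpose, no consent: denied
		{"n1", "p100", Other, true},      // same with written consent on file: allowed
	} {
		fmt.Printf("%s reads %s for %s: %v\n", r.EmployeeID, r.PatientID, r.Purpose, a.Check(r))
	}
	fmt.Println("denied lookups for n1:", a.DeniedCount("n1"))
}
```

The audit trail is the part that catches the "out of curiosity" case in the text: the denied entries stay on record even though no data was returned, which is what lets a privacy officer notice an employee repeatedly probing records outside their assignments.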
4) Loss or Theft of Devices
A very common HIPAA violation is a result of lost company devices.
In 2017, Lifespan mentioned in a news release that someone broke into an employee’s vehicle and stole their work laptop. The device was not even password-protected, and the PHI/PII of over 20,000 patients was available to be read.
It is very hard to prevent devices from being stolen, but it is simple enough to avoid PHI being leaked by using software to encrypt the data on your devices. So even if a device gets stolen, the thieves won’t be able to access the PHI.
5) Sharing PHI Information
Any confidential information, including PHI, should be on a need-to-know basis. You might think it’s harmless to talk about and share discussed cases with colleagues, but the truth is this might result in information leaks. One of the most common ways to hack is a method called social engineering: hackers try to trick employees into giving out information that helps them gain access to computers that hold PHI, or into verbally disclosing information that contains PHI.
The way to ensure that you don’t fall for this type of social engineering is to make sure that all information is only shared in a private setting with authorized personnel. Even casually sharing PHI with family members can result in a HIPAA violation.
6) Disposal of PHI
Your employees should be trained in the proper procedures for disposing of PHI, for both physical documents and digital files. If a document is left on a table, or patient information is left visible on a desktop, it has the potential to be read by unauthorized personnel, resulting in a HIPAA violation.
The known best practice is to make sure that physical copies are stored in a properly secured location or shredded. Any information on a desktop should be locked so no one else can see it, and a privacy filter should be applied to the screen.
7) Accessing PHI from Unsecured Location
Many employees and clinicians tend to work late hours and use their personal computers to do so, which they think is okay. While this seems innocent to the regular person, it can actually have disastrous consequences.
There are many ways this could go wrong…
The clinician or employee might leave a document with PHI open on the computer screen and a family member ends up seeing it; this would be considered a HIPAA violation.
If you or a family member accidentally download malware onto a computer that is not properly protected, hackers can in turn find and steal the PHI on it, which would also be considered a HIPAA violation.
There are many other ways that hackers go about obtaining PHI, so the best way to avoid this is to have a dedicated computer for anything to do with patient information and to make sure you access it from a secure location over a VPN. (Public WIFI IS NOT SECURE!)
What would be the best ways to avoid HIPAA Violations?
Many HIPAA violations are due to a lack of employee training. Employees have no idea how the regulations work, and with proper quarterly training they would make far fewer of the mistakes mentioned above. This is not just me providing a recommendation on what you should do to protect yourself; it is actually required to meet HIPAA compliance requirements.
If you happen to need any help with training routes or just have general questions about HIPAA feel free to contact me directly.