A patient’s health information consists of the most intimate details about them; there is no question about it – it needs to be kept confidential. When a person seeks health care, they come with the understanding that none of their personal particulars, information associated with their ailments, or any other related matter will be seen by an unauthorized person. It is with this guarantee in mind that health care providers must make sure no HIPAA violations occur when they store, use, or share their patients’ data.
But, what is HIPAA?
HIPAA stands for “Health Insurance Portability and Accountability Act.” It was passed by Congress in 1996 to cover:
- Removing obstacles to continued health insurance coverage for American workers, irrespective of their employment status
- Standardizing the electronic exchange of health information and claims between providers, health plans and clearinghouses
- Protecting that information against fraud and theft, whether the target is the data itself or the access it grants to even more personal information that could be misused
PHI is an acronym for “Protected Health Information.” This includes any information about the health status, provisions of medical services, and any financial transactions for such services that can be traced back to a patient or an individual.
The overseeing and enforcement of the HIPAA Privacy and Security Rules falls under The U.S. Department of Health & Human Services (HHS) Office for Civil Rights.
What are HIPAA covered entities?
Although health care providers are the primary targets of the Act, they are not the only ones. HIPAA violations can also be committed by the other "covered entities", and by the business associates that work for them, all of whom are responsible for the safekeeping of PHI.
These covered entities include:
- Health plans – although they are not directly involved in the wellbeing of the insured person, they handle health information whenever claims are made
- Health care clearinghouses – these entities process the billing and transactional side of insurance claims, which requires handling PHI
- Business associates – contractors and sub-contractors that create, receive, maintain or transmit PHI while doing work for a covered entity (billing services, cloud hosting providers, IT support, and so on). They are not covered entities themselves, but they must be bound by a business associate agreement (BAA) before they touch PHI
In 2009, the HITECH Act made business associates directly liable for complying with the HIPAA Security Rule and the applicable parts of the Privacy Rule, so their obligations no longer flow only through the contract with the covered entity.
What are the most common HIPAA violations?
OK, now that we have cleared up the terminology and identified the entities involved, it's time to look at the HIPAA violations themselves. It usually comes down to ensuring the confidentiality, integrity, and availability of patients' health information.
With that in mind, common HIPAA violations would therefore be:
Sharing and security issues
- Passing PHI on to an unauthorized third-party entity – whether intentionally or otherwise – is a cardinal sin; it is the basic HIPAA violation that should, ideally, never occur
- Looking into other people’s health information records without their consent
- Straight-out theft of PHI for financial gain or any other benefit – this makes it a criminal act
- A covered entity that hands PHI to a business associate (or a business associate that hands it to a subcontractor, and so on down the line) without first signing a business associate agreement (BAA) is committing a HIPAA violation
- Giving out more PHI than the task requires, which breaks the "minimum necessary" standard; research is a good example, where data should be de-identified by removing the identifiers the Privacy Rule lists (names, dates, contact details, record numbers and so on) unless the patient has authorized their use
- Posting – in full or in part – of PHI online, texting, or sharing it via social media platforms without the patients’ consent
- Erroneous handling of PHI in a way that risks compromising or revealing it – carrying around sheets of paper with personal data on it or storing it on a flash drive that can easily be lost or stolen, are good examples
- Sending or emailing PHI to the wrong person or covered entities’ addresses
- Patients have the right to access their own PHI; it is a HIPAA violation not to provide it within 30 days of the request (one 30-day extension is allowed if the patient is told the reason in writing)
Account management issues
- Not having the necessary user access controls in place to prevent HIPAA violations before they occur – be it hardware or software
- Not having an identity and access management (IAM) system to control which accounts exist, what privileges they carry, and who approved them
- Not disabling accounts and revoking access rights to health information once users no longer have need for them
- Not using a secure database or using a database that was not created for the purpose (E.g. Excel spreadsheets)
- Not having an IT policy that protects PHI or neglecting to have it strictly enforced by everyone concerned
- Not encrypting PHI at rest and in transit; encryption is an "addressable" specification under the Security Rule, which means a covered entity that chooses not to encrypt must document why and what equivalent safeguard it uses instead, not simply skip it
- Not performing a risk analysis of the systems that store, process or transmit PHI to find their security weak points; the Security Rule requires this, and its absence is a frequent finding in OCR enforcement actions
- Not acting on those findings promptly (the Security Rule calls this risk management)
- Even in the most secure systems, anyone who accesses PHI should be tracked – even if they are authorized to do so; keeping and monitoring of access logs is an important aspect of HIPAA compliance
- Failure to document compliance efforts to keep track of efforts put into securing PHI
- Not notifying affected patients without unreasonable delay, and no later than 60 days after discovering a breach of unsecured PHI; breaches affecting 500 or more individuals must also be reported to the Office for Civil Rights within that same 60 days, smaller ones at least annually (within 60 days of the end of the calendar year in which they were discovered)
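The account-management points above are easiest to see in code. The following is an added example, not code from the original article or from any particular product: a small Python gateway that puts every PHI read behind one choke point and enforces role-based access, "minimum necessary" field filtering, immediate loss of access for deactivated accounts, and an audit log entry for every attempt, allowed or denied. It also includes a helper that works out the breach-notification deadlines described above. The patient records, user IDs, roles and field sets are all constructed for illustration and are not real data.

```python
"""Added example: a PHI access gateway that enforces the account-management
controls from the list above. Names, roles and records are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records; not real patient data.
PATIENTS: Dict[str, Dict[str, object]] = {
    "P001": {"name": "Jane Doe", "dob": "1980-04-12", "diagnosis": "J45.20",
             "billing_total": 1240.50, "insurance_id": "INS-55123"},
}

# Minimum necessary: the fields each (hypothetical) role may read.
# Researchers get no direct identifiers at all.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnosis"},
    "billing": {"name", "billing_total", "insurance_id"},
    "researcher": {"diagnosis"},
}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    patient_id: str
    fields: List[str]
    outcome: str  # "allowed" or "denied:<reason>"


class PhiGateway:
    """Single path through which all PHI reads must pass."""

    def __init__(self, users: List[User], patients: Dict[str, Dict[str, object]]):
        self.users = {u.user_id: u for u in users}
        self.patients = patients
        self.audit_log: List[AuditEvent] = []

    def _log(self, user_id: str, patient_id: str, fields: Set[str], outcome: str) -> None:
        # Every attempt is recorded, including successful reads by authorized staff.
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user_id, patient_id, sorted(fields), outcome))

    def deactivate(self, user_id: str) -> None:
        """Offboarding: revoke access instead of deleting the account, so old audit entries keep their identity."""
        self.users[user_id].active = False

    def read(self, user_id: str, patient_id: str,
             requested: Optional[Set[str]] = None) -> Dict[str, object]:
        user = self.users.get(user_id)
        if user is None or not user.active:
            self._log(user_id, patient_id, requested or set(), "denied:inactive-or-unknown-user")
            raise PermissionError(f"{user_id}: account unknown or disabled")
        allowed = ROLE_FIELDS.get(user.role, set())
        # With no explicit request, return only what the role is entitled to.
        wanted = set(requested) if requested else set(allowed)
        excess = wanted - allowed
        if excess:
            self._log(user_id, patient_id, wanted, "denied:exceeds-role:" + ",".join(sorted(excess)))
            raise PermissionError(f"{user_id}: role {user.role!r} may not read {sorted(excess)}")
        record = self.patients.get(patient_id)
        if record is None:
            self._log(user_id, patient_id, wanted, "denied:no-such-patient")
            raise KeyError(patient_id)
        self._log(user_id, patient_id, wanted, "allowed")
        return {k: record[k] for k in wanted}


def notification_deadlines(discovered: date, individuals_affected: int) -> Tuple[date, date]:
    """Return (deadline to notify affected individuals, deadline to notify OCR).

    Individuals: no later than 60 days after discovery. OCR: the same 60 days
    when 500 or more people are affected, otherwise within 60 days after the
    end of the calendar year in which the breach was discovered.
    """
    individuals = discovered + timedelta(days=60)
    if individuals_affected >= 500:
        ocr = individuals
    else:
        ocr = date(discovered.year, 12, 31) + timedelta(days=60)
    return individuals, ocr


if __name__ == "__main__":
    gw = PhiGateway([User("dr1", "physician"), User("acct1", "billing")], PATIENTS)
    print(gw.read("dr1", "P001"))
    try:
        gw.read("acct1", "P001", {"diagnosis"})   # billing may not see diagnoses
    except PermissionError as exc:
        print("denied:", exc)
    gw.deactivate("dr1")
    try:
        gw.read("dr1", "P001")                    # offboarded user is refused
    except PermissionError as exc:
        print("denied:", exc)
    for event in gw.audit_log:
        print(event)
    print(notification_deadlines(date(2024, 1, 10), 12))
```

The point of routing reads through one class is that the audit log cannot be bypassed by a caller that "forgot" to log: there is no other way to reach the record. In a real deployment the log would be written to append-only storage that the application's own database credentials cannot modify, and `ROLE_FIELDS` would come from the IAM system rather than a module constant.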
What are the consequences of HIPAA violations?
Violating the HIPAA Privacy or Security Rules is a serious offense, and the HHS Office for Civil Rights treats every complaint as such. Over the years, violators, individuals and organizations alike, have found that out the hard way.
The actions taken against violators include:
- Warning or termination – personnel found in breach of a patient’s privacy have lost their jobs
- Personnel can be fined or even sent to prison; this is no light matter, since the maximum criminal penalty for a HIPAA violation by an individual is a 10-year sentence where intent to sell the information, or to use it for commercial advantage, personal gain or malicious harm, can be proven
- Civil monetary penalties against organizations: fines against a covered entity or business associate are tiered by culpability and can reach $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision (both figures are adjusted for inflation each year)
Image source: HIPAA Journal
How can HIPAA violations be avoided?
Now, since we have had a look at the HIPAA violations that can get your business in a great amount of trouble, let us have a look at the remedies:
- Using a secure database – a database hosted in a hardened environment, whether on premises or with a cloud provider that has signed a BAA, is harder to reach in the first place; attackers cannot breach what they cannot reach
- Electronic data capture – data integrity can be protected with input validation, restrictions on who may enter data and in which format, and controls that prevent unauthorized modification or deletion
- Access control – PHI needs to be protected with encryption in transit and at rest, regular review of roles and privileges, and physical safeguards such as secured server rooms or a hosting provider with equivalent controls
- Using current technology – with cloud-hosted servers and low-code database platforms available, there is no excuse for keeping such critical information in outdated software or spreadsheets
You can prevent the next HIPAA violation
Health care service providers, business associates and any other related businesses that want to make sure a HIPAA violation doesn't occur on their watch can build HIPAA-compliant databases, host them on protected servers, and make the data available to authorized users, including the patients themselves, wherever they are located. It therefore makes sense to start securing the data now.
Contact us now; we will help you secure your PHI today.