Potential HIPAA Security Violations
By Adrian Johansen, freelance writer; @AdrianJohanse18.
Your health is the most personal part of your life. Going into a doctor’s office or hospital makes a person feel vulnerable, even if they’re only there for a routine checkup. There’s an unspoken trust between patient and doctor that whatever is discussed or recorded will remain private. When your protected health information (PHI) gets out, either accidentally or purposefully, it can be embarrassing and seriously affect your life.
The Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996. Its Privacy and Security Rules formalize the privacy and security requirements that keep PHI safe. Healthcare administrators and staff such as nurses who work with patient records must be trained in these regulations, and they also must know how to recognize and handle HIPAA violations.
The growth of HIPAA violations
HIPAA compliance has always been important, but it has become even more of a hot topic in recent years as the number of data breaches has climbed. Between 2009 and 2015, breaches were caused mainly by the loss or theft of devices and paper records containing PHI. Encryption and improved policies reduced those types of breaches. From 2015 to 2018, the top causes shifted to hacking incidents and unauthorized access and disclosures. More than one healthcare data breach is reported per day, and nearly 190 million healthcare records have been stolen or exposed since 2009.
Common HIPAA security violations
A HIPAA violation is any failure to comply with the Privacy or Security Rule; the most visible kind is a breach, meaning the loss of, or unauthorized access to, PHI. PHI includes any identifying information, such as the patient’s name, date of birth, contact information, photos, or healthcare records. A breach may occur when:
- A tech device, like a laptop, smartphone or USB, is lost or stolen
- PHI is accidentally sent to the wrong patient
- A break-in at the medical office results in theft of patient records
- A cyberattack succeeds, such as an intrusion, malware or ransomware
- Employees talk about PHI outside the medical office
- A business associate (a vendor that handles PHI on the organization’s behalf) suffers a breach, or an unauthorized individual gains access
- PHI is shared online (such as on social media) or by unsecured text message
- A mobile health app that handles PHI is built without the Security Rule’s safeguards, such as access control, audit logging, and encryption in transit and at rest
- PHI is disclosed in court beyond what is permitted. Note that disclosure is allowed in some legal proceedings, such as a malpractice case in which the patient puts their own condition at issue
If a breach occurs, it must be reported to the Department of Health and Human Services (breaches affecting 500 or more individuals are reported without unreasonable delay; smaller breaches are logged and reported annually), and every individual affected must be notified. Failing to notify affected individuals within 60 days of discovering the breach is itself a HIPAA violation.
How to stay HIPAA compliant
Every medical office should have a designated security officer who is responsible for creating, launching, and managing a compliance program. The security officer creates safeguards so that PHI remains confidential, ensures that PHI access logs are maintained, and conducts regular risk analyses. The officer also controls who is able to view PHI and defines a process for terminating PHI access when an employee no longer requires it. The security officer should also arrange for HIPAA training.
Here are a few more ways to stay compliant:
- Any device used to store or communicate PHI should be encrypted. Most organizations encrypt PHI on in-office computers, but laptops, smartphones and tablets need it too, whether the device belongs to the company or to the employee.
- Regularly audit who has accessed databases and systems. You may find that some employees think they need to access PHI when they really don’t, or that they are snooping through records of patients they have no role in treating.
- Medical records should be destroyed properly via HIPAA-compliant medical shredding. This may mean allowing a representative from the organization to witness the shredding or using locked bins to secure documents that will be shredded.
- HIPAA compliance rules may change, so it’s necessary to regularly review current guidelines and to provide training for employees to get them up to speed.
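The access-log audit recommended above can be partly automated. The following Python script is an added example, not code from the original article: it reads a constructed EHR access log and flags two patterns a security officer typically looks for, a user opening a chart of a patient they are not assigned to, and a user opening far more distinct charts in one day than their duties would explain. The log format, the care-team table and the threshold are assumptions made for this example; real EHR systems export audit trails in their own formats.

```python
"""Audit a PHI access log for likely snooping.

Two checks a security officer would run over an EHR access log:
  1. access by a user who is not on the patient's care team;
  2. a user touching far more distinct patients than expected in one day.

The log format, the care-team table and the threshold are assumptions
for this example; real EHR systems export audit trails in their own formats.
"""
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp, user, patient id, action
SAMPLE_LOG = """\
2019-03-04T09:02:11 dr.lee P1001 view
2019-03-04T09:05:40 nurse.kim P1001 view
2019-03-04T09:07:02 nurse.kim P1002 update
2019-03-04T10:15:33 clerk.ann P1001 view
2019-03-04T10:16:01 clerk.ann P1002 view
2019-03-04T10:16:20 clerk.ann P1003 view
2019-03-04T10:16:45 clerk.ann P1004 view
2019-03-04T10:17:10 clerk.ann P1005 view
2019-03-04T10:17:30 clerk.ann P1006 view
2019-03-04T11:40:00 dr.lee P1002 view
"""

# Constructed care-team assignments: patient -> users permitted to open the chart
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.kim"},
    "P1002": {"dr.lee", "nurse.kim"},
    "P1003": {"dr.patel"},
    "P1004": {"dr.patel"},
    "P1005": {"dr.patel"},
    "P1006": {"dr.patel"},
}


def parse_log(text):
    """Return a list of (timestamp, user, patient, action) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append((ts, user, patient, action))
    return events


def find_unassigned_access(events, care_team):
    """Accesses by users who are not on the patient's care team."""
    return [
        (ts, user, patient, action)
        for ts, user, patient, action in events
        if user not in care_team.get(patient, set())
    ]


def find_bulk_access(events, max_patients_per_day=3):
    """Users who opened more distinct patients in one day than the threshold.

    Returns {(day, user): distinct_patient_count} for each offender.
    """
    seen = defaultdict(set)
    for ts, user, patient, _ in events:
        day = ts[:10]  # ISO timestamp: the first 10 characters are the date
        seen[(day, user)].add(patient)
    return {key: len(p) for key, p in seen.items() if len(p) > max_patients_per_day}


def audit(text, care_team=CARE_TEAM, max_patients_per_day=3):
    """Run both checks over a raw log and return the findings."""
    events = parse_log(text)
    return {
        "unassigned": find_unassigned_access(events, care_team),
        "bulk": find_bulk_access(events, max_patients_per_day),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ev in report["unassigned"]:
        print("unassigned access:", *ev)
    for (day, user), n in report["bulk"].items():
        print(f"bulk access: {user} opened {n} distinct charts on {day}")
```

On the constructed log, both checks point at the same account: clerk.ann appears on no care team yet opens six charts in two minutes. In a real deployment the care-team check needs the organization’s full role model (billing and scheduling staff legitimately see some PHI), and the threshold should be set from each role’s normal volume rather than a fixed number, but the structure of the review is the same.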
Your security officer should help set up all of these processes. However, if you can’t hire an in-house security officer to ensure your organization stays HIPAA-compliant, consider working with a managed service provider that specializes in HIPAA compliance. A HIPAA-compliant data backup plan is also key.
Everyone is a patient at one point or another — even a doctor, nurse or health insurance rep. That means that everyone who works for a medical organization should understand why it’s so important to protect a patient’s health information. PHI data breaches are scary for patients; they have to worry that their personal information will be exposed to the world or that a cybercriminal will steal their identity.
Healthcare companies have to be concerned, too. Not only can HIPAA violations and data breaches cost them money, but they can also destroy the business’ reputation. By being aware of common violations and knowing how to prevent them, medical companies can keep themselves and their patients safe.