Everything you need to know about HIPAA violations (and how to avoid them)
January 19, 2022
Healthcare data should remain private, but over 40 million patient records were compromised in 2021 alone! Many of the affected organizations were not complying with The Health Insurance Portability and Accountability Act (HIPAA), and faced significant financial and legal penalties for failing to do so. Keep reading to learn more about what constitutes a HIPAA violation, some common HIPAA violations, and how to make sure you remain HIPAA compliant.
HIPAA is a set of regulations put forth by the United States Department of Health and Human Services (HHS) to protect people’s medical information and ensure individuals can access their records. These regulations are focused on how organizations create, store, or transmit protected health information (PHI). PHI is any data containing individually identifiable health information.
A HIPAA violation is when a covered entity or business associate fails to comply with any component of HIPAA. HIPAA has three main rules governing how protected health information should be handled: the privacy rule, the security rule, and the breach notification rule. Breaking any of the requirements set forth by these rules constitutes a HIPAA violation and must be dealt with immediately.
The privacy rule is what one typically thinks of when someone mentions HIPAA. It defines what constitutes a covered entity or business associate, what constitutes PHI, when organizations can use or disclose PHI, and the rights patients have over their medical information. It is easy to break the privacy rule by accident, so all healthcare employees should be well aware of the regulations surrounding PHI.
The security rule creates a set of standards for protecting electronic protected health information (e-PHI). Covered entities must conduct a risk assessment and create a risk management plan to reduce any risks to the confidentiality, integrity, and availability of e-PHI. All organizations that are required to follow HIPAA rules must have administrative, physical, and technical safeguards in place to keep PHI secure. Failure to protect e-PHI is a HIPAA violation.
The breach notification rule mandates that covered entities and business associates report any data breach within 60 days of discovering that it has occurred. Unauthorized disclosure of PHI is considered a data breach under HIPAA regulations. Any healthcare organization that experiences a breach must alert the affected individuals, submit a form to HHS, and potentially notify the media.
Although HIPAA violations come in all shapes and sizes, there are a few examples that happen more frequently than others. Here are some common HIPAA violation examples to know about to help your company stay compliant.
Unauthorized disclosure of PHI is the most common form of HIPAA violation. It happens when an employee shares PHI outside the scope of acceptable disclosure under HIPAA.
Failing to encrypt PHI is another common violation. HIPAA mandates that PHI is created, stored, and transmitted in a secure fashion, and encryption is one important aspect of safe data handling. Unencrypted data allows unauthorized individuals to gain access to private information.
Failing to conduct a risk analysis is also common. The security rule requires covered entities to conduct risk analyses and create a plan to deal with any risks that could affect PHI. Failing to account for potential risks leaves the door wide open for attackers.
Not having a business associate agreement (BAA) in place is another frequent violation. Covered entities must create BAAs with any companies they work with that come into contact with PHI. A BAA outlines both parties' responsibilities and liabilities and is mandated by the HIPAA omnibus rule.
Insufficient employee training is a common violation as well. HIPAA’s security rule mandates that covered entities and business associates train all employees who have a reasonable likelihood of accessing PHI. Organizations must provide both HIPAA privacy training and security awareness (cybersecurity) training.
Covered entities or business associates that violate HIPAA rules are at risk of a variety of penalties. The severity of these penalties depends on the nature of the HIPAA violation and what steps were taken to remediate it. Criminal charges typically require an element of malicious intent. The HHS Office for Civil Rights (OCR) is prohibited from issuing HIPAA fines to companies that correct violations within 30 days. Here are the various tiers of HIPAA violations and the penalties associated with them.
Most HIPAA violations are discovered in one of three ways. The first is when someone in the organization reports a violation internally. Self-reporting violations is covered in more detail below.
The second main way HIPAA violations are found is when the organization undergoes an internal audit. All HIPAA covered entities should conduct periodic audits of their policies, procedures, and security systems. Discovering a vulnerability before a third party does will protect your organization from security breaches and HHS penalties.
The third primary method for discovering HIPAA violations is an audit by the Office for Civil Rights. OCR sometimes audits companies at random, and they must be ready to demonstrate compliance. OCR will also audit companies that have had complaints filed against them.
Since HIPAA has exceptions for companies that remediate violations within 30 days, it is important to immediately report any potential HIPAA violations you come across. Reporting all violations, both inadvertent and intentional, enables organizations to solve the issue and protect themselves from increased liability.
If you believe your organization is violating HIPAA, you should inform your privacy officer as soon as possible. Your privacy officer will know the best course of action to take regarding the situation and will work to fix the HIPAA violation.
If you do not feel comfortable raising the issue within your organization, the Office for Civil Rights has a portal for people to report any HIPAA violations. The forms can be submitted anonymously and are intended to protect people from potential retaliation.
The best way to prevent violations is by implementing a compliance program to ensure your entire organization is abiding by HIPAA rules. Any healthcare providers or HIPAA covered entities that come into contact with medical records should have a compliance program in place to protect the organization from potential repercussions.
Although employee training is only one out of seven items on the list, it is arguably the most important aspect of preventing many HIPAA violations. Many security breaches happen as a result of human error, but properly training employees reduces the risk of those errors. Healthcare workers rarely disclose patient information in violation of HIPAA standards on purpose. Every employer can reduce the risk that an individual commits a violation by offering HIPAA compliance training. It may shock you to learn that one in four healthcare workers aren't offered security awareness training!
Haekka is a great option to improve your employee training to prevent any HIPAA violations. Haekka has a large library of content including HIPAA privacy and security awareness training to meet your compliance needs. Haekka is integrated into Slack so employees can learn in the apps they’re already using on a daily basis. If you want to learn more about Haekka, schedule a demo with us today!