While you’ve undoubtedly heard of lawsuits and penalties being filed against big healthcare providers over HIPAA violations, small and private practices are no less susceptible. Out of the 550 breaches listed in the U.S. Department of Health and Human Services’ HIPAA Portal, 204 were committed by practices and providers that serve 2,000 individuals or less.
These violations cost the responsible parties millions of dollars in penalties. One of the biggest offenders in 2019, UConn Health, lost the electronic protected health information (ePHI) of over 325,000 individuals in a phishing attack. Aside from HHS fines, UConn Health also faces a class-action suit.
If your organization is going through a digital transformation and would like to avoid these financial penalties and potential lawsuits, you must comply with HIPAA. Here are the top 5 HIPAA violations you should be aware of.
Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility
Due to overwork, staff shortages, and inadequate IT provision, some healthcare practitioners resort to taking their work home — literally. This common practice is not only unacceptable, it’s illegal under HIPAA.
HIPAA does not distinguish between hard copies of PHI and soft copies of documents stored in hospital-owned devices. Whether the healthcare practitioner carries a sheaf of paper documents home or copies patient records to their personal device, it is considered removal of ePHI from the premises.
Emailing ePHI to a personal email address also constitutes a violation of HIPAA regulations as it is considered removal of PHI from a healthcare facility. If you move data from a means of storage controlled by the facility to a personal one, whether physical or digital, you’re likely violating HIPAA regulations.
The removal of ePHI from the facilities might also be considered theft, and the penalties for theft of records are far worse than just the termination of employment. A conviction for this offense could involve some jail time.
Regardless of your intentions, never remove PHI from a healthcare facility or email ePHI to a personal email account. It’s not worth the risk. Your practice is better off facing a backlog of work than dealing with litigation, penalties, and reputational damage.
Insufficient ePHI Access Controls
Insufficient access controls for ePHI is another leading source of HIPAA breaches. Whether they occur at the email or network server level, access control breaches constitute 23 percent of all HIPAA violations, affecting more than 3.3 million individuals.
Section 164.312(a)(1) of HIPAA calls for access control measures to be implemented across all levels of a healthcare organization. Role-based access ensures individuals can access data on a strictly need-to-know basis.
These access controls can be implemented in several different ways. Physical copies of PHI can be stored in rooms that use security devices like card readers or finger scanners. Unique usernames and strong passwords for each employee will also prevent unauthorized access to digital records.
Healthcare facilities are required to train their employees on the importance of observing access controls. This training should be included in the onboarding process for new staff and reiterated whenever there is a change to the rules or as deemed necessary. Your IT team has an essential role in ensuring that digital access controls are fit for purpose and rigorously observed. But data security is everyone’s job.
Improper Disposal of ePHI
HIPAA does not specify a standard retention period for patient records, deferring to state patient privacy laws instead. Nevada requires healthcare providers to keep medical records for five years or until a minor patient reaches 23. Florida requires physicians to maintain records for five years after the last patient contact, and hospitals to retain them for seven years. Familiarize yourself and your team with your state’s laws.
HIPAA-related documents that are covered by the regulations have specific retention and disposal requirements. These include authorizations for the disclosure of ePHI, physical security maintenance records, logs recording access to ePHI, employee sanction policies, and information security and privacy policies. In addition, other regulatory bodies have their own retention periods.
As soon as the retention period for patient medical records and HIPAA documentation has expired, HIPAA requires that they are disposed of using secure methods:
- Paper records may be shredded, burned, turned into pulp, or pulverized before being placed into a garbage receptacle.
- Labeled prescription bottles and other PHI may be stored in an opaque container to be picked up by a disposal vendor and destroyed.
- Electronic records may be overwritten with non-sensitive media or degaussed using a strong magnetic field. The storage devices themselves may be destroyed by incineration, shredding, or pulverization.
If in doubt, healthcare providers should follow state-mandated retention periods and use HIPAA-approved disposal methods.
Denying Patients Access to Their Health Records
The HIPAA Privacy Rule allows patients to request ePHI in the form of a “designated record set.” This covers electronic health records and billing records maintained by a healthcare provider; enrollment, payment, claims, or case management records kept by a health plan; and other records used to make decisions about individual cases.
This means that the patient has the right to demand their X-ray images and readings, clinical laboratory test results, clinical case notes, insurance information, and wellness management files. An authorized personal representative may also ask for the designated record set if the patient is unable to make the request.
While care must be taken that the requesting party’s identity is verified before the records are made available, a healthcare provider must provide access to the records no more than 30 days after the request is received. Using an email verification solution can help expedite the process of confirming the requestor’s identity.
HIPAA allows an extension of up to 30 days when the data is stored offsite or otherwise not immediately accessible. The records issuer must inform the requesting party in writing about the cause of the delay and the expected date of record availability within the first 30 days.
However, HIPAA makes exceptions to this rule for particular scenarios, including:
- psychotherapy notes for use in a legal proceeding.
- a prison inmate’s request that would jeopardize the lives of other inmates or the safety of correctional officers.
- clinical trials still in progress if the patient has agreed to the suspension of the right to access. However, once the research is completed, the patient’s access rights are reinstated.
- when the access requested is reasonably likely to cause substantial physical harm to another person.
In these cases, the healthcare provider must deliver a written denial to the requesting party no later than 30 days after receiving the request. Another authorized official may review a denial.
Leaving Portable Electronic Devices and Paperwork Unattended
The HIPAA Security Rule specifies that PHI and ePHI must be secured at all times. This rule applies to paper records, electronic storage media, and portable electronic devices where ePHI is stored or which have applications used to access ePHI from the cloud.
If paperwork is left unattended, it could be viewed or obtained by an unauthorized individual such as a staff member, visitor, another patient, or a relative. This situation would be considered an unauthorized disclosure of PHI, even if it were not the intention of the data holder or the accessing party.
The same principle applies to electronic devices, such as mobile phones, tablets, or wearables. A lost or stolen device, or one left unsecured and unattended could result in unauthorized access to records. Any electronic devices carrying sensitive data must be encrypted and protected with a password, swipe pattern, or facial recognition.
Both electronic devices and paper records must be kept in safe and secure locations at all times. A locked room or locking storage cabinet is ideal. Portable devices should never be separated from their owners unless they are also stored securely.
Reducing Your Exposure to HIPAA Violation Risks
We all understand the importance of medical privacy and would reasonably be terribly upset if our information fell into the wrong hands. If you work in healthcare, you undoubtedly know the importance of HIPAA and the seriousness of a breach. However, the majority of HIPAA violations occur as a result of negligence as opposed to malice. Therefore, you must be vigilant to guard against it.
Compliance with HIPAA regulations starts with each employee. It should be included in your onboarding process and reiterated as necessary.
The burden of HIPAA compliance does not solely fall upon the executives, your employees, your compliance and governance office, your legal department, or HR. Rolling out HIPAA-compliant standards and practices involves everyone, from the orderlies and maintenance crew, to the nurses and doctors, and IT and security.
Ensuring HIPAA compliance requires an investment of time and resources. It is also an ongoing process, not a one-time task. The price for not observing HIPAA rules is high, and a serious breach could cost your organization its success. Do not take the risk.
Owen Baker is a content marketer for Voila Norbert, an online email verification tool. He has spent most of the last decade working online for a range of marketing companies. When he’s not busy writing, you can find him in the kitchen mastering new dishes.
Want to write an article for our blog? Read our requirements and guidelines to become a contributor.
Originally published at AltexSoft tech blog “Top 5 HIPAA Violations to Watch Out for”