The Top HIPAA Violations and How to Prevent Them
By Meghan Franklin
2018 saw the largest Health Insurance Portability and Accountability Act (HIPAA) settlement since the Act was passed more than two decades ago, in 1996. HIPAA sets national standards for the privacy and security of individually identifiable health information and for its electronic exchange.
In the settlement, Anthem paid the U.S. Department of Health and Human Services (HHS) $16 million, on top of the $115 million it had already agreed to pay plaintiffs affected by the cyber attacks disclosed in 2015 that compromised the protected health information (PHI) of 79 million people. During the attacks, the intruders gained access to sensitive information including Social Security numbers, medical identification numbers, and email addresses.
While Anthem’s HIPAA violation was major news in 2018 – it was one of the costliest consumer data breach settlements in history – penalties for HIPAA violations are not uncommon. Just look at HHS’s reporting of resolution agreements to get a sense of the variety of HIPAA violations a healthcare entity can commit and how serious the financial implications for that entity can be.
In 2018 alone, healthcare entities were fined for HIPAA violations ranging from disclosing PHI to news media to failing to terminate former employees’ access to electronic medical records.
In addition to the financial implications of HIPAA violations, they can severely degrade an organization’s reputation, which, of course, has financial implications of its own.
Training on HIPAA continues to be of the utmost importance for everyone who has access to PHI. Violations are often not intentional or malicious, but rather the result of employee carelessness, lack of knowledge, or an organizational failure to conduct appropriate risk assessments.
So, what are some of the top reasons for HIPAA violations? Awareness of how other healthcare organizations have fallen short in safeguarding PHI can help your practice avoid their mistakes.
- Employee disclosure of information: Two of your all-star nurses meet at your hospital’s popular coffee shop during a break. Nurse Katie shares that she is struggling with a certain family’s resistance to the healthcare team’s recommended care plan. Wanting to help, nurse Emily asks what room number the family is in; maybe she has worked with them, too. Harmless, right? Not so much. It just so happens that the grandmother of the patient your nurses are discussing is picking up a latte before visiting her grandchild and overhears their conversation. It doesn’t matter that your nurses were discussing a patient in a context of soliciting and sharing professional feedback; employees should never discuss anything that could even identify a patient as being in their care in public places.
This type of violation can also happen when a patient’s family members or friends innocently inquire about the patient. While providers may want to be helpful and share information like a room number or other private details, all employees should be trained on an appropriate response to these types of inquiries so as to safeguard PHI. In general, HIPAA violations related to employee disclosure of information can be avoided if employees are reminded to pause and consider their environment before discussing any patient information.
- Carelessness with medical records: Whether electronic or paper, medical records are chock-full of PHI and should always be handled with the utmost care. For example, employees should not complete electronic medical record (EMR) documentation on public-facing computers or print and leave PHI on printers in public areas. While most organizations that use EMRs can restrict access to PHI by assigning EMR users to appropriate security profiles, organizations using paper records should also set clear expectations about who can handle PHI. All organizations should set and clearly communicate penalties for employees who access PHI without authorization.
- PHI on lost or stolen devices: A lost or stolen laptop, smartphone or other device that holds PHI can put an organization at risk for HIPAA violations. Your organization’s information technology team can play a critical role in reducing this risk by preventing unauthorized access to PHI on a device that goes missing: a screen lock with a strong passcode, full-disk encryption, and the ability to wipe the device remotely. Encryption also matters after the fact: PHI encrypted in line with HHS guidance is not “unsecured PHI,” so its loss does not by itself trigger the Breach Notification Rule, whereas a login password on an unencrypted disk does not qualify, because the disk can simply be read in another machine.
- Unsecured texting: While texting can be an efficient way for providers to communicate important patient information on the go, it can also put PHI at risk. Ordinary SMS messages are not encrypted and are stored by the carrier and on each handset. End-to-end encrypted messaging applications can safeguard information sent as a text, but both parties must be using the application for the protection to apply; a message sent from such an app to a recipient who only has SMS falls back to plain text. Your organization should set clear expectations about if and when texting patient information is appropriate and what safeguards must be in place before texting can be used to transmit PHI.
- Social media: Facebook wasn’t in our lexicon in 1996, when HIPAA was established. Now, it’s likely that the majority of your employees who access PHI use Facebook or other social media channels. A post with a picture of a favorite patient celebrating their last chemotherapy treatment may seem harmless, especially if no name is mentioned, but a full-face photograph is itself one of the identifiers HIPAA lists, and posting patient photos without the patient’s written authorization is a HIPAA violation. Your organization’s social media policy should help your employees understand the serious implications of inappropriate social media use.
- Unauthorized access of patient files: Employees may access PHI only when it is necessary to do their job. While an employee may be tempted to look up the medical record of a family member, friend or public figure being treated at their practice or facility, if it’s not necessary for their job, it’s illegal. Role-based security profiles do not catch this on their own, because the employee’s role usually does permit opening that kind of record; detecting it requires reviewing EMR access audit logs for records opened by staff who have no care relationship with the patient.
- Unauthorized disclosure of PHI: The patient’s written authorization is required for any use or disclosure of PHI that is not for treatment, payment or healthcare operations and is not otherwise permitted by HIPAA’s Privacy Rule. Employees should be trained to obtain written authorization before releasing PHI whenever there is any doubt about whether the release is permitted.
- Using home computers to access patient information: Many providers use home computers or other personal devices to complete documentation, prepare for tomorrow’s caseload, and so on. This can put an organization at risk if the device is not password protected, is shared with family members or friends, or stores copies of PHI locally where the organization cannot encrypt, back up or wipe them. Where remote work is allowed, access through a managed remote session that leaves no PHI on the personal device is far easier to control than files downloaded to a home machine.
- Lack of knowledge: Again, most HIPAA violations aren’t the result of malicious intent. Many employees with access to PHI simply may not be sufficiently trained on HIPAA and on how their day-to-day work could lead them to commit a violation. One of the best things an organization can proactively do to reduce the chance of HIPAA violations is to train employees comprehensively and frequently on HIPAA compliance.
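Two of the items above, unauthorized access of patient files and the failure to terminate former employees’ access, are the kind of violation that shows up in EMR access audit logs rather than in a policy document. The following is an added example, not code from the original article or from any EMR vendor: a small Python script that replays constructed audit-log lines (a hypothetical “timestamp user= mrn= action=” format) against an equally constructed care-team roster, security-profile table and termination list, and flags every access that is outside the user’s role, outside the user’s care relationship with the patient, or made by an account that should already have been disabled. All names, record numbers and dates are invented.

```python
from datetime import date, datetime

# --- Constructed reference data (hypothetical; not from any real EMR) ---
# Who is assigned to each patient's care team, keyed by medical record number.
CARE_TEAM = {
    "MRN-1001": {"kwilliams", "ereyes", "dr.patel"},
    "MRN-1002": {"ereyes", "dr.chen"},
}
# Security profile (role) assigned to each EMR account.
ROLE_OF = {
    "kwilliams": "nurse", "ereyes": "nurse", "tlee": "nurse",
    "dr.patel": "physician", "dr.chen": "physician",
    "jsmith": "billing",
}
# Actions each profile is allowed to perform on a record.
PERMITTED = {
    "nurse": {"view", "document"},
    "physician": {"view", "document", "order"},
    "billing": {"view_billing"},
}
# Accounts whose employment ended, with the date access should have been revoked.
TERMINATED = {"tlee": date(2018, 3, 1)}

# --- Constructed audit log lines (hypothetical format, invented events) ---
AUDIT_LOG = [
    "2018-03-05T09:12:00 user=kwilliams mrn=MRN-1001 action=view",
    "2018-03-05T09:15:00 user=jsmith mrn=MRN-1001 action=view",
    "2018-03-05T10:02:00 user=kwilliams mrn=MRN-1002 action=view",
    "2018-03-06T11:00:00 user=tlee mrn=MRN-1001 action=view",
    "2018-03-06T11:30:00 user=dr.chen mrn=MRN-1002 action=order",
]


def parse_line(line):
    """Split one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def check_access(rec):
    """Return the list of policy findings for a single access record."""
    user, mrn, action = rec["user"], rec["mrn"], rec["action"]
    findings = []
    # 1. Former employee whose account was never disabled.
    ended = TERMINATED.get(user)
    if ended and rec["ts"].date() >= ended:
        findings.append("terminated-account-still-active")
    # 2. Action outside what the account's security profile allows.
    role = ROLE_OF.get(user)
    if role is None or action not in PERMITTED.get(role, set()):
        findings.append("action-not-permitted-for-role")
    # 3. Record opened by someone with no care relationship to the patient.
    if user not in CARE_TEAM.get(mrn, set()):
        findings.append("not-on-care-team")
    return findings


def audit(lines):
    """Run every audit line through the checks; return only the flagged ones."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        findings = check_access(rec)
        if findings:
            flagged.append({"user": rec["user"], "mrn": rec["mrn"],
                            "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in audit(AUDIT_LOG):
        print(hit)
```

On the sample data this flags three of the five events: the billing user viewing a clinical record, a nurse opening a chart for a patient she is not assigned to, and a terminated account that is still active. The care-team check is deliberately a review queue, not a hard block: a real EMR has legitimate emergency (“break-glass”) access, consults and float staff, so hits from that check are candidates for a privacy officer to investigate, while the terminated-account hit is an access-management failure to fix immediately.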
Does your organization have a sufficient HIPAA compliance training program? If not, make it a priority to educate your employees. Investing in education today could prevent costly mistakes down the road.
Meghan Franklin is a freelance writer who has worked extensively in healthcare, both as a writer and as a project manager.