As a covered entity or business associate operating in health IT, understanding Health Insurance Portability and Accountability Act (HIPAA) regulations is critical to avoid potential violations. HIPAA violations can result in significant fines, reputational damage, and legal liabilities. In this blog, we’ll discuss common HIPAA violations and provide tips on how to avoid them.
Lack of Employee Training
Healthcare employees must be trained to protect physical and electronic patient information (PHI and ePHI) and to recognize and avoid areas of noncompliance with HIPAA regulations. Some examples of the most common violations resulting from lack of training include:
- emailing ePHI to personal email accounts
- removing PHI from a healthcare facility
- leaving portable electronic devices and paperwork unattended
- releasing patient information to an unauthorized individual
- disclosures of PHI to third parties after the expiry of an authorization
- impermissible disclosures of patient health records
- providing unauthorized access to medical records.
In 2021, a Laser Center in New England informed the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) of a privacy breach affecting the protected health information of over 58,106 patients (about twice the population of Texas). An employee at the laser center had discarded empty specimen containers, which were labeled with patients’ names, dates of birth, sample collection dates, and the names of the providers who took the specimens, in an unprotected dumpster located in the parking lot. This resulted in a $300,640 penalty.
Tip: Provide training to all employees who handle ePHI, including new hires and temporary staff. An efficient way to do this is to incorporate HIPAA training into employee onboarding and ongoing professional development programs.
Failure to Issue Breach Notifications Within 60 Days
The HIPAA Breach Notification Rule mandates that a covered entity must promptly notify the relevant parties (affected individuals, the U.S. Department of Health and Human Services (HHS), and, if over 500 patient records are involved, the media) once the entity knows, or could have known by exercising reasonable diligence, that a breach has taken place; that point in time is the “date of discovery.” The notification must be made without undue delay, and no later than 60 calendar days after the date of discovery, even if the entity was uncertain at the time of discovery whether PHI had been compromised.
Between 2013 and 2016, a Chicago-area health care system agreed to pay a settlement of $475,000 to OCR for alleged HIPAA violations related to a reported data breach and a delayed notification process impacting 836 individuals and their PHI.
Tip: Develop a comprehensive Breach Response Plan so you can address a breach holistically. Establish clear lines of communication between all key personnel involved in the breach response process. Document all data breaches, including the cause, the response, and any corrective actions taken. Conduct a post-incident review and identify any areas for improvement.
Omission of Business Associate Agreements
A “business associate” refers to an individual or entity that carries out functions or services on behalf of a covered entity or provides services to them that require access to PHI, excluding those who are part of the covered entity’s workforce. The HIPAA Rules mandate that covered entities and business associates sign contracts with their business associates to guarantee the appropriate safeguarding of PHI. Although business associate agreements may be in place for all vendors, they may not meet HIPAA requirements, particularly if they have not been updated since the Omnibus Final Rule.
A specialized children’s care clinic in Illinois was fined over $30,000 in 2017 to settle potential violations of HIPAA after failing to produce a signed Business Associate Agreement with their business associate that stored records containing protected health information (PHI) on their behalf.
Tip: Ensure your business associate agreements are regularly checked for accuracy and rule changes.
Failure to Provide Patients with Access to Their PHI
Patients have the right to access their medical records and obtain copies upon request under the HIPAA Privacy Rule. This empowers patients to review their records for accuracy and share them with other entities and individuals. Refusing patients’ access to their health records, charging excessive fees for copies, or not providing records within 30 days violates HIPAA regulations.
In 2019, a care center in St. Petersburg failed to provide a mother with access to records for her unborn child in a timely manner. The center paid a penalty of $85,000 to settle the potential violation of the HIPAA right of access provision.
Tip: If you are a covered entity, you must establish a plan for reviewing and addressing access requests, and it is crucial that workforce members are educated on the appropriate legal grounds for rejecting requests.
Neglecting to Conduct Regular Risk Assessments
Performing regular risk analysis is a crucial step in recognizing and implementing protective measures that conform to the standards and requirements of the Security Rule. If analyses aren’t performed regularly, organizations cannot determine whether any threats to the confidentiality, integrity, and availability of PHI exist. Consequently, the risks are likely to persist unaddressed, making it easier for violations to happen.
After a care center specializing in cancer care improperly disclosed ePHI of ~55,000 individuals, they received a penalty of $750,000. The penalty was levied to resolve the allegations of failure to conduct a comprehensive and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Tip: HIPAA Gap Assessments and Penetration Tests are effective measures to analyze risk.
Drummond’s HIPAA Gap Assessment helps you assess your current security control implementations against the HIPAA Security Rule to identify potential gaps in compliance with respect to the confidentiality, integrity, and availability of protected health information (PHI).
Ready to learn how Drummond can help you achieve HIPAA compliance?