Common HIPAA Pitfalls

Spilman Thomas & Battle, PLLC

All readers of The Health Record understand the importance of complying with HIPAA’s Privacy, Security and Breach notification rules. But where do violations most often occur?

1. Forgetting the obligation to perform an organization-wide risk analysis. HIPAA rules require covered entities to regularly perform an organization-wide risk analysis, and the Office of Civil Rights will issue financial penalties, often in seven figures, for the failure to do so. Do not skip this critical analysis; it is how you learn where your systems and processes are potentially vulnerable to leaks of protected health information (PHI). If you have not done one recently, schedule it now.

2. Not following up on identified security risks. Even if you check the box and perform the risk analysis, it does you no good if you do not address the risks it identified and make efforts to fix them. Knowing about risks and failing to act on them has resulted in substantial six- and seven-figure penalties for health systems. Remember, the analysis is just the first step.

3. Denying patient access to health records. HIPAA gives patients the right to access their medical records and obtain copies of those records. Denying or delaying that access, or overcharging for copies, is a violation of HIPAA that can result in a substantial penalty from the Office of Civil Rights. Make sure patient requests are treated as a priority, and ensure that the fees charged are either the actual allowable costs of fulfilling each request or a schedule of fees derived from the average allowable labor cost of fulfilling standard requests. For electronic requests, you may charge a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage).

4. Not having a HIPAA-compliant business associate agreement. All vendors that are provided with, or given access to, PHI must enter into a HIPAA-compliant business associate agreement. If your standard business associate agreement has been used for a lengthy period of time, now is an ideal time to make sure it complies with the latest omnibus final rule.

5. Failing to have proper electronic PHI access controls. The HIPAA security rule states that access to electronic PHI (ePHI) must be limited to authorized individuals. The failure to implement appropriate ePHI access controls is a common violation that has resulted in financial penalties ranging into the millions of dollars.

6. Failing to encrypt PHI. A vital part of preventing data breaches is to encrypt PHI. While encryption is not yet mandatory under the HIPAA rules, encrypting PHI can prevent a loss or theft from becoming a reportable breach. The failure to do so has resulted in six- and seven-figure civil money penalties from the Office of Civil Rights.

7. Untimely breach notifications. The HIPAA Breach Notification Rule requires notice of a breach without unnecessary delay and sets a 60-day limit following the discovery of a data breach. Exceeding that timeframe is a common HIPAA violation that has resulted in significant financial penalties. Make sure you have a protocol in place for the inevitable data breach.

8. Improper disposal of PHI. HIPAA rules require that PHI be securely and permanently destroyed. For paper records, this involves shredding and/or pulping; for ePHI, it involves degaussing, securely wiping or physically destroying the electronic devices on which the information is stored. Routinely confirm that these requirements are in place and being followed.

9. Impermissible disclosures of PHI. While this rule is obvious, there are a number of ways entities can run afoul of it, often inadvertently:

  • Disclosures following the theft or loss of unencrypted computers or portable devices, or careless handling of PHI.
  • Emailing ePHI to personal email accounts, regardless of the intention (such as to get help with a spreadsheet or to work from home).
  • Removing PHI from a healthcare facility to work on a project at home.
  • Leaving portable electronic devices and paperwork unattended.
  • Releasing patient information to an unauthorized individual, including where the authorization has expired.
  • Accidental disclosures, such as inadvertently discussing patient information in public areas.
  • Sending an email containing PHI to an incorrect address because of an auto-complete mistake or selecting the wrong recipient.
  • Faxing PHI to a wrong fax number by mistake, or to a machine where it can be viewed by unauthorized individuals.

10. Prying eyes on healthcare records. There is a temptation to review and access the health records of patients for reasons not permitted under HIPAA. It is one of the most common HIPAA violations and frequently results in termination of employment. But there is also the specter of penalties, as the University of California Los Angeles Health System learned when a physician accessed patient records without authorization more than 300 times after learning that he would soon be terminated. The doctor was later sentenced to four months in federal prison, and the health system was fined nearly $1 million. The lesson: be very careful to restrict record access for employees whose need to know the information has diminished, such as those who are about to leave.

These common HIPAA violations may continue for many months or even years before they are discovered, which increases the risk of a more significant penalty when they eventually come to light. Accordingly, healthcare institutions must conduct regular HIPAA compliance reviews in order to discover violations and risks so they can be corrected before regulators identify them.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Spilman Thomas & Battle, PLLC
