5 Common HIPAA Mistakes
June 6, 2017
Now more than ever, HIPAA compliance is a must. It’s hard to believe, but HIPAA violations can soar to over several million dollars and can even include jail time! We know HIPAA can be confusing. The devil’s in the details – there are a lot of rules to follow, which means a lot of mistakes you can make! While we can’t cover them all, this list of 5 common HIPAA mistakes and ways you can prevent them is a smart place to begin.
1. Lost or Stolen Devices
In January 2012, Pennsylvania –based CardioNet reported to HHS’ Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The outcome? A crippling 2.5 million dollar settlement.¹
Mobile devices like mobile phones and laptops or tablets are particularly vulnerable to theft and loss due to their size and – well – their ease of mobility! When covered entities and business associates don’t implement mobile device security, people’s sensitive health information is put at risk. Ignoring security can result in a serious breach, which affects each individual whose information is left unprotected.
What can you do today to safeguard your devices? Here’s what the U.S. Department of Health and Human Services recommends:
- Use a password or other user authentication
- Install and enable encryption
- Install and activate remote wiping and/or remote disabling
- Disable and do not install or use file sharing applications
- Install and enable a firewall
- Install and enable security software
- Keep your security software up to date
- Research mobile applications (apps) before downloading
- Maintain physical control
- Use adequate security to send or receive health information over public Wi-Fi networks
Getting hacked is something we all fear, and for good reason. It seems like a new hacking technique is born every day. You’ve heard of some – phishing, viruses, ransomware – and maybe not of others – Fake WAP, Waterhole attacks. Hacking can happen to anyone, any time, any place, any… Let’s just say it’s serious business.
Check out this statistic on ransomware, specifically: A recent report from a U.S. Government interagency shows that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a whopping 300% increase over the 1,000 daily ransomware attacks reported in 2015.²
What to do? Use these high-level tips as first steps:
- Conduct a full risk assessment to discover all security vulnerabilities
- Use strong passwords and two-factor authentication.
- Read our “Creating and Managing Passwords” blog article for more info
- Install all software patches promptly and ensure databases are up-to-date
- Keep anti-virus definitions updated
- Scan for viruses regularly
- Check out this article for more info on ransomware: “WannaCry Ransomware Protection with HIPAA“
3. Employee Dishonesty
In 2012, the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA Violations. She was sentenced to 12 years in prison and fined $1.3 million dollars.
Employees accessing patient information when they are not authorized is a common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for another person, unauthorized access is illegal and can cost an organization substantial amounts. Also, people that use or sell PHI for personal gain can be subject to fines and even prison time. Staff members that gossip about patients to friends or coworkers is also a HIPAA violation that can result in a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients/clients to private places, and avoid sharing any patient information with anyone else.
Take a look at these ideas for keeping staff compliant:
- Establish and enforce sanction policies
- Train and retrain staff on HIPAA
- Monitor employee compliance:
- Check work areas for obvious violations
- Listen for any discussion in the workplace that includes PHI
4. Improper Disposal
In 2009, CVS paid $2.25 million to settle a violation of throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters.
HIPAA requires that you protect the privacy of PHI in any form when disposing of information (45 CFR 164.530(c)). This not only includes tangible documents like x-ray films or patient charts, but also electronic media like old laptops or external drives.
The U.S. Department of Health and Human Services has defined these proper disposal methods:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
- Further, covered entities, business associates and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).⁴
5. Third-Party Disclosure
North Memorial Health Care of Minnesota paid a fine of $1.5 million to settle HIPAA violation charges in 2011 after a business associate was given access to ePHI before a signed copy of a HIPAA-compliant Business Associate Agreement (BAA) was obtained.⁵
Under HIPAA law, covered entities must have a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that has access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must outline the responsibilities the business associate has to ensure PHI is protected and is not disclosed to any unauthorized parties.
Remember, your business associates’ HIPAA shortcomings impact you! Period.
Be sure to:
- Establish who your Business Associates are, considering their subcontractors and your own contractors. (Read our own “Preparing Contractors for HIPAA Compliance” blog)
- Obtain a Business Associate Agreement before your BA has access to any client/ patient health data
- Ask for verification of HIPAA compliance for each and every BA, including their subcontractors
- Read some of the previous articles we’ve written about Business Associates for smart ways on working with them:
Register for your free Business Associate/Subcontractor Audit Checklist to help monitor your business associates or subcontractors.