Looking for a Business Associate Agreement? Download our FREE starter template.
Total HIPAA Logo

The Top 10 HIPAA Violations and How to Prevent Them

This is a guest post we did for our friends over at NeuMD. You can see the original article here

Wouldn’t it be great if there weren’t hackers, lost devices were always returned intact, and employees followed the rules? Unfortunately, that is not the case. Everyday we are running into a growing list of HIPAA Violations, and I thought this would be a great opportunity to talk about 10 of the most common violations. We are going to start-off with the first five; without further ado…

1. Lost or Stolen Devices
We frequently hear about stolen electronic gadgets, and while this is unfortunate, people compound the problem by not encrypting and password protecting these devices. While encryption is technically not required by HIPAA, we consider it your “Get Out of Jail Free” card. (Technically, encryption is considered addressable under HIPAA. Though, I’ve yet to see an instance where a system shouldn’t be encrypted.)

According the Federal Register:

……encryption and destruction [are] the two methods for rendering Protected Health Information unusable, unreadable, or indecipherable to unauthorized individuals—or ‘‘secured’’—and thus, exempt from the breach notification obligations.

A recent example of a stolen device is a theft from Concentra Health Services. In April of 2014, they reported to OCR an unencrypted computer had been stolen from one of their facilities. This incident resulted in an OCR audit of the company’s security policies for electronic devices. OCR found insufficient encryption throughout the company on a variety of electronic devices, and ultimately levied a $1.7 million dollar fine against Concentra Health Services.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s Deputy Director of Health Information Privacy on the Concentra Health Services Investigation. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

2. Hacking
Data from the “The Wall of Shame,” a database of breaches kept by OCR, shows that hacking makes up 23% of HIPAA breaches. It doesn’t always have to be an elaborate scheme. Hackers are often looking for the path of least resistance and can be done many ways. Some popular methods are by exploiting a user profile with a weak password, using malware, or a software exploit like the much-publicized HeartBleed bug that was discovered last year.

There are a few easy ways to make sure your systems are less vulnerable to hacking.

  • Update all passwords. Cracking weak passwords is one of the easiest ways to hack a system. Make sure you are using different passwords for all sites. This is where a password management program can come in handy. Just make sure that your master password is very difficult, and change that regularly.
  • Turn on software firewalls in your operating system, and make sure it is set to whitelist all traffic. For your company, a hardware firewall appliance is also a good way to restrict traffic on your network.
  • Install malware-scanning software. There are many great choices out there that regularly update to look for viruses, Trojan Horses and other programs that may compromise your systems.
  • Routinely update your software. You should have a regular schedule to check for updates for systems and programs. This will go a long way to patching vulnerabilities on your devices.

3. Employee Dishonesty
In the past few years we’ve seen everything from owners to volunteers stealing PHI and using it for nefarious reasons, or simply accessing it out of curiosity. Whatever the reason, accessing files that you are not allowed to see is wrong and is worthy of disciplinary action. Using or selling PHI for personal gain is illegal, and you are subject to fines and prison time.

A recent example of employee curiosity was in Nebraska 2014. It was determined in a routine audit that two employees inappropriately accessed an Ebola patient’s record. They were immediately fired for this access.

In 2012, the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA Violations. She was sentenced to 12 years in prison and fined $1.3 million dollars.

4. Improper Disposal
Did you know your photocopier could be the cause of the next HIPAA violation? Many photocopiers default to save copies on their hard drive, and if you return that copier to the leasing company without properly wiping the drive, you have a HIPAA violation on your hands. This happened to Affinity Health Plan, Inc., and they were stuck with a $1.2 million dollar fine from HHS.

Any information, whether digital or paper, needs to be shredded or destroyed so that others cannot access it. As I like to say, put a nail in it. I recommend putting a nail right through the middle of that old hard drive or thumb drive to ensure it cannot be recovered, and be sure to wipe all data from phones and mobile devices before releasing them from your business.

5. Third-Party Disclosure
Improper Disclosure of PHI to third parties finishes out part one of our Top 10 HIPAA Violations. Most businesses have Business Associates and Business Associate Subcontractors. These third party entities are responsible for protecting PHI and, with the Common Agency Provision in the HIPAA Omnibus Ruling, you are now responsible for your Business Associates’ HIPAA Compliance. Ask to see their Compliance Plans before you allow them to sign those required Business Associate Agreements. If you don’t have a Business Associate Agreement in place before you disclose information, you have a Breach on your hands.

Click here to see the next 5 in our list of the top 10 HIPAA violations!

Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)