HIPAA Violations

HIPAA, or the Health Insurance Portability and Accountability Act, was enacted in 1996 to ensure that patients’ medical records remain private and accessible only to the patient and the required healthcare professionals. Failure to comply with HIPAA can result in steep fines and even criminal penalties. The minimum penalty for non-compliance due to willful neglect, if it is corrected, is $10,000 for each violation and up to $250,000 per year. However, the maximum penalty is $50,000 for each violation, and up to $1.5 million in a year. Even if HIPAA regulations are violated out of ignorance, the maximum fines can reach $1.5 million. And what counts as non-compliance? The list of top HIPAA violations includes lost and stolen devices, hacking, lack of training, third party disclosure, and employee dishonesty.

Lost and Stolen Devices

According to the Texas Medical Association, mobile devices such as laptops, tablets, thumb drives, and smartphones are more likely to be lost or stolen than other pieces of equipment, and so are a frequent cause of HIPAA non-compliance. Even if employees do as little as check their work email on their smartphones, if the email contained any personal health information (PHI) it can count as a serious breach of HIPAA compliance.

Theft, unfortunately, happens all too often, and a single laptop theft can result in huge fines if the device is not sufficiently encrypted to prevent access to PHI. While encryption is not mandated by HIPAA, encrypting sensitive data can prevent a breach of compliance should a device become lost or stolen.

Hacking

Making up 23 percent of HIPAA violations, hacking is the second most common cause of HIPAA non-compliance. Weak passwords, unintentionally downloaded malware, internet worms, phishing, and lack of sufficient firewall protection offer hackers a way into systems and thus a way of obtaining PHI. Hackers can be deterred by the use of strong passwords, frequent updates, and firewalls. All software should be kept up to date to avoid possible security breaches. Having good anti-malware and antivirus software running frequent scans will also help prevent possible security breaches.

Lack of Training

Lack of HIPAA compliance training is also a crucial reason why HIPAA violations occur. It is not enough for only an owner or the upper management team to receive HIPAA compliance training. HIPAA violations frequently occur at a lower employee level, where office staff, contractors, volunteers, and others who have access to PHI may unknowingly violate HIPAA rules.

Third Party Disclosure

It isn’t sufficient for a company or clinic simply to maintain its own HIPAA compliance. Under the HIPAA Omnibus Rule, companies are also responsible for their business associates and even for their business associates’ subcontractors. So, if a business associate or one of its subcontractors violates HIPAA by putting the company or clinic’s PHI at risk, the company can be held liable. For this reason, it is crucial that a company’s owner or manager scrutinize the compliance plans of business associates before partnering or entering into a contractual agreement with them.

Employee Dishonesty

Whether they are accessing PHI with malicious intent or out of simple curiosity, if an employee does not have the right to access certain patient records, they can cause the company to be in breach of HIPAA compliance. Global Learning Systems can provide employees with HIPAA compliance training so that they fully understand the dangers and risks of accessing sensitive patient records without authorization. With our training, employees will learn that illegally accessing, not to mention stealing, personal health information can and will result in termination, strict fines, and even jail time.

HIPAA violations can occur at any time, which is why it is so crucial that companies and clinics be on guard when it comes to their patients’ sensitive information. In particular, they should guard against:

  • Lost and stolen devices, by encrypting the data stored on them.
  • Hacking, by insisting on strong passwords, up-to-date software, firewalls, and anti-malware and antivirus software.
  • Lack of training, by having all employees, contractors, and volunteers participate in HIPAA compliance training.
  • Third party disclosure, by ensuring all third parties and their contractors have proper HIPAA compliance plans.
  • Employee dishonesty, by properly training employees in HIPAA compliance to deter violations.