For any company that handles electronic protected health information (ePHI), understanding HIPAA violations is paramount to keeping your reputation and data safe and secure.
HIPAA, of course, is an acronym for the Health Insurance Portability and Accountability Act of 1996. It’s a federal law that requires organizations to protect sensitive health information by not disclosing it without patients’ consent or knowledge.
Today, a HIPAA violation not only comes with a hefty price tag but can cause reputational damage if it ends up in headlines.
The first step in avoiding such threats is by first understanding what a HIPAA violation is and what those violations may look like.
Ready to learn more? We dig into the specifics of HIPAA violations (and how to avoid them) in a terrific infographic from Secureframe.com.
What Is a HIPAA Violation?
A HIPAA violation is the failure to comply with any of the provisions outlined in the HIPAA Privacy, Security, or Breach Notification Rules.
The main rules of HIPAA:
● Privacy Rule: Organizations can’t share a patient’s personal health information without their knowledge or permission.
● Security Rule: Organizations must have physical, technical, and administrative measures to protect health information.
● Breach Notification Rule: Organizations must notify affected individuals within 60 days of a data breach.
● Omnibus Rule: Individuals have greater rights over access to their protected health information.
5 HIPAA Violations to Avoid
To ensure your organization doesn’t end up in the headlines for a costly and reputation-damaging HIPAA violation, it’s helpful to understand a few of the most common violations.
We outline five common violations and offer tips for how you can avoid them yourself:
Improper disposal of PHI
HIPAA mandates that you must securely and permanently destroy PHI when it’s no longer needed. It’s important to train all staff members on the proper disposal and destruction protocols.
If sensitive information like a patient’s social security number or medical prognosis is left in a trashcan or on a computer’s recent downloads, it can get into the wrong hands.
How to avoid this: Offer extensive and regular training for all staff who handle PHI on the proper handling and disposal methods. It’s also helpful to teach your team about the consequences of improper PHI disposal so they understand what a serious issue it is.
Exceeding the 60-day deadline for breach notifications
If your organization discovers a data breach, you must notify the affected individuals in writing within 60 days. Failure to do so puts businesses at risk of financial penalties from state attorneys general and the HHS’ Office for Civil Rights.
How to avoid this: Have a detailed plan in place for how your organization will handle a data breach. It can help to appoint a HIPAA compliance team to handle all HIPAA-related trainings and to handle reporting a breach if and when it should happen.
Failure to use encryption or equivalent security to safeguard ePHI
Encryption is not mandatory under HIPAA, but if you don’t encrypt, you must protect ePHI with equivalent security measures.
How to avoid this: Encrypt your ePHI. Under the Breach Notification Rule, encrypted ePHI that is “breached” is not actually considered a breach.
This is because ePHI that is encrypted cannot be read or used without the key required to decrypt it. So you can sleep more peacefully when you know that your ePHI is properly encrypted.
Failure to enter into a HIPAA-Compliant Business Associate Agreement
Any third-party vendors with access to PHI must also observe HIPAA compliance. To do this, a business associate agreement must be created that outlines each party’s specific responsibilities when it comes to handling PHI.
How to avoid this: Ensure all your business associates and business associate subcontractors have signed business associate agreements with your organization. There are online templates you can use to build business associate agreements or you can consult with an outside compliance organization.
Denying patients access to their health records
Organizations are required to provide patients with access to their medical records upon request and without delay.
If a business is unable to provide access within 30 days of the request, the business may extend the time by no more than an additional 30 days. To extend the time, they must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date that the information will be provided.
How to avoid this: Ensure your staff understands the timeline for providing access, as well as the grounds for denial of access. For more information on these unreviewable and reviewable grounds for denial, consult the HHS.gov website.
For more information on HIPAA violations and real-life violation examples, Secureframe has created the following helpful infographic. It outlines the civil and criminal penalties and violations as well as important statistics to highlight the importance of HIPAA compliance.