Data breaches and HIPAA violations are now more predominant than ever. Even with the most potent cybersecurity barricades protecting your patient information and accounts, hacks and data breaches are still something to be concerned about. In online fraud and data breaches, the most common HIPAA violations may be the most disquieting.
The HIPAA Privacy Rule requires that you put in place the proper safeguards to protect your patients’ Protected Health Information (PHI), such as their medical records or anything else that could individually identify them. This means technical, physical, and administrative safeguards need to be in place to be HIPAA compliant.
One of the most common reasons a business or healthcare organization is assessed a HIPAA violation is that a data breach or hack occurred. Hackers seek PHI with malicious intent because they can sell this information or potentially hold your business hostage.
A few examples of HIPAA violations that result from data breaches include stolen or lost tablets or phones, malware delivered by email, improper storage of unsecured patient records, lack of employee training, improper sharing or disclosure of PHI, improper disposal of PHI records, unauthorized access to or release of information, and the sending of unencrypted sensitive data.
The Blue Cross Blue Shield of Tennessee HIPAA Breach
The first example of a HIPAA violation that resulted in penalty enforcement from a breach report filed under the HITECH Act Breach Notification Rule stemmed from an incident involving Blue Cross/Blue Shield of Tennessee, which agreed to a $1.5 million fine. This was a direct result of an investigation that confirmed the theft of 57 unsecured computer hard drives, which contained over 1 million individuals’ private health information.
The statement regarding this HIPAA violation was given by HHS Office for Civil Rights (OCR) Director Leon Rodriguez.
Rodriguez explained, “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH Breach Notification Rule is an important enforcement tool, and OCR will continue to vigorously protect patients’ rights to private and secure health information.”
To read the entire press release from the HHS, visit the following link: HHS settles HIPAA case with BCBST.
Criminal Conviction for a Respiratory Therapist
This HIPAA example shows why it’s critical to make sure HIPAA compliance is ingrained in your healthcare operations and that all healthcare workers are trained in HIPAA compliance.
Jamie Knapp, a respiratory therapist at ProMedica Bay Park Hospital in Ohio, was required to review her patients’ medical information. However, when accessing this data, she didn’t stop there. Knapp accessed nearly 600 medical records over 10 months before being fired and convicted of a criminal HIPAA violation in court.
ProMedica Bay Park Hospital could have prevented this by limiting each employee’s access to the records of only those patients whose health information they were authorized to view, and by reviewing access logs for staff who open records well outside that scope.
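The two controls the paragraph above implies, a deny-by-default check that ties record access to an active treatment relationship, and a review of the access audit trail that flags users who opened records outside that relationship, as an added example written for this page. It is not code from the original article or from any hospital system; every staff name, patient identifier, audit line, the pipe-delimited log format and the alert threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (assumption): which staff member currently has a
# treatment relationship with which patients. Not real people or records.
TREATMENT_ASSIGNMENTS = {
    "therapist_a": {"P-1001", "P-1002"},
    "nurse_b": {"P-2001"},
}


class AccessDenied(Exception):
    """Raised when a user requests a record outside their treatment relationships."""


def is_authorized(user, patient_id, assignments=None):
    """Deny-by-default: True only when an active treatment relationship is on file."""
    if assignments is None:
        assignments = TREATMENT_ASSIGNMENTS
    return patient_id in assignments.get(user, set())


def open_record(user, patient_id, assignments=None):
    """Gate every record read through the minimum-necessary check above."""
    if not is_authorized(user, patient_id, assignments):
        raise AccessDenied(f"{user} has no treatment relationship with {patient_id}")
    return f"record {patient_id} (contents omitted)"  # stand-in for the real fetch


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    patient_id: str
    action: str


def parse_audit_line(line):
    """Parse one constructed audit line of the form timestamp|user|patient_id|action."""
    fields = line.strip().split("|")
    if len(fields) != 4:
        raise ValueError(f"malformed audit line: {line!r}")
    return AuditEvent(*fields)


# Constructed audit trail (assumption). therapist_a opens several records far
# outside its assignment, the pattern the article describes.
SAMPLE_AUDIT_LOG = [
    "2024-03-01T08:02:11|therapist_a|P-1001|view",
    "2024-03-01T08:05:40|therapist_a|P-1002|view",
    "2024-03-01T08:09:03|therapist_a|P-3100|view",
    "2024-03-01T08:09:51|therapist_a|P-3101|view",
    "2024-03-01T08:10:22|therapist_a|P-3102|view",
    "2024-03-01T08:11:07|therapist_a|P-3102|view",
    "2024-03-01T09:15:00|nurse_b|P-2001|view",
    "2024-03-01T09:16:30|nurse_b|P-2002|view",
]


def find_excess_access(lines, assignments=None, threshold=2):
    """Return {user: sorted distinct patient ids viewed without a treatment
    relationship} for each user whose count of such patients exceeds threshold.
    Counting distinct patients, not raw events, keeps repeated views of one
    chart from inflating the score."""
    if assignments is None:
        assignments = TREATMENT_ASSIGNMENTS
    outside = defaultdict(set)
    for line in lines:
        ev = parse_audit_line(line)
        if not is_authorized(ev.user, ev.patient_id, assignments):
            outside[ev.user].add(ev.patient_id)
    return {u: sorted(p) for u, p in outside.items() if len(p) > threshold}


if __name__ == "__main__":
    print(open_record("nurse_b", "P-2001"))
    try:
        open_record("nurse_b", "P-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print("excess access:", find_excess_access(SAMPLE_AUDIT_LOG))
```

The preventive check alone does not stop a clinician who legitimately has broad access from browsing, so the audit-log review is the second half: in a real deployment the threshold would be tuned per role, and a single unauthorized read (nurse_b above) is worth logging even when it falls below the alerting threshold.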
6 Steps on How to Avoid HIPAA Violation Fines
1. Start by familiarizing yourself with HIPAA requirements and HIPAA regulations.
2. Review your organization’s policies and procedures related to electronic Protected Health Information (ePHI). You can also hire a qualified HIPAA/HITECH consultant to monitor HIPAA violations; we highly recommend hipaasolutions.org. These consultants specialize in identifying potential violations and coming up with a plan to take corrective action and prevent them from happening in the future.
3. Annual HIPAA Training: Train your healthcare employees annually on their responsibilities related to HIPAA Security Rule and patient privacy laws; make sure policies and procedures are accessible for employees to review. Staff members must know that there are criminal penalties associated with these violations.
4. Make sure all partners and vendors that deal with ePHI sign a business associate agreement stating that they will abide by HIPAA regulations. This agreement should be signed by any individual that handles ePHI.
5. Be aware of all State and Federal HIPAA laws; a good practice is to research changes to HIPAA/HITECH regulations quarterly. If you do not have the staff to do this research, hire a HIPAA/HITECH consultant.
6. No single policy, procedure, or product can ensure HIPAA/HITECH compliance. So, make sure that everyone in your organization understands the laws regarding HIPAA and ePHI. Consider having a third-party risk analysis and risk assessment professional review your organization. They will be able to help you implement security practices like shredding old documents that contain sensitive information (like social security numbers and patients’ names) before discarding them.
When sending sensitive information by email, use a Secure Email Encryption product, such as NeoCertified. For a consultation about different secure email products, call us at (877) 613-5036 or send an email to firstname.lastname@example.org.