Compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be complex due to the fact that there are multiple ways that sensitive patient information can be compromised in the course of a day. It is possible to avoid costly HIPAA compliance mistakes and prevent your organization from wasting time and resources.
In 2018, there were 1,610 total compliance violation cases investigated and only 9% were found to have no violation. For the other 91%, corrective actions, settlements with payments of fines, and other resolutions were required.
Excellent IT security strategies can help ensure that protected health information (PHI) isn’t accidentally or otherwise exposed and keep healthcare providers and associated businesses in compliance, which is why many use managed IT services for their HIPAA compliance.
HIPAA violations can come in all shapes and sizes and can be as innocent as a doctor and nurse discussing a patient’s health details in a public space in earshot of other patients. Violations can also happen due to record mishandling, like leaving a person’s test reports on a copy machine for others to see.
So far in 2019, there have been over $15 million in HIPAA fines assessed.
Violation of HIPAA rules can result in fines ranging from $100 up to $50,000 per each violation (i.e. each patient record that’s compromised), with a maximum penalty of $1.5 million per year for each violation.
HIPAA violations penalties come in four tiers, with the fourth having the highest penalties:
- Tier 1: The covered entity did not know and could not reasonably have known about a violation
- Tier 2: Although the covered entity knew or would reasonably know about the violation, they did not act with willful neglect
- Tier 3: The covered entity acted with willful neglect, but corrected the issue within 30 days
- Tier 4: The covered entity acted with willful neglect and failed to make a correction in a timely manner
How to Avoid the Most Frequent HIPAA Compliance Mistakes
The following pitfalls when it comes to HIPAA compliance are all too common, but if you and your staff are aware of them, that knowledge can help you take precautions against a HIPAA violation.
1. Accessing Patient Information on a Non-Protected Device
It’s common to work from home or on the road, which means you may be reviewing sensitive patient information on a home computer or personal mobile device. If that device doesn’t have the same security protections as your office devices, you could be risking a breach.
Likewise, if your personal device is accessible by anyone else or the screen can be seen by others as you’re reviewing protected health information, that’s a HIPAA violation.
Employing mobile device management that secures personal devices is a good safeguard when reviewing PHI away from the office. Additionally, ensure devices are secured to prevent accessed by anyone else.
2. Human Error
While in the dentist chair having a filling, a patient overhears an assistant who comes in to ask the dentist about another patient’s issue with a partial that they never took out. While they may not have realized it at the time, that’s a HIPAA violation, an avoidable HIPAA compliance mistake.
The mishandling of PHI through human error can take many forms. Most of the time it happens due to carelessness or lack of training on how to properly handle protected information. A few examples of human error include:
- Leaving files open in public areas
- Texting about protected health information to an unprotected phone
- Using unprotected communication channels to share PHI, like social media direct messages
- Discussing another patient’s details in a public space or in front of another patient
Ongoing HIPAA security training is vital to ensuring your team knows what your procedures are when it comes to protecting patient information, physically, orally, and digitally.
3. Choosing the Wrong Cloud Storage Providers
Using cloud solutions for storage of records is not in itself a HIPAA violation, however you need to ensure the cloud providers that you use have safeguards on their platforms that are HIPAA compliant and in line with HIPAA’s cloud computing guidelines.
Working with an IT provider when you choose your cloud solutions can help you avoid an expensive mistake if you subscribe to a non-compliant service.
4. Unsecured, Lost or Stolen Devices
One of the most common HIPAA compliance mistakes is accidentally leaving your laptop or mobile device behind. Laptops and mobile devices are easy to take with you wherever you go but they’re also more easily lost or stolen.
Make sure that data on these devices is encrypted and that the device has other security measures, like password protection, multi factor authentication, or the ability to remotely wipe data so you’re data is protected.
5. Not Notifying of a Breach within 60-days
Dealing with a data breach is hectic and can disrupt your entire operations while you’re trying to sort out what happened and keep it from happening again. Unfortunately, this can cause organizations to miss the 60-day requirement for breach notification.
As soon as a breach is discovered, you should put reminders in place to ensure you have time to prepare a notification to all affected parties and have it sent out within 60 days, per the HIPAA requirement.
Take the Pain Out of HIPAA Compliance
ZZ Servers offers affordable and reliable HIPAA compliance services that not only keep you protected from data breaches they also drive more efficient practice operations through smart use of technology.
If you are serious about becoming HIPAA compliant, download our FREE HIPAA checklist.