When it comes to HIPAA violation fines, the penalty can range from $50,000 to as high as a few million dollars.
Recently some healthcare entities were forced to pay $5.5 million for violations.
In other words, not being HIPAA compliant can be detrimental to your organization.
There are many different ways one can violate HIPAA, and today we're going to talk about five of the most common. In addition, we'll provide solutions on how to avoid them in your medical practice.
According to HIPAA Journal, here are the five most common HIPAA violations:
Employees Snooping on Healthcare Records
There are situations in which you would expect your nurses, doctors, and hospital or clinic staff to look at patient records. For example, treatment solutions, payment information, and day-to-day healthcare operations.
However, there are times when hospital staff should not be looking at healthcare records — particularly when they do not have the proper authority to view them.
The most popular case involving this type of violation involves the University of California Los Angeles Health System, where a doctor accessed the records of patients without authorization over 300 times. This violation resulted in fines of nearly $1 million and prison time for the doctor.
The Solution: While you should trust every employee working at your healthcare practice, you still need to implement the proper precautionary measures to ensure this doesn't happen at your practice.
First, you need to make sure that patient information is only available for those who need it and have the authority to access the medical records.
Second, it's essential to teach your employees not to try and look at patient data that they don't have the authority to do so. Specifically, make sure to address the ethics behind this and how it is wrong to do so — as well as the penalties that come with it, including prison time.
Failure to Perform an Organization-Wide Risk Analysis
Medical practices must also regularly check for vulnerabilities and inefficiencies in their security. This means conducting a risk analysis, which is essential for ensuring that your HIPAA security is up-to-date.
Failure to perform an analysis means that you won't be able to catch any vulnerabilities that may be present in your current operations.
Plenty of healthcare practices have been found guilty of this violation, including the Oregon Health and Science University and Cardionet, who were each fined well over $2 million for their failure to conduct an enterprise-wide risk analysis.
The Solution: For this violation, the solution is pretty simple — make sure you're regularly performing a risk analysis or assessment.
If you're looking for assistance with your risk analysis, contact Medicus IT today. We offer risk assessments, which are required under the security rule implemented by the Department of Health and Human Services.
Our risk assessments will help you remain confident that your organization is HIPAA compliant across the board — including your administrative, physical, and technical safeguards.
Contact us today to get started!
Failure to Manage Security Risks
Identifying the risks and gaps in your security is one thing, but actually solving those issues is another.
Many organizations are too slow when it comes to solving these problems, and as a result, they are fined heavily. In fact, the University of Massachusetts Amherst was once fined $650,000 for risk management failures.
The Solution: Not all security risks can be resolved in a single day. But, you do need to prioritize the risks and address them in a reasonable time frame.
So, when you do find issues, do not put off remedying the situation. Instead, make it your goal to solve the problem as soon as you and your team can.
Failure to Enter into a HIPAA Compliant Business Associate Agreement
When working with vendors outside of your organization that is provided with access to protected health information (PHI), you need to enter a HIPAA-compliant business associate agreement.
The Solution: To avoid issues with this violation, make sure you have the proper systems in place to ensure that if anyone in your organization wants to work with an outside vendor or contractor, that they first create a through HIPAA compliant business associate agreement first.
Insufficient ePHI Access Control
This one ties back to the first violation of employees looking at information they shouldn't. When it comes to making sure your electronic protected health information is safe from prying eyes, you need to put in place security systems so that only those with authorization can access the information.
The Solution: To ensure that your ePHI is secure, put in place systems that allow access only to those who should have access.