HIPAA violations are a costly reality in the workplace. The entire organization—employees and employers alike—can receive heavy penalties for HIPAA violations. Careful attention by internal staff and management is needed to avoid any violations of the Health Insurance Portability and Accountability Act. A misstep in a medical office can lead to some devastating results. As a health care provider, understanding HIPAA violations should therefore be a priority.
This article will try to explain what a HIPAA violation is and explore some of the most common violations.
What is a HIPAA Violation in the Workplace?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. In essence, it’s a set of regulations put in place to minimize cases of health care fraud. It aims to prevent workers from disclosing protected health information (PHI) to other people who don’t need to access that information.
A HIPAA violation in the workplace refers to a situation where an employee’s health information has fallen into the wrong hands, whether willfully or inadvertently, without their consent.
Basically, for you to stay free of workplace HIPAA violations, you need to guard PHI properly. PHI refers to a patient’s personal data. Think of the health-related treatments they’re receiving, current health plans, or health insurance coverage. Such information leaking can lead to severe consequences for a covered entity, as we’ll see later. Covered entities can include health care providers such as doctors, nurses, and pharmacists. Organizations like law firms, medical insurers, and clearinghouses are also legally required to comply with HIPAA rules.
What is the Cost of HIPAA Violations in the Workplace?
A HIPAA breach in your company can attract a hefty fine, costing you thousands of dollars and possible jail time. How much you pay in fines generally depends on the number of people affected by your violation and the type of crime committed. Other factors that the Office for Civil Rights (OCR) -- the organization that enforces HIPAA guidelines -- takes into account include:
- Were you aware that your company committed a violation?
- Did you do anything to correct the HIPAA breach?
- In what manner was the HIPAA violation carried out?
- Did you cause any harm?
- Was your breach accidental, or did you have some malicious intent?
The Office for Civil Rights imposes fines that range from $100 to $50,000 for every violation by covered entities. The penalty amounts skyrocket if your actions were intentional. You risk attracting a fine of up to $250,000 and a ten-year jail sentence if you leaked PHI with intent to sell or for personal gain.
Intentional or not, HIPAA non-compliance can drain your organization’s finances and even lead to closure for small medical companies. Keep in mind that these penalty amounts also include expenses for hiring investigative IT professionals, offering credit monitoring help to patients, and restoring the public’s trust in the practice. What’s worse is that some insurers don’t provide coverage for HIPAA violations to covered entities. Other insurance providers reduce coverage depending on the weight of your breach.
That said, there’s more to HIPAA penalties than just money-draining fines; a tarnished reputation is something you should be wary of. For fines exceeding $100, you are required to inform the local news publications of your HIPAA violation. Regardless of how you handle your breach, you can’t control how the public reacts to your incident.
How to Report HIPAA Violations in the Workplace
Employees who suspect a HIPAA violation has occurred should report the incident to either the workplace’s supervisor, the Privacy Officer, or any person tasked with ensuring the company is HIPAA compliant. The supervisor should then investigate the violation.
This investigation helps the supervisor determine whether the HIPAA violation is worth reporting. Note that not all breaches are reportable. Some minor incidents may not directly cause any harm.
Consider a case, for instance, where an employee accidentally discloses protected health information to another authorized employee in a covered entity. In this scenario, the HIPAA Privacy Rule is hardly breached, so you don’t have to report the incident.
Another case would be the sharing of protected health information with a person who can’t retain the information. If the investigating supervisor truly believes that the person can’t recall anything, then they may not forward the case to the Office for Civil Rights (OCR).
Once the investigations are complete, your business should take steps to prevent employees from breaking HIPAA rules. Identify the cause of the HIPAA Privacy Rule breach, and ensure the problem never arises again. For instance, you can undertake employee HIPAA compliance training or implement strict policies.
HIPAA Workplace Risk Assessment
HIPAA breaches can go unnoticed for years. The problem is that the longer you go without dealing with your breach, the more your penalty steepens. When your violation finally comes to light, you’ll end up shelling out thousands of dollars in fines.
To prevent such an unfortunate incident, your organization should carry out regular HIPAA workplace risk assessments. Conducting these assessments helps you correct your company’s breaches before regulators uncover them, ensuring you’re free from hefty punishments. Your organization will also remain in the good books of the Department of Health and Human Services (HHS), given that conducting risk assessments is a HIPAA compliance requirement, introduced in 2003 as part of the Privacy Rule.
Note that the requirement doesn’t apply to medical centers only. Anyone who has access to PHI -- from a vendor, business associate, to an insurance consultant -- should employ risk assessments in their breach-prevention strategy.
How to Conduct a HIPAA Risk Assessment
Although the HHS doesn’t specifically require organizations to carry out assessments at specific intervals, you should organize them regularly, preferably every year. An assessment shouldn’t be a one-time thing; conduct one when you implement new workplace policies or when you introduce new cybersecurity devices.
According to the HHS, for an assessment to be effective, it needs to:
- Discover potential threats and document them
- Determine how the organization stores and transmits health information
- Analyze the measures taken to prevent crucial personal data from leaking
- Determine whether the company implements its security policies properly
- Find out the potential consequences of a HIPAA Privacy Rule violation
- Document all assessment steps, and provide compliance suggestions
Common Health and Insurance Portability and Accountability Violations
HIPAA violations can occur in so many ways. There are, however, three common workplace violations that often happen in most organizations. They include:
In most industries, losing a work phone may not be a big deal. But for healthcare facilities -- where critical health information is stored -- a lost mobile device can translate to huge losses.
In fact, breaches due to stolen phones are more common than you may think. Healthcare facilities are increasingly using mobile phones to communicate information about patients -- a major reason why losing phones is the leading cause of HIPAA violations.
According to a recent Bitglass survey:
- 68% of information breaches in healthcare organizations occurred due to theft and loss of mobile phones.
- Laptops, desktops, and mobile devices stored almost 48% of the data lost.
- Hacking accounted for only 23% of the information leaks, as opposed to theft or loss of devices.
Unsecured Patient Information
Failing to securely safeguard crucial healthcare information, either physically or digitally, is among the leading causes of HIPAA violations. Healthcare employees need to know where the records are stored at all times.
A simple mistake can cause damaging data leaks. For instance, if your employee leaves the medical records of several patients unattended anywhere in the health care facility, third parties can easily get access to them, and that’s enough to break HIPAA rules. Also, if the employee doesn’t protect the medical records with a strong password on their devices, a simple breach can happen whenever someone gets access to their device.
Failing to train employees
There are several ways employees can unknowingly leak PHI. Consider these scenarios where your employee:
- Discusses a patient’s information with another employee in a public space such as the reception, lobby, or elevator
- Sends a patient’s bill to a wrong mailing address
- Talks about crucial health information on social media
It’s for these reasons that your employees need comprehensive training on HIPAA rules. Their incompetence may not only cost them their employment but may also cost the organization truckloads of dollars in the form of HIPAA fines.
Surprisingly, many healthcare workplaces don’t offer HIPAA compliance training, despite the possible severe punishment. A recent Kaspersky Lab survey -- that featured over 1700 healthcare providers in the US and Canada -- uncovered the following findings:
- 32% of healthcare employees have never received cybersecurity training
- 18% of US healthcare workers aren’t aware of the HIPAA security rule and don’t know what it means
- 40% of employees have no idea of the compliance measures put in place to prevent data leaks through IT devices in their workplaces
Comply with HIPAA law by offering comprehensive training to your workers (try our compliance training company to avoid any hefty fines!). Besides training your employees after hiring them, you can also train them whenever you change policies or offer refreshers to ensure they always remain updated.
HIPAA violations are serious business for a healthcare provider. What may start out as a simple oversight can, in fact, lead to a tarnished reputation and devastating losses. Hopefully, this blog post will help you steer clear of the violations.