HIPAA VIOLATIONS | May 9
The 5 Most Common HIPAA Violations Healthcare Organizations are Guilty Of
Violations of HIPAA protocol are all too common in the healthcare industry. Here are a list of the five violations most cited by the OCR.
As the owner or manager of a healthcare organization, one of your top priorities is staying in the good graces of the Office for Civil Rights (OCR) by maintaining compliance with HIPAA rules and regulations.
To ensure your organization remains under HIPAA compliance, it’s essential that you know which violations are most likely to occur, as well as how they occur in the first place.
Before we dive into the potential circumstances that could lead to these common HIPAA violations (and how to prevent them from occurring), let’s take a look at the negative effects such violations can have on your patients and your organization.
Risks Associated with HIPAA Violations
The implications of violating HIPAA are far-reaching, no matter how minor the violation may at first seem.
As you may or may not know, the reason HIPAA laws exist in the first place is to “ensure the security and confidentiality of patient information (and) data.” Simply put: your patients have a right to privacy when it comes to their health and other personal records. And they also have a right to feel comfortable providing you with this sensitive information, and be confident that your organization will keep their info safe and secure.
Exposure of a patient’s protected health information (PHI) to the wrong party - be it a family member, colleague, employer, or stranger - could potentially result in adverse effects on the patient’s personal or professional life. Because of this, it’s of the utmost importance that your healthcare organization ensure HIPAA protocol is followed at all times.
In the following section, we’ll discuss the details surrounding the most commonly-occurring HIPAA violations, and provide suggestions as to how your organization can prevent them from happening under your watch.
The 5 Most Common Types of HIPAA Violation (and How to Prevent Them)
Though the details of each violation are unique to that specific circumstance, the most common violations fell within the same five categories:
- Impermissible use and disclosure
- The Minimum Necessary Rule
- Notice of Privacy
Let’s take a look at each of these potential pitfalls in more detail.
Impermissible Use and Disclosure
Impermissible use and disclosure falls under the HIPAA Privacy Rule, and essentially refers to instances in which a healthcare-related organization either uses a patient’s PHI reasons outside of the scope of its duties or releases said information to a third party without the patient’s consent.
Though avoiding a violation in this regard might sound pretty straightforward, doing so requires due diligence and awareness at all times. Even the slightest bit of carelessness can lead to major consequences, both for your patient and for your organization.
For example, talking with a patient about their diagnosis or treatment options within earshot of other patients is a direct violation of the HIPAA Privacy Rule - even if nothing comes of you doing so.
Other examples of impermissible use and disclosure are:
- Disclosing PHI to a family member who the patient has not specified to be privy to such information
- Disclosing PHI to a patient employer without patient authorization
- Providing batches of PHI and identifying information to a research organization without authorization from each patient on the list
To prevent such violations from occurring within your organization, you might choose to do any (or all) of the following:
- Hire an individual to monitor internal and external handling of PHI
- Train staff on proper usage and disclosure of PHI
- Create protocol for ensuring patients provide authorization before their PHI is released for research or other third-party uses
Disclosure of PHI to those who should not have access to it is perhaps the most obvious example of a HIPAA violation. However, although this type of violation is relatively common, that doesn’t make them any less damaging to affected patients - and it doesn’t make it excusable, either. In fact, because they’re so common, you should focus even more effort on avoiding these violations at all times.
As the heading implies, safeguard violations fall under HIPAA’s Security Rule.
Under the Security Rule, there are three branches of safeguards your organization needs to comply with:
- Administrative safeguards, such as security management processes, information access management, and workplace training
- Physical safeguards, such as facility access and control and workstation/device security
- Technical safeguards, such as access control, audit control, and transmission security
Administrative safeguards focus on an organization’s policies and procedures regarding how it ensures the security of patients’ PHI. For example, it’s not enough to simply keep PHI secured; organizations must have an established protocol for how their employees gain access to it, as well.
Physical safeguards refer to the actual manner in which PHI is stored, both in physical and electronic form. A simple example: PHI must always be kept in a locked room that is completely inaccessible to the general public.
Technical safeguards mandate who is able to access an organization’s PHI, as well as how PHI is handled when being transferred (again, both physically and electronically). When transmitting or transferring PHI to a different location, the Security Rule dictates that a chain of custody be recorded to ensure proper handling at all times until the data has reached its intended destination.
Some of the most common HIPAA violations relating to safeguards include:
- Flaws in a computer program resulting in a lack of security
- Accidental transmission of electronic PHI to an incorrect email address
- Computer screens being placed in a way that makes information visible to the public
Safeguard breaches can be prevented (or, at the very least, minimized) by:
- Retrofitting old software with upgraded security measures (and keeping security software up to date)
- Ensuring chain of custody is recorded when transferring or disposing of PHI or devices which hold PHI
- Maintaining physical locks on doors, and setting a schedule for routine maintenance
- Ensuring physical data is kept hidden from public view
A lapse in security could result in impermissible use or disclosure - but even if it doesn’t, the security lapse is in itself a violation. To minimize the chances of your organization committing multiple, simultaneous violations, you need to ensure you have proper safeguards in place whenever PHI is involved.
Under the Privacy Rule, healthcare organizations are required to provide patients with any and all of their PHI upon request. The Privacy Rule also mandates that organizations provide numerous possible ways for patients to access their PHI, as well.
The OCR has cited numerous occasions in which an organization has withheld PHI from a patient for various reasons. Whether such withholding is due to negligence (such as a receptionist not providing a legal guardian information regarding their child) or is intentional (such as a manager withholding information until a patient pays his bill), it is a violation nonetheless.
Organizations also need to be able to provide PHI through multiple means, as well. For example, it’s unacceptable for an organization to deny a patient’s request for a physical copy of their PHI - even if the organization has previously provided such in electronic form.
To ensure compliance with HIPAA rules regarding patient access to information, an organization should:
- Provide as many options as possible for patients to access their PHI
- Implement proper protocol to determine who is and is not eligible to access an individual’s PHI
- Never allow outside factors - such as a lapse in payment or denial of services - dictate whether or not it will provide patient access to PHI
A patient’s PHI is their information; they’re simply entrusting you with it. If they request to view it, in part or in whole, you’re bound by HIPAA to provide it for them. If confusion arises as to who else is privy to a patient’s PHI (in the case of a minor or a disabled individual), protocol must be in place to ensure the right person is receiving the information.
Minimum Necessary Rule
Again falling under the Privacy Rule, the Minimum Necessary Rule dictates exactly which pieces of information should be disclosed in a given circumstance.
The rule states that PHI “should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.” In other words, if an individual requires a portion of a patient’s records to complete a specific task, only that portion should be released to the individual.
For example, the billing department of a healthcare organization might need to know the type of appointment a patient was scheduled for, but would not need to know what the patient’s diagnosis was. Though this extra information is likely of no concern to the billing department, it should not be included in the patient’s billing file.
The Minimum Necessary Rule also protects patients when filing claims through their job’s insurance program. Though employers will be privy to information regarding compensation, they are not allowed to access (or be given access to) information regarding the patient’s treatment or progress.
The best ways for an organization to prevent violating the Minimum Necessary Rule are to:
- Train staff members to include only pertinent information in voice messages, emails, and other forms of communication
- Create segmented profiles or accounts for patients in different departments, or restrict personnel access to PHI to an as-needed basis
- Define what information is to be shared with specific departments within the organization and third-party organizations (such as business associates)
When it comes to sharing PHI, the less you share, the better. If the organization you’re sharing information with needs more from you to complete a specific task, let them come to you first. But if you accidentally provide more than they need - even if nothing bad comes of it - you’ll still be held liable for doing so.
Under the Omnibus Rule, all healthcare organizations are required to notify their patients of various policies and procedures pertaining to PHI. Organizations must also offer supplemental information and explanations as necessary upon request. Furthermore, organizations are required to provide multiple options for patients to access this information as best as possible.
The most common ways in which the Notice rule is violated are by organizations:
- Not providing individual notice of privacy practices to patients and guardians upon initiation of services
- Not having policies posted within patient view within the organization’s physical location
- Not explaining policies diligently and satisfactorily upon request
Besides posting privacy notices prominently throughout an organization and within intake documentation, organizations can also:
- Provide privacy notices in electronic form upon request
- Present notices in multiple languages
- Post notices on the organization’s website and/or mobile app
Though your patients likely assume your organization handles their PHI safely and securely, HIPAA law requires you inform them of such in as many ways as will be effective. It’s best to err on the side of caution, and provide as much information as you possibly can - even before your patients ask for it.
Even though the HIPAA violations mentioned above are fairly common throughout the healthcare industry, that doesn’t mean the OCR expects or accepts them if discovered.
As the owner or manager of a healthcare organization, it’s your duty to proactively implement policies and procedures to minimize the chances of such violations occurring. The more diligent you are about adhering to HIPAA laws and mandates, the more efficiently your organization will run.
Accountable can help you stay HIPAA compliant in all areas of operation. Check out our free demo, and contact us for more information.