Anybody who has worked in the medical field has encountered tricky situations when complying with the Health Insurance Portability and Accountability Act guidelines. HIPAA policies are vast in complexity, and they keep changing thanks to the updated Omnibus Rule, which was issued in 2013. The maximum HIPAA fines have also increased to $50,000 per violation, capping at $1.5 million. This means abiding by the updated policies is more crucial than ever. To protect patients and hospitals alike, nurses, doctors and other medical staff need to ensure that security measures and employees are up-to-date on HIPAA’s changes. And one way to do that is by being aware of the most common HIPAA violations.
Common HIPAA Violations
It’s natural for us to innately trust our coworkers; after all, fellow nurses and doctors want what’s best for patients too, right? Sadly that isn’t always the case. Medicare fraud is an often-cited violation of HIPAA policy, such as in 2012 when the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA violations, which netted her 12 years in prison and a $1.3 million fine. But less obvious—and much less nefarious—cases of employee dishonesty can also violate HIPAA policy, such as accessing a patient’s file when you’re not involved in the treatment process.
The adage “loose lips sink ships” is quite true when it comes to HIPAA. Chatting about patients with friends or family, or even co-workers who are not privy to that patient’s medical information, can violate HIPAA policies. One example that recently landed a nurse in hot water was with Carolina Panthers quarterback Cam Newton’s ankle rehabilitation. The nurse’s husband called into The Drive NC, a CBS syndicate sports talk show, and disclosed that his wife told him the date of Newton’s surgery, which up until then was private information. There isn’t information whether the nurse was sanctioned, but by telling her husband about Newton’s surgery, even in confidence, she clearly violated HIPAA privacy and removed any privacy rights her patient had. A simple mistake like this puts a nurse’s or doctor’s career at risk and harms their patient.
Remember, unless the patient has signed a release of information, the general rule is nobody but the patient and direct caregivers can access those records.
It’s an unfortunate that we live in a world where hacking is commonplace, but if the recent Office of Personnel Management hacking scandal and Heartbleed bug have taught us anything it’s that there are people who want to steal protected health information for nefarious purposes. Protecting against hackers can be difficult and costly, but it’s a necessary task in today’s cyber society—especially as electronic health records become a standard industry practice.
Basic ways to protect from hacking include routinely updating computer and device software, enabling firewalls and having a full suite anti-virus software system, such as Avast, which is standardized on all of the networked systems, and updating passwords with proper passcode strategies.
Poorly disposing of protected health information is easy to avoid, yet it’s also surprisingly common. Many photocopiers will have a hard drive that saves a certain amount of recent files. If somebody should access that memory who isn’t supposed to have that information it’s a HIPAA violation. Same goes for improperly shredded documents. The basic rule to keep in mind when discarding anything that has protected health information is to thoroughly destroy or wipe the device hard drive or cross-shred the documents.
Lack of Training
Knowing the intricacies of HIPAA policies is tough, and a study by NueMd and the Daniel Brown Law Group show that 36 percent of medical office professionals lack vital understanding of HIPAA’s regulations, with an additional 33 percent failing to comprehend the audit strategies OCR uses. They found that employees have a misconception that only managers or owners need to know or abide by HIPAA and so they neglect proper training. But that’s far from true. Any person who comes in contact with protected health information is required to abide by HIPAA policies, or they’ll face major fines or in severe cases even jail time. Be sure every employee, new and old, knows about the updated HIPAA policies and can show proof of their training in case of an OCR audit.
Lost or Stolen Devices
In an ideal world, every device that has patient data is encrypted and in a secure location. The computer, phone or tablet only gets accessed or moved for important, temporary needs and then it’s returned back to its secure location. But in the real world these items have a tendency to occasionally get lost or even stolen. And that leads to massive problems.
For example, in April 2014 an unencrypted laptop was stolen from Concentra Health Services’ Springfield Missouri Physical Therapy Center. The company reported the theft to the U.S. Department of Health and Human Services Office for Civil Rights, and after an OCR audit Concentra was fined $1.7 million.
Third Party Disclosure
Third parties are often billing companies or other businesses that help the hospital or small practice run smoothly. Any company that comes in touch with patient information is responsible for abiding by HIPAA policies, and the Common Agency Provision in the HIPAA Omnibus Ruling means that hospitals and medical staff are now the ones responsible for your third party HIPAA compliance. A business partnership where a third party causes mistakes can come back to haunt the health care provider, so make sure everybody who has access to protected health information is HIPAA compliant.
In order to prevent theft and unauthorized access, HIPAA requires all electronic and paper documents or other files containing PHI are stored in a secure area. This means any type of filing cabinet needs to be locked, the office or building needs to be locked or secured when staff isn’t around. These seem like simple things to remember, but mistakes do happen.
In 2014, Parkview Health Systems was hit with an $800,000 fine because employees left 71 boxes with 5,000 to 8,000 patient records on a physician’s porch. These boxes also happened to be within 20 feet of the road, and nearby a busy public shopping mall.
If you’re looking to brush up on your HIPAA knowledge the OCR has six educational programs for health care providers about compliance with several aspects of the HIPAA Privacy and Security Rules. The OCR offers each of these programs for free via Continuing Medical Education credits for physicians and Continuing Education credits for health care professionals. One module also focuses specifically on mobile device security: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training
What HIPAA violations do you think are most common?