Anybody who has worked in the medical field has encountered tricky situations when complying with the Health Insurance Portability and Accountability Act guidelines. HIPAA policies are vast in complexity, and they keep changing thanks to the updated Omnibus Rule, which was issued in 2013. The maximum HIPAA fines have also increased to $50,000 per violation, capping at $1.5 million. This means abiding by the updated policies is more crucial than ever. To protect patients and hospitals alike, nurses, doctors, and other medical staff need to ensure that security measures and employees are up-to-date on HIPAA’s changes. And one way to do that is by being aware of the most common HIPAA violations.
What Does HIPAA Stand For?
Although HIPAA is commonly referenced in healthcare settings and online communities (and often referenced incorrectly as HIPPA), many healthcare professionals are unsure what HIPAA stands for. According to medicinenet.com, the definition of HIPAA is:
HIPAA: Acronym that stands for the Health Insurance Portability and Accountability Act, a US law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals and other health care providers. Developed by the Department of Health and Human Services, these new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country. State laws providing additional protections to consumers are not affected by this new rule.
HHS.gov provides more details outlining specific HIPAA benefits for patients.
When Did HIPAA Start?
According to medicinenet.com, HIPAA took effect on April 14, 2003.
Common HIPAA Violations
It’s natural for us to innately trust our coworkers; after all, fellow nurses and doctors want what’s best for patients too, right? Sadly that isn’t always the case. Medicare fraud is an often-cited violation of HIPAA policy, such as in 2012 when the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA violations, which netted her 12 years in prison and a $1.3 million fine. But less obvious—and much less nefarious—cases of employee dishonesty can also violate HIPAA policy, such as accessing a patient’s file when you’re not involved in the treatment process.
The adage “loose lips sink ships” is quite true when it comes to HIPAA. Chatting about patients with friends or family, or even co-workers who are not privy to that patient’s medical information can violate HIPAA policies. One example that recently landed a nurse in hot water was with Carolina Panthers quarterback Cam Newton’s ankle rehabilitation. The nurse’s husband called into The Drive NC, a CBS syndicate sports talk show, and disclosed that his wife told him the date of Newton’s surgery, which up until then was private information. There isn’t information whether the nurse was sanctioned, but by telling her husband about Newton’s surgery, even in confidence, she clearly violated HIPAA privacy and removed any privacy rights her patient had. A simple mistake like this puts a nurse’s or doctor’s career at risk and harms their patient.
Remember, unless the patient has signed a release of information, the general rule is nobody but the patient and direct caregivers can access those records.
It’s unfortunate that we live in a world where hacking is commonplace, but if the recent Office of Personnel Management hacking scandal and Heartbleed bug have taught us anything it’s that there are people who want to steal protected health information for nefarious purposes. Protecting against hackers can be difficult and costly, but it’s a necessary task in today’s cyber society—especially as electronic health records become a standard industry practice.
Basic ways to protect from hacking include routinely updating computer and device software, enabling firewalls and having a full suite anti-virus software system, such as Avast, which is standardized on all of the networked systems, and updating passwords with proper passcode strategies.
Poorly disposing of protected health information is easy to avoid, yet it’s also surprisingly common. Many photocopiers will have a hard drive that saves a certain amount of recent files. If somebody should access that memory who isn’t supposed to have that information it’s a HIPAA violation. Same goes for improperly shredded documents. The basic rule to keep in mind when discarding anything that has protected health information is to thoroughly destroy or wipe the device hard drive or cross-shred the documents.
Lack of Training
Knowing the intricacies of HIPAA policies is tough, and a study by NueMd and the Daniel Brown Law Group show that 36 percent of medical office professionals lack vital understanding of HIPAA’s regulations, with an additional 33 percent failing to comprehend the audit strategies OCR uses. They found that employees have a misconception that only managers or owners need to know or abide by HIPAA and so they neglect proper training. But that’s far from true. Any person who comes in contact with protected health information is required to abide by HIPAA policies, or they’ll face major fines or in severe cases even jail time. Be sure every employee, new and old, knows about the updated HIPAA policies and can show proof of their training in case of an OCR audit.
Lost or Stolen Devices
In an ideal world, every device that has patient data is encrypted and in a secure location. The computer, phone or tablet only gets accessed or moved for important, temporary needs and then it’s returned back to its secure location. But in the real world ,these items have a tendency to occasionally get lost or even stolen. And that leads to massive problems.
For example, in April 2014 an unencrypted laptop was stolen from Concentra Health Services’ Springfield Missouri Physical Therapy Center. The company reported the theft to the U.S. Department of Health and Human Services Office for Civil Rights, and after an OCR audit Concentra was fined $1.7 million.
Third Party Disclosure
Third parties are often billing companies or other businesses that help the hospital or small practice run smoothly. Any company that comes in touch with patient information is responsible for abiding by HIPAA policies, and the Common Agency Provision in the HIPAA Omnibus Ruling means that hospitals and medical staff are now the ones responsible for your third party HIPAA compliance. A business partnership where a third party causes mistakes can come back to haunt the health care provider, so make sure everybody who has access to protected health information is HIPAA compliant.
In order to prevent theft and unauthorized access, HIPAA requires all electronic and paper documents or other files containing PHI are stored in a secure area. This means any type of filing cabinet needs to be locked, the office or building needs to be locked or secured when staff isn’t around. These seem like simple things to remember, but mistakes do happen.
In 2014, Parkview Health Systems was hit with an $800,000 fine because employees left 71 boxes with 5,000 to 8,000 patient records on a physician’s porch. These boxes also happened to be within 20 feet of the road, and nearby a busy public shopping mall.
If you’re looking to brush up on your HIPAA knowledge the OCR has six educational programs for health care providers about compliance with several aspects of the HIPAA Privacy and Security Rules. The OCR offers each of these programs for free via Continuing Medical Education credits for physicians and Continuing Education credits for health care professionals. One module also focuses specifically on mobile device security: http://www.hhs.gov/ocr/privacy/hipaa/understanding/training
High Cost of HIPAA Violations Infographic
Many nurses, doctors, and other healthcare workers have been taught to fear the HIPAA legislation. Hospital leaders strike fear in the hearts and minds of nurses everywhere when they start talking about HIPAA violations. Ok – Fear may be a bit much because the laws are meant to protect patients, and that’s what most healthcare providers seek to do. But considering that the Health Insurance Portability and Accountability Act (HIPAA) comes equipped with hefty fines, it easy to understand why many are struck with fear at its mention.
HIPAA was instituted to protect the personal health information (PHI) that resides in the hands of healthcare providers and organizations. Those involved in the line of care include, but are not limited to, nurse, doctors, healthcare information technology (HIT), pharmacies, patients and health insurance companies. And nearly everyone who touches a patient has some access to at least some portion patient’s PHI.
Working in healthcare comes with huge responsibilities. Patients trust us in their time of need and need to feel secure that their personal health information will not be misused. Because of this serious need, HIPAA violations come with huge fines. They can cost an individual or entity millions of dollars and can even land those responsible in prison.
Luckily, innovations in electronic medical records software (EMR) and other healthcare-related technologies are increasingly helping to prevent HIPAA violations. And every day more and more people are able to access their own electronic health records and have a greater understanding for the important role technology plays in their pursuit of good health.
We may get tired of hearing about it, but the reality is HIPAA is here to stay. The laws are only going to get more strict. And the public is only going to demand more when in comes to their healthcare.
It’s our duty to protect the patients we serve, and that means their PHI too.
Do you know what PHI that HIPAA says if off limits?
Are you familiar with the differences between EMR, EHR, and PHR?
More Resources for HIPAA
What HIPAA violations do you think are most common?