HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect individuals' private health information. Its regulations apply to three types of covered entities: health care providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit health information electronically), health plans (health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare and Medicaid), and health care clearinghouses (entities that take nonstandard health information from outside sources and convert it to a standard electronic format, or vice versa). Since the HITECH Act of 2009, business associates that create, receive, or maintain PHI on a covered entity's behalf are directly liable as well. Two rules carry most of HIPAA's enforcement weight: the Privacy Rule and the Security Rule. The Privacy Rule safeguards protected health information (PHI) by restricting a covered entity's ability to use or disclose PHI without the patient's knowledge and consent. It also gives patients more control over their health records, including the right to request a copy of them at any time. Enforcement of the Privacy Rule began in 2003, a year in which 1,516 violations were documented. By 2010 the number of reported HIPAA violations had grown to more than six times the 2003 figure, reaching 9,158. The second rule, the Security Rule, was first enforced in 2005, and reported violations rose substantially from that year onward. The Security Rule protects patient information by requiring covered entities to implement appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of patients' electronic PHI.
How are HIPAA regulations most commonly violated?
- Unencrypted data - Any PHI left unencrypted can be stolen or lost in readable form. A common case is PHI stored on backup tapes kept at the medical facility; during busy office hours, unprotected media is easy to pilfer deliberately or misplace accidentally. The best prevention is to back up patient information electronically through a secure web portal, which removes the need to keep the data physically in an unsecured location. Wherever PHI must sit on media or disk, encrypt it: under HHS guidance, PHI that is properly encrypted is not considered "unsecured", so losing an encrypted tape or drive does not by itself trigger breach notification, whereas losing an unencrypted one does.
- Employee error - Whether the disclosure is intentional or not, the release of PHI by employees is a major threat to HIPAA compliance. Staff juggle many tasks throughout the day, which makes it easy to release health information unintentionally by sending an e-mail to the wrong address, posting private health information on social media, or simply leaving patient records visible in a car. The best prevention is to keep staff informed and trained on how to avoid these mistakes. It is equally important to confirm that any other covered entities with which you share patient information keep their own employees informed.
- Data stored on devices - Nearly half of all HIPAA breaches stem from lost or stolen devices, such as smartphones and laptops, that contain unprotected PHI. If patient information is not protected by passwords, PINs, or other security features, anyone who comes across the device can read your PHI. Note that a login password alone does not protect data on a stolen device, since the storage can simply be removed and read; full-device encryption is what makes the data unreadable. The most effective prevention is to store PHI in a HIPAA-compliant data center with appropriate physical, technical, and network security, in a location separate from your personal devices, so that the devices themselves hold as little PHI as possible.
- Business associates - This form of violation comes from choosing the wrong vendor to help you achieve HIPAA compliance. Request a HIPAA audit report verifying that the data center's controls stand up to testing by a certified HIPAA Practitioner and a HIPAA Security Specialist; confirm that it provides the essential services (OS patch management, antivirus software, a virtual or dedicated firewall, and offsite backup); obtain documentation of its training methods; and obtain a signed business associate agreement (BAA) that meets the requirements of the HIPAA rules. Any data company that cannot meet these standards exposes you to a violation.
- Lapse in notification - Another way to be penalized for a HIPAA breach is failing to notify the Department of Health and Human Services (HHS) and the affected individuals within the required time. Under the Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered; breaches affecting 500 or more individuals must be reported to HHS on the same timeline, while smaller breaches may be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. When a breach is reported promptly and properly and the necessary safeguards are put in place to prevent a recurrence, the violator's corrective action is weighed in its favor and a case is frequently resolved without a fine. To avoid notification lapses, obtain a copy of the checklist "OCR Audit Requirements Following a Self-Reported HIPAA Breach" and understand what you must do if an unforeseen violation occurs.
What are the penalties for violating any HIPAA regulations?
Federal enforcement is taking a hard stance on PHI violations. If you violate any of the regulations, knowingly or not, you are considered liable and face the possibility of heavy fines. If you knowingly violate HIPAA by disclosing, transferring, or selling patient information for personal or commercial gain or with malicious intent, you face not only large fines (up to $250,000) but also a maximum sentence of 10 years in prison. Most individuals found culpable, however, did not set out to disobey HIPAA; they were found in violation unintentionally. The table below lists the penalties for the different tiers of HIPAA violations and is taken from the American Medical Association's official website: