With HIPAA violation fines up to $50,000 per occurrence and a maximum yearly penalty of $1.5m per violation, it’s never been more important for medical practices to make sure that they are compliant with HIPAA at all times. And while all possible HIPAA violations are a threat, some are more common than others. Here are some of the most common causes of HIPAA violations that all medical practices should be aware of and take steps to prevent.
All employees should be given adequate training on securely storing patient records. Records should be securely locked away in an office, desk, or filing cabinet. Any digital files should require secure credentials in order to access them and they must be encrypted wherever possible.
Leaving patient data unencrypted, whether it is stored online or on a local device, carries many risks. Encrypting the data adds an extra layer of security if a device on which patient records are stored is lost or stolen, or if a password-protected device is broken into. Although encryption is not strictly required for compliance with HIPAA standards, it is highly recommended, and some states have passed laws requiring certain data to be encrypted.
Hacking and Data Breaches:
While most people would like to think that it would never happen to them, cybercrime has become a real threat to medical records. There are hackers out there who want to use this information for malicious purposes, so it’s important for medical practices to take steps to protect against hacking.
Keep antivirus software active and up-to-date on all devices that access the network, particularly those used to store patient records, even if the data is password-protected or encrypted. Using a firewall adds another layer of protection, and you should always use unique passwords that are not easily guessed and change them frequently.
Theft or Loss of Devices:
In June 2016, a case was settled in which an iPhone containing a vast amount of patient data, including medications, treatment and diagnosis information, and social security numbers, was stolen. The phone was neither password-protected nor encrypted, which left all the data exposed to anybody who had the phone in hand. A total of 412 people were affected and the facility was fined $650,000.
Any devices containing patient information should be stored in a secure location at all times, and an extra layer of protection should be added through password-protection and encryption.
Lack of Employee Training:
It’s important that every employee who comes into contact with patient information and records is thoroughly educated and given regular refresher training on HIPAA regulations and compliance. Employees’ HIPAA training is required by law and all staff members should be well-trained on what is required of them, along with any particular procedures and policies put in place by the individual practice at which they work.
Sometimes the simplest of mistakes or misjudgments can end up being a massive HIPAA violation, so it’s important that medical practices are aware of these common HIPAA breaches and take steps to prevent them.