While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to safeguard patients’ information, HIPAA violations still happen regularly. Non-compliance with these regulations can cause serious damage not only to patients but to your organization, so it’s important that all employees are aware of the policies that come with them. To give you a better picture of the importance of HIPAA, let’s look into ten HIPAA violation examples and learn how they can be avoided.
1. Unencrypted data
When devices containing protected health information (PHI) are lost or stolen, there’s a high risk that the information will end up in the wrong hands. To prevent this HIPAA violation example from happening, HIPAA requires that devices be encrypted to add an extra layer of security to your data. This is mandatory for data at rest, which means data stored on devices such as hard drives and flash drives. In the event of theft, loss, or improper disposal, the information is still secure and cannot be accessed easily.
2. Being hacked
Being hacked is an unfortunate event that can happen to anyone, but it is also considered a HIPAA violation example. Being a victim doesn’t get anyone off the hook: an organization still bears responsibility, because there are measures that can be taken to prevent it from happening. Some of them include installing reputable antivirus software, using encryption, and creating secure passwords.
To help you raise awareness about cyber threats and attacks, you can check out the cybersecurity courses offered in EdApp’s content library. These courses can be edited with ease and customized as you see fit, thanks to EdApp’s drag-and-drop authoring tool. This way, you can add content that reflects HIPAA guidelines on top of the fundamental knowledge the courses already cover.
3. Sharing information on social media
Sharing photos and videos of patients on social media is a no-no, especially without the patient’s consent or authorization. This also holds true for other information that can identify a person, such as PHI that appears in posted photos. Health recommendations, event details, new medical research, staff bios, and marketing messages can all be shared on social media channels, as long as no PHI is contained in the posts.
To help reinforce this with your employees and avoid this HIPAA violation example, you can take advantage of social media training programs that contain the policies they need to remember. With courses in EdApp, such as Social Media Policy and Social Media and Electronic Communication, they can learn how to conduct themselves properly online and understand the importance of complying with social media policies.
4. Improper disposal of records
PHI that becomes obsolete, no longer required, or no longer usable should be properly disposed of. This can be done in several ways, such as shredding, burning, pulping, or pulverizing the records, rendering them unreadable, undecipherable, and unreconstructible to protect patient privacy. This means that records can’t simply be thrown away in easily accessible public places, such as dumpsters and recycling centers. Doing so is a serious breach of privacy, as sensitive information can be easily leaked and used for fraudulent activities.
An incident back in 2021 in which hard drives weren’t properly disposed of caused the data of over a hundred thousand patients in the US to be leaked, including sensitive information such as names, social security numbers, birthdates, and addresses. Failure to follow HIPAA standards for disposing of PHI can result in exorbitant fines, patient lawsuits, and poor press. It can also give you a bad reputation with your clients.
5. Unauthorized sharing of information
Patient information can be shared easily, whether inadvertently or not. It’s not uncommon to see healthcare workers discussing their patients with each other in casual conversations at work. It can also take the form of information being shared with patients’ family members, which might seem harmless at first. However, this information should only be made known to authorized individuals and should be discussed behind closed doors.
6. Inadequate employee training
HIPAA compliance training is required by law for anybody who handles protected health information. This is not limited to doctors and nurses; it should also be taken by health insurance employees, business associates, and even front desk personnel. As a rule of thumb, if you’re exposed to any form of PHI as part of your job, you should undergo HIPAA compliance training. The HIPAA Privacy Rule requires training upon hire and whenever there is a change in policies and procedures.
As there are several different rules under HIPAA, it’s important to provide proper training to new hires and refresher training to tenured employees. Learning this complex material can take up a huge chunk of time, but with free HIPAA training like EdApp’s HIPAA Compliance Training course, employees can complete their training anytime and anywhere on their smartphones, and the course can even be downloaded for offline access.
On top of this, EdApp’s Brain Boost spaced repetition feature compiles the key concepts that learners have a hard time understanding and repeats them until learners demonstrate that the concepts have been locked into long-term memory. Using the principles of the “Forgetting Curve,” where learners tend to forget more than half of newly learned material 20 minutes after a lesson ends, Brain Boost ensures that they only spend time on the areas where they need further development.
7. Not reporting a breach or violation
No matter how experienced or tenured employees are, HIPAA violations can still occur at work. As these violations can cause great damage with equally massive repercussions, there may be times when employees or organizations are hesitant to report them. However, when a violation of HIPAA regulations in the workplace compromises the security or privacy of protected health information, the employee’s supervisor or HIPAA officer must be notified. Once reported, immediate action must be taken to rectify the situation and prevent further damage. Within 10 days of the data breach, the Department of Health and Human Services mandates notification with substantial documentation. Additionally, affected individuals must be notified within 60 days of the data breach.
8. Releasing information to unauthorized persons
Providing the wrong information to a patient can cause a lot of headaches, not just for the patient but for your organization. This can happen when patient records are shown or sent to someone who isn’t the intended recipient. These accidental violations are most likely when patients share the same name, which is why additional verification procedures are important to prevent them. In such an event, the patient must be notified of what happened and what information was disclosed. Additionally, only people authorized by the patient, such as family members, should be able to see their information, and this should be strictly enforced through a consent form.
9. Refusing patients’ access to their records
A patient’s medical records contain all the information about their health and well-being, which is why it’s vital that they have access to them. This gives them control over their situation by allowing them to monitor their health, view their medication, track their progress, and amend any discrepancies in their records. While there are a few exceptions, such as incriminating information or certain psychiatric information, the Privacy Rule generally requires that covered entities provide this information when requested.
10. Not performing risk assessments
Failure to recognize vulnerabilities to the integrity of PHI is another HIPAA violation example. HIPAA requires covered entities and their business associates to conduct a thorough risk assessment in order to identify and document risks to PHI. Doing so is not only due diligence but also helps in identifying flaws and enhancing information security. Performing a risk assessment can save you from a lot of headaches caused by the previous HIPAA violation examples, such as hacking and data breaches.