Theres arguably no type of information more sensitive than that which relates to personal health care or medical records. Whether its a hospital, clinic or personal physician, entities that provide vital healthcare services are often the targets of hackers, cyber criminals, and other malicious actors that might seek to gain access to private medical information. Which is exactly why the Healthcare Insurance Portability and Accountability Act (HIPAA for short) was enacted in 1996, with stiff penalties and fines for HIPAA violations. If you are unsure whether your business is violating the HIPAA regulations, you’ll need to seek out cybersecurity consulting firms who are highly specialized in hipaa compliance solutions to foster covered entities.
But the question for healthcare providers of all shapes and sizes remains the same to this day: How do I know for sure that my organization is 100 percent HIPAA compliant? The HIPAA penalty for violations are quite onerous, and seemingly simply oversights or missteps can result in immense costs if you’re caught in any violations of HIPAA.
Also Read: Top 5 Components of HIPAA Privacy Rule
The first step is recognizing the common mistakes, missteps, and pitfalls that are most often associated with HIPAA law violations. You might not realize it, but one of the most common causes of common HIPAA violations is just good old-fashioned human error. From data storage to documented privacy practices, here are eight of the most common HIPAA mistakes that healthcare organizations make, and some quick tips on how to avoid them.
1 – Random Human Error
Whether its doctors, nurses, or administration staff, healthcare workers of all shapes and sizes have a lot on their plate. And in many cases, HIPAA compliance best practices tend to take a backseat to more urgent patient-related matters. One of the most common random human errors that is in clear violation of HIPAA is records mishandling. To comply with HIPAA its required that all patient information be kept strictly confidential, so leaving an open file in a waiting area or in clear view of other employees can result in a fine (if caught or reported).
In todays digital and always-connected world, at times HIPAA violations occur through seemingly innocuous communication channels such as SMS text message and social media. While some medical professionals might see these avenues as more convenient and effective ways of communication, exposing patient data in such a way is also a common HIPAA mistake. Texting between authorized employees can be HIPAA compliant, only if both parties have HIPAA specified encryption software on their mobile devices. Unfortunately, this is not the case in most instances of SMS texting confidential information.
Quick Tip – Establish clear procedures for how physical folders are handled on-site. Conduct a clear and thorough training on what info can be sent via text and social media that wont result in a HIPAA violation.
2 – Cloud Data Storage Practices
From an information technology perspective, every healthcare organization would at least like to think that their data storage infrastructure is as close to hack-proof as humanly possible. The problem is, many organizations fail to cross-reference their data storage practices, systems, and infrastructure with that of HIPAA requirements. In fact, HIPAA just recently released new guidance and guidelines covering organizations that use cloud computing to manage patient data.
Most organizations use a third-party, like Amazon Web Services or SalesForce.com, to provide their cloud-based data storage. This practice is wholly permitted under HIPAA, but they must be in-line with HIPAAs cloud service provider (CSP) regulations. This includes compliance in areas such as system availability, data backup and recovery, and security responsibility. The healthcare organization and CSP must also provide a HIPAA compliant plan that covers response to any potential data breaches.
Quick Tip – Cloud computing has made working with patient data much easier. But make sure to work with your CSP and a HIPAA compliance expert to make sure all your bases are covered.
3 – Ignoring State Privacy Laws
This makes state compliance one of the more common HIPAA mistakes that organizations make. Just because providers are in compliance with HIPAA on the federal level, all too often they let their guard down and fail to recognize statewide regulations that supersede federal, resulting in fines and penalties from the local state. That being said, a state law cannot legally contradict HIPAA. So, if there is any direct conflict, HIPAA law takes precedence.
Quick Tip – States often guard their own laws against federal equivalents, so it may be worthwhile to request official records, or at the very least solicit your state for advice on training employees to be compliant.
4 – Lack of Procedure for Complaints
Its an unfortunate inevitability for healthcare providers, but at some point either patients or health plan participants are going to complain that their private data isn’t adequately protected. And (obviously), while each complaint doesn’t mean a HIPAA violation has taken place, the lack of a written procedure to monitor these complaints can be a HIPAA violation in and of itself.
Complaints can come in a variety of forms, such as a formal notice to the administering body, a letter to your Human Resources department, or a comment made by your staff. It doesn’t matter how the complaint is made, formal steps should be in place for its investigation. An employer should investigate any complaint where there is reason to believe that a violation of any of the terms of the HIPAA Privacy Rule had taken place, and document all the steps taken in the process.
Quick Tip – Don’t just receive a complaint and leave the person hanging. You may be investigating, but you should tell them you are, let them know how long it may take you, and when they can expect to hear from you next.
5 – Failure to Send Updated Privacy Notices
You must also provide up-to-date details of how patients may obtain a copy of records, and inform patients within 60 days of any planned changes to your privacy practices. Where privacy is concerned, HIPAA rules are particularly stringent, and general significantly more so than for other forms of patient notification. Its important that you pay particular attention to HIPAA compliance rules when it comes to privacy notifications, and update each and every patient when the time is right.
Quick Tip – Common reasons for non-compliance are forgetting to send the three year reminder, or omitting to reference updated changes made to privacy practices.
6 – Being HIPAA Uninsured
Being uninsured for HIPAA investigations can end up costing a great deal of money. In one instance, a civil monetary penalty of over $4 million was imposed on a business by the U.S. Department of Health & Human Services (HHS) for a breach of the HIPAA Privacy Rule requiring insurance covering any HIPAA investigations. You must fully understand what range of insurance coverage you currently have, and fill in any HIPAA-related gaps.
Not being covered for HIPAA non-conformance, or for complaints made against you by patients to the Office of Civil Rights (part of HHS), can result in stiff fines and even job loss depending on the situation. Make sure that you have an insurance policy to cover at least investigations and responses to claims and complaints under HIPAA by your patients or members. The premiums to cover you for this are generally small, and you will be glad of the cover should the need ever arise.
Quick Tip – Make sure that any equipment or systems that handle confidential information is insured against data breaches. This will make any HHS investigation a lot more painless from an insurance and compliance perspective in the event of a breach.
7 – Oral Privacy Violations
How often have you heard a doctor or nurse discuss another patient’s health details in a public location? Unfortunately, this practice is more common than it should be, even though it is part of human nature to share and even gossip about life on the job. Another common practice is that, in public wards containing more than one bed, consultants and professionals discuss private information within audible distance of another patient. Any of these, and in general any verbal sharing of private info, go directly against the HIPAA rulebook.
HIPAA clearly states that any covered entity including doctors, nurses, consultants and health facility managers, must respect a patient’s medical privacy. Its forbidden to orally discuss the patient’s care in a situation where the identity of the patient can be known by other parties. That being said, HIPAA does recognize the realities of hospitals, and does not require that health facilities provide things like soundproof rooms, or that doctors and nurses stop talking about their patients. However, they should provide reasonable security regarding their patient’s health information and carry out such discussion in public places where others cant overhear whats being said. .
Quick Tip – Make sure all staff know what kinds of information they can discuss, with whom, and under what physical circumstances. Oral privacy violations can largely be controlled through training and clear disciplinary standards.
8 – Not Consulting with a HIPAA Partner
HIPAA compliance is a critical issue, and not one that healthcare providers should tackle on their own. Simply put, its easy for providers to think they’ve dotted all the Is and crossed all the Ts, without realizing the glaring blind spots in their compliance practices. Thats why one of the most common (and costly) HIPAA mistakes is failure to consult with an expert partner or third-party to ensure compliance.
For example, your systems should be regularly audited by both trained internal auditors and occasionally a compliance partner. HIPAA compliance is not simply a one-and-done deal (as should be obvious from above), but is something that needs to be monitored on a continuous basis. HIPAA partners often also assist in public relations and damage control in the event of a breach. The value of this shouldn’t be understated, as bad press spreads like the plague in todays social media environment. You should look for a HIPAA compliance partner that provides most (if not all) of the following: HIPAA Security Rule audit, Network Penetration Testing, Vulnerability Scanning, Patient Data Environment Risk Analysis, HIPAA Awareness & Training Programs.
Quick Tip – Work with your partner to ensure you’re in HIPAA compliance with regards to business-as-usual (BAU) activities. Its a critical (and often overlooked) part of any entity’s overall security strategy and must be in place for HIPAA compliance purposes.
Closing Thoughts
By now, you should have a good idea of the core steps your business needs to take to avoid costly HIPAA fines, violations, or any other adverse actions from HHS or OCR. Many providers that think they’re HIPAA compliant, but fail to catch some of the common mistakes outlined above. Things like carelessly handling paperwork, not having a documented complaint response plan, and not having HIPAA compliant insurance happen all too often. And often to great financial detriment of the business, hospital, or healthcare provider. The good news is, you can start today by taking an inventory of where you are in terms of HIPAA compliance, and if you’re falling into one of the eight pitfalls we’ve outlined. But the most important takeaway is to make sure you enlist a HIPAA and/or cybersecurity expert partner from the very beginning. They’ll help you navigate the ever-increasing complexities of HIPAA, and ensure your fines and penalties are as close to the number zero as possible.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.