Here is the second part of our 2 part series we did for NeuMD. If you would like to see the original article, you can view that
Welcome back! If you missed the first installment of our Top 10 HIPAA Violations blog, you can read it here.
Now, let’s take a look at the last 5 HIPAA Violations…
6. Unauthorized Release
The news media is notorious for releasing personal medical information—from the most famous pop stars to local government leaders. Unfortunately, if you are the information source then you are liable for large fines and lawsuits. Unless a patient is a dependent, or Power of Attorney has been obtained, it is illegal to release PHI, even to family members.
You might be wondering, “What about communicable diseases?” In a recent blog I wrote about Ebola and the HIPAA requirements for disclosing this information to the CDC.
7. Unencrypted Data
There is some discussion whether or not encryption is required in order to be HIPAA compliant. While the HIPAA Omnibus Ruling does NOT require encryption of data, HHS has been levying stiff fines against businesses that don’t properly protect information. Encryption is an easy and relatively inexpensive way to satisfy your HIPAA requirements, as many programs have encryption built in to them. Make sure you are encrypting data in all 3 phases – Rest, Transmission, and Storage.
In 2013, the first violation for a case of unencrypted data involving fewer than 500 patients was settled for $50,000. A laptop containing the PHI of 441 patients was stolen from Hospice of North Idaho.
“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable, and undecipherable.”
8. Lack of training
Employee unfamiliarity with the HIPAA Rule is a HUGE problem in many small businesses and practices I work with. Many people come to me thinking that only the owners or managers need to be trained, and they neglect training the most important people, those employees that are on the front line with the clients. When we sell a compliance solution, we make sure ALL employees who come in contact with PHI are included in the training. This includes any contractors, front desk workers, and volunteers. You are required to train employees on the Law and to ensure they know your Policies and Procedures.
9. Unsecured Records
HIPAA requires you to secure all electronic and paper documents and files containing PHI. Lock filing cabinets, lock your office, create difficult passwords on all devices, and encrypt all files with PHI. OCR is starting the second round of audits; read more about it here {link to blog of Audits}. You have a responsibility to your patients to protect their PHI.
In 2014, an $800,000 fine was levied against Parkview Health Systems, Inc. They left 71 boxes with 5,000 to 8,000 patient records on a physician’s porch. This was within 20 feet of the road, and right around the corner from a heavily trafficked public shopping mall. This is a bit of an extreme example, but the moral of the story is – secure those records!
10. Loud Mouths
Some people just don’t know when to stop talking, but when it comes to PHI, not knowing when to keep quiet can land you a hefty fine. Sharing PHI between co-workers in a public area or with friends who should not know this information puts you at risk for a HIPAA violation. Be mindful of your environment, restrict those conversations to private places, and don’t share information with friends and family.
For all you sports fans, a recent example of a loud mouth was when Cam Newton had surgery on his ailing ankle before the start of the last NFL season. A caller to a sports show asked if the host knew of Newton’s scheduled surgery. Only a few insiders knew, as this was information the Carolina Panthers were keeping under wraps.
It turns out this caller was married to a nurse working at the hospital where Newton was going for surgery. We don’t know if it was determined who the nurse was, and if she was sanctioned for the violation. But the moral of the story is that you need to be careful about what information you disclose, and to whom. The reality is, that nurse could have lost her job, and a violation like this could make finding a new one quite difficult.
With all the recent breaches of Protected Health Information, there is a new sensitivity to protect it. We receive 2-3 phone calls every week from people who feel their health information has been inappropriately released. These 10 HIPAA Violations highlight the fines and penalties for a HIPAA breach, but they don’t talk about the loss of trust these practices face. Remember, implementing HIPAA isn’t only about avoiding fines, it’s about protecting your patients and your business.
Want to see Part 1 of the Top 10 HIPAA Violations? Click Here