There's no doubt – HIPAA compliance requires diligence. But with penalties reaching $1.5 million, it's crucial for practices to be aware of mistakes that could result in violations and fines.
Below are common mistakes that could cost your practice and resources for learning how to handle them.
1. Lost or stolen device
It's not uncommon to accidentally leave your phone or laptop behind. Maybe you hastily got out of an Uber or forgot your phone on the table as you left a restaurant. Perhaps your flash drive fell out of your pocket as you were digging for something else.
However, if a device containing electronic protected health information (ePHI) is no longer secure, you could have a breach on your hands. The situation becomes even more severe if the device contains unencrypted ePHI – the Office of Civil Rights has expressed that any loss of control over unencrypted ePHI constitutes a breach.
No matter how careful you are with your device, a loss can happen unexpectedly; for instance, your device could be stolen from your own car. Your best defense against a breach resulting from a lost or stolen device is to avoid storing ePHI on mobile devices in the first place.
Regardless of the device it is contained on, ePHI should always be stored in a secure location and encrypted, which involves encoding the information in such a way that only authorized parties have access to it. Many devices have encryption capabilities built in, so take advantage of them to encrypt any files and folders that contain ePHI. Be sure that any device you use to store or access ePHI is further secured with a strong password, and configure a screen lock that requires the password to be re-entered after a period of inactivity.
Refer to HealthIT.gov for tips on securing your devices.
2. Improper storage or disposal of records
In 2012, a pharmacy discarded an unlocked container of documents containing the PHI of over 1,500 patients in a publicly accessible dumpster, resulting in a $125,000 settlement.
Proper storage and disposal of PHI are essential, regardless of whether your records are kept on paper or electronically. Any document containing PHI must be stored in a secured location at all times and kept out of sight of unauthorized parties. Special care must also be taken when destroying records: simply deleting a file does not sufficiently erase it from your hard drive, and throwing a crumpled-up document in the trash doesn't protect the information from unauthorized parties. All staff members should be trained on both the proper storage and the proper disposal of PHI to ensure that your records don't end up in the wrong hands.
Consult these FAQs about the proper disposal of PHI by the Department of Health and Human Services (HHS) for more information.
3. Unauthorized disclosure of information
Disclosing PHI without authorization is one of the most common mistakes a provider can make. Talking with a friend about a mutual acquaintance under your care, discussing a patient with staff at the front desk, and even accidentally filing a document containing PHI in the wrong patient's chart could put you at risk for a breach. Sending PHI to the wrong recipient, even if accidental, is also a violation: in 2014, a medical center paid a $387,200 settlement after accidentally faxing PHI to the patient's employer rather than the patient himself.
PHI should only ever be discussed in private settings with the people who need to know. All practice staff should be instructed to never discuss PHI in an open setting and always verify that information is only being delivered to an authorized recipient.
4. Lack of a Business Associate Agreement
One of the more difficult tasks for providers is determining who qualifies as a business associate and securing the relationship with a Business Associate Agreement (BAA). A BAA helps to ensure that a business associate such as your EMR vendor or telehealth service provider will appropriately safeguard PHI.
Even if both entities are trustworthy and in compliance with HIPAA, you are required to have a BAA that clarifies the permissible uses and disclosures of PHI with any entity that helps you conduct business. Failure to execute a BAA could result in a hefty fine or make your organization liable for any breaches by the business associate.
For information about business associates and what BAAs should entail, read Business Associate Contracts from the HHS.
5. Inadequate risk analysis policies and procedures
Taking time to examine where a breach can occur in your organization and documenting your policy for that situation can be important for protecting yourself. For instance, you may need an electronic media policy that details how devices should be encrypted and what safeguards and access controls should be implemented. Policies should enumerate who has access to PHI, how it is to be used, and what steps to take in the event of a breach.
However, simply writing these policies isn't sufficient: they must be followed on a daily basis and reviewed and updated regularly. Impress upon your staff the importance of following established policies and encourage them to point out potential violations. As your practice grows and changes, you may need different ways of handling PHI and updates to the BAAs you already have in place.
For more information on risk analysis, consult the HHS's Security Rule Guidance Material or refer to the Security Risk Assessment Tool at HealthIT.gov.
6. Sharing usernames and passwords
According to the HIPAA Security Standards, assigning each staff member who accesses PHI a unique user identifier is a required technical safeguard. Unique login information for management systems such as your EMR gives you the ability to identify and track user activities and form an accurate audit trail, a key component of the HIPAA Security Rule.
Staff members should never share usernames and passwords to access PHI. Doing so not only directly violates HIPAA but also undermines your efforts to maintain HIPAA compliance by putting you at risk for other violations, such as unauthorized access to information and a lack of access controls.
In most cases, avoiding HIPAA violations involves common sense and some careful attention. However, many seemingly harmless actions could land you in a breach situation. Keep all staff in your organization educated and up to date on HIPAA regulations, and take advantage of the training materials offered by the HHS. If you do experience a breach of unsecured PHI, be sure to issue a notification of breach in accordance with the HIPAA Breach Notification Rule.