
Top HIPAA-related mistakes and how to avoid them

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a law that protects the rights and privacy of patients by introducing healthcare standards. Compliance with HIPAA is required of organizations and individuals who handle protected health information (PHI). There are numerous mistakes that healthcare professionals can make when it comes to health security and privacy.


What is HIPAA?

HIPAA is a law enacted to reform the healthcare industry and reduce fraud related to health transactions. The law applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) as well as their business associates. It establishes national standards that protect PHI from being disclosed without a patient’s consent or knowledge.

Navigating HIPAA compliance requires a basic understanding of the Privacy and Security Rules. The Privacy Rule safeguards PHI, ensuring it is handled with confidentiality and integrity. The Security Rule maintains the security of electronic PHI (ePHI). Alongside these two rules is the Enforcement Rule, which provides standards for enforcing HIPAA and penalizing noncompliant organizations.

The HITECH Act promotes the adoption and meaningful use of technology as it pertains to health information. With HITECH came two additional rules:

Adhering to HIPAA helps healthcare organizations keep PHI secure and avoid substantial penalties and damaged reputations. Some common HIPAA-related mistakes follow, along with how health organizations can avoid them.

Related: Understanding and implementing HIPAA rules


Human error and bad-faith employees

The first line of defense for any healthcare organization is its staff. Staff can also be the cause of data breaches, whether accidentally or intentionally. A recent report asserts that 61% of healthcare data breaches come from negligence. Negligence could include employees falling for a phishing scam or leaving sensitive information in clear view of anyone. At the same time, some breaches may be intentional, motivated by anger or revenge, personal gain, or even a refusal to comply with patient requests.

The best way to mitigate employee issues (whether deliberate or not) is to train staff on HIPAA’s rules and the organization's cybersecurity policies. Training should be continuous, tailored, and varied. It should include the latest updates to HIPAA, how to avoid malware, and what happens after a breach, among other topics. Clear communication in training ensures that employees understand what it takes to avoid these mistakes.

Learn more: What is a deliberate HIPAA violation?


Unsecured/unencrypted PHI and records

Not all health professionals understand how to properly transmit or store sensitive patient information, whether in electronic or physical form. For organizations, this could mean having or using:

  • Unencrypted ePHI
  • Unsecured work devices
  • Unsecured email systems
  • Information stored or viewed on personal devices
  • Paper records left visible on a desk

A breach occurs when PHI is accessed, used, or disclosed without authorization, and unsecured or unencrypted PHI is the quickest way to violate HIPAA. Methods to avoid unsecured records and devices include strong password protection, device encryption (for data at rest), and HIPAA-compliant email (for data in transit). A related mistake is the improper disposal of records, which must be kept for a minimum of six years before discarding. PHI must be destroyed (e.g., shredded) and not just thrown away. Furthermore, devices being disposed of should be wiped clean before they are discarded.
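To make "device encryption (for data at rest)" concrete, here is an added Go example (not code from the article or any product it mentions) that seals a single ePHI record with AES-256-GCM before it is written to storage and rejects the record on read if it has been altered or truncated. The record content, the key source, and the function names are all assumptions made for the illustration; in a real deployment the 32-byte key comes from a key manager or hardware-backed keystore rather than from the code that handles the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePHI is a constructed record used for illustration; it is not real
// patient data.
const samplePHI = `{"mrn":"000000","name":"Sample Patient","note":"example"}`

// NewDataKey returns a random 32-byte AES-256 key. This stands in for a key
// fetched from a key manager or hardware-backed keystore (assumption); a real
// deployment never generates the key here or stores it beside the records.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one plaintext record with AES-256-GCM and returns the
// blob that would be written to storage: nonce || ciphertext || auth tag.
// A fresh random nonce is drawn per record; reusing a nonce under the same
// key breaks GCM, so the nonce is never derived from the record itself.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, producing nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the stored blob (a
// flipped bit, a truncated file, a tag from another record, a wrong key)
// makes Open fail, so a corrupted or tampered record is rejected rather
// than returned to the caller.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("stored record is too short to be a sealed blob")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// newGCM builds the AEAD, refusing anything other than a 32-byte key so a
// misconfigured deployment fails closed instead of silently using AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptRecord(key, []byte(samplePHI))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; the plaintext never reaches disk\n", len(blob))

	pt, err := DecryptRecord(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))

	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered file
	if _, err := DecryptRecord(key, blob); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The authenticated mode matters as much as the encryption itself: with plain AES-CBC a modified record would decrypt to garbage that the application might still store or display, whereas GCM's tag turns tampering into a hard error that can be logged and investigated.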


Hacking and cyberattacks

Hacking and cyberattacks are real threats that organizations face daily. Phishing attacks increased by 1,265% in 2023, and seem set to keep growing. Healthcare organizations are especially susceptible to cyberattacks given their overstretched staff, weaker cyber protections, and larger attack surface. Health-related breaches compromise PHI and pose significant risks to patients and health organizations.

To avoid cyberattacks, it is necessary to employ strong technical safeguards such as firewalls, anti-malware software, and access controls. Healthcare organizations should strengthen their defenses and minimize the risks associated with cyber threats. Moreover, organizations must keep their employees up to date on HIPAA and related risks through training.


Ignoring patients' HIPAA rights

Under HIPAA’s Privacy Rule, patients have several rights regarding their records and PHI. Among others, the rule grants individuals the right to:

  • Access their information
  • Restrict who can see their PHI
  • Remove inaccurate information

The Right of Access provisions aim to empower individuals by giving them greater control over their health information and healthcare. To avoid violating them, healthcare professionals must find out what their patients want by obtaining consent and access requirements through written authorization. Covered entities must provide what is asked for upon request and in the format requested. Access must be provided within 30 days of the request, with certain limited exceptions.


Failing to report data breaches

Under the Breach Notification Rule, organizations must promptly notify affected individuals, the U.S. Office for Civil Rights (OCR), and the media after a healthcare breach. Notification protects individuals' privacy, fosters transparency, and mitigates the consequences of a breach. It ensures that breach victims are made aware of the exposure so they can watch for identity theft or other misuse of their information.

Avoiding this violation means providing notification within the required timeframes. Covered entities must notify impacted individuals within 60 days of breach discovery, unless state law requires a shorter timeframe or law enforcement requests a delay. For breaches affecting more than 500 individuals, OCR must be notified within 60 days. For breaches impacting fewer than 500 individuals, the notification should be made by the end of the calendar year.

Media notification should also be issued within 60 days of the breach discovery, but only for breaches impacting 500 individuals or more.
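The timeframes in this section are easy to get wrong under the pressure of an incident, so here is an added Go example (not part of the article) that turns them into a small breach-notification tracker: given the discovery date and the number of affected individuals, it computes each recipient's due date and reports which notices are overdue. The model follows the article's wording: individuals within 60 days (or a shorter state-law window, if one applies), OCR and the media within 60 days for large breaches, and OCR by the end of the calendar year for smaller ones. It treats both the OCR and the media threshold as 500 or more affected individuals, an assumption where the article says "more than 500" for OCR, and it does not model a law-enforcement delay. The function and field names and the sample breach are constructed for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds and windows as the article states them (an assumed model of the
// Breach Notification Rule for illustration, not legal advice).
const (
	largeBreach      = 500 // affected count at which OCR and media notices fall within the 60-day window
	notifyWindowDays = 60
)

// Plan holds the due date for each recipient. MediaRequired is false for
// breaches below the large-breach threshold, and MediaDue is then zero.
type Plan struct {
	Individuals   time.Time
	OCR           time.Time
	MediaRequired bool
	MediaDue      time.Time
}

// NotificationPlan computes due dates from the discovery date and the number
// of affected individuals. stateWindowDays, when positive and shorter than
// the federal window, overrides the individual-notice window as the article
// describes for stricter state law; zero means no stricter state deadline.
func NotificationPlan(discovered time.Time, affected, stateWindowDays int) Plan {
	window := notifyWindowDays
	if stateWindowDays > 0 && stateWindowDays < window {
		window = stateWindowDays
	}
	p := Plan{Individuals: discovered.AddDate(0, 0, window)}
	if affected >= largeBreach {
		federal := discovered.AddDate(0, 0, notifyWindowDays)
		p.OCR = federal
		p.MediaRequired = true
		p.MediaDue = federal
	} else {
		// Smaller breaches are reported to OCR by the end of the calendar year
		// of discovery (the article's wording).
		p.OCR = time.Date(discovered.Year(), time.December, 31, 0, 0, 0, 0, discovered.Location())
	}
	return p
}

// Overdue lists the recipients whose due date has passed as of now and whose
// notice is not marked as sent; suitable as a daily check in an incident log.
func Overdue(p Plan, now time.Time, sent map[string]bool) []string {
	var late []string
	check := func(name string, due time.Time) {
		if !sent[name] && now.After(due) {
			late = append(late, name)
		}
	}
	check("individuals", p.Individuals)
	check("ocr", p.OCR)
	if p.MediaRequired {
		check("media", p.MediaDue)
	}
	return late
}

func main() {
	// Constructed example: breach discovered 15 Jan 2024 affecting 1,200 people.
	discovered := time.Date(2024, time.January, 15, 0, 0, 0, 0, time.UTC)
	p := NotificationPlan(discovered, 1200, 0)
	fmt.Println("individuals due:", p.Individuals.Format("2006-01-02"))
	fmt.Println("OCR due:        ", p.OCR.Format("2006-01-02"))
	fmt.Println("media due:      ", p.MediaDue.Format("2006-01-02"))

	// Individuals were notified; on 20 Mar 2024 the OCR and media notices are late.
	now := time.Date(2024, time.March, 20, 0, 0, 0, 0, time.UTC)
	fmt.Println("overdue on 2024-03-20:", Overdue(p, now, map[string]bool{"individuals": true}))
}
```

The useful property is that the decision about who must be told, and by when, is made once from the facts of the breach and then tracked, rather than being recomputed from memory at each status meeting.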


Disregarding state laws related to health and privacy

On top of ensuring HIPAA compliance, healthcare organizations must understand and follow the relevant state laws, subject to some exceptions. If a state law conflicts with HIPAA's privacy and security standards, federal law takes precedence, and covered entities should comply with HIPAA.

The exceptions (which healthcare organizations must understand) are where state laws provide greater privacy protections or relate to public health concerns (e.g., emergencies). Organizations can avoid violating state laws by keeping up with such legislation and confirming that employees are aware of state regulations. Recognizing state laws alongside HIPAA lets healthcare organizations focus on patient care while avoiding violations and their consequences.

See also: Understanding medical record retention requirements by state


The consequences of HIPAA-related mistakes

Whether from intentional or accidental breaches, HIPAA violations may result in serious consequences for organizations. The Enforcement Rule gives OCR the power to issue various penalties to noncompliant organizations. If OCR identifies a violation during its investigation, it can impose a range of consequences.

Such penalties are meant to act as deterrents while holding covered entities accountable. Consequences of a HIPAA violation, after an investigation, might include:

  • A corrective action plan (CAP): a plan that identifies the breach and sets forth a strategy to mitigate the issue
  • Monetary penalties: a fine dependent on the knowledge a healthcare organization has of its violation and the protections in place
  • Criminal penalties: a criminal charge, including jail time, brought against the most grievous offenders

Healthcare organizations can avoid such penalties by focusing on compliance and actively finding the right combination of physical, technical, and administrative safeguards.


Avoiding HIPAA violations

All healthcare organizations and their business associates are subject to HIPAA's rules and can therefore be held liable for HIPAA violations. A proactive approach to security reduces the chance of a HIPAA violation and OCR enforcement. Providers must actively use security controls that prevent the common mistakes mentioned above along with other security risks.

The right mix of protections depends on each organization but should include such features as:

  • Up-to-date policies and procedures
  • Access controls
  • Encryption
  • Vendor management
  • Proper disposal and backup plans
  • Regular risk assessments
  • Employee awareness training