Understanding HIPAA Violations

January 5th, 2021

If you’re involved in the healthcare sector or an organization that deals with healthcare data, you may have heard the term HIPAA violation being thrown around a lot. You might have a rough idea of what it means, but haven’t taken the time to look into the details. The regulations may seem dry and boring, but they’re incredibly important for anyone that deals with health-related data.

What Is a HIPAA Violation?

First of all, HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. It’s a piece of legislation that concerns health insurance coverage, creating national standards for the administration of electronic healthcare, pre-tax medical savings accounts, group health insurance requirements and insurance-related tax reductions.

When we talk about HIPAA violations, we are generally focused on the administration of electronic healthcare and how the regulations stipulate that patient data needs to be protected. One key aspect is the HIPAA Privacy Rule, which regulates how protected health information (PHI) can be used and processed.

PHI is individually identifiable information that concerns a person’s medical condition or healthcare treatment. The Privacy Rule prevents PHI from being disclosed except in certain situations, protecting the rights of patients. It was extended by the HITECH Act, which required companies to immediately report data breaches affecting 500 or more people.

Another core part of HIPAA is the Security Rule, which covers electronic protected health information (ePHI). This is essentially any PHI that’s in digital form. The security rule stipulates how this data must be protected: through administrative, technical and physical safeguards.

In this sense, HIPAA violations are breaches of these regulations. They can include things like improper disclosure of ePHI, or having inadequate protective measures in place.

How Much Can a HIPAA Violation Cost?

HIPAA violations aren’t something you should just brush off. They can be incredibly expensive. For organizations, violations can range from $100 to $50,000 per instance or record, up to a maximum of $1.5 million per year for violations of the same provision. Although the lower end of $100 per violation doesn’t seem so bad, it’s not uncommon for data breaches to compromise thousands or millions of individual records (e.g., via many individual email messages being compromised). The higher end of the penalty scale is reserved for cases of “neglect” and “willful neglect.” These are situations where, for example, an organization knowingly fails to protect ePHI properly and/or is ignorant of the requirements of HIPAA.

Individual employees aren’t safe either. They can face fines of up to $250,000 and even jail sentences with a maximum of ten years.

What Are the Most Common Violations & How Can You Avoid Them?

There are a lot of different ways that organizations can fall foul of HIPAA regulations. Thankfully, many of them can be avoided with the right planning and policy:

  • Lost devices – If a computer or phone containing ePHI is stolen, it could lead to the exposure of the data and a severe HIPAA violation. Thankfully, these dangers can be reduced with features like strong authentication, encryption, and remote wiping.
  • Using SMS to discuss patient information – Texting is inherently insecure, so if patient data is ever disclosed over text (whether to the patient themselves, or to other healthcare workers) it’s a HIPAA violation. Thankfully, LuxSci offers a number of different secure and HIPAA-compliant alternatives to texting.
  • Sending insecure email messages – PHI should never be sent via unsecured email messages, even for seemingly innocuous reasons such as email marketing or appointment reminders. Fortunately, there are many ways to ensure that email messages are universally HIPAA compliant.
  • Hacking – Poorly secured systems make it easy for attackers to access ePHI. If your organization follows security best practices, it can dramatically reduce the risks, because hackers tend to expend most of their efforts on low-hanging fruit.
  • Mishandling ePHI – Employee error is a common cause of HIPAA violations. Workers may forget to encrypt ePHI, print it out, or accidentally disclose it in other ways. LuxSci offers features like opt-out encryption, which helps to reduce the chances of employees accidentally violating HIPAA regulations by lessening the potential for human error.

What Should You Do If Your Organization Has Violated HIPAA Regulations?

If your organization breaches HIPAA, it needs to take the situation seriously. It’s best to report the violation as soon as possible. Employees who notice a violation should report it to either the HIPAA privacy officer or their supervisor.

An investigation and a risk assessment must then be conducted. These determine whether the violation should be reported to the Office for Civil Rights and the affected patient. If it’s a reportable breach, it’s in the organization’s best interests to do so quickly and with maximum transparency. Attempting to hide a breach can result in much more severe penalties.

Once the investigation has concluded, everything must be well documented, and the necessary steps should be taken to rectify the breach and stop it from recurring in the future. It’s important for your organization to treat every breach as an opportunity to improve its processes. Otherwise, it could face even more serious repercussions in the future.

If your organization does not have well-defined procedures for managing breaches and other security incidents, now is the time to make these.