HIPAA Violations & the Consequences. What the HIPAA Privacy Rule Does


Health care providers and health plans that are covered entities under the HIPAA Privacy Rule must follow its requirements. Most covered entities had to be in compliance by 04/14/2003 (small health plans were given until 04/14/2004).

This rule created, for the first time, national standards to safeguard patients’ medical records and other individually identifiable health information. HIPAA gives individuals more control over their health data, sets limits on how that information may be used or disclosed, and establishes safeguards that doctors and other health care providers must put in place to protect each patient’s health data and privacy.

Additionally, if a practice violates HIPAA, it will be held accountable; the consequences can be civil penalties, criminal penalties, or both. You can read more about what HIPAA does at hhs.gov.

What Could Happen When a Small Practice Violates HIPAA?

Besides damage to a practice’s reputation, which is extremely important, other things can happen when HIPAA violations occur. A practice can incur large fines. Anthem, for example, paid $16 million to HHS in 2018, one of the largest HIPAA settlements in history. The settlement stemmed from a large cyber-attack on Anthem’s systems that took place between 2014 and 2015.

According to Commins (2018), “Sadly, Anthem neglected to implement proper measures and controls for detecting risks – like hackers who got into Anthem’s system to gain individuals’ passwords and steal personal data.” (Commins, 2018, para. 7)

If you are not sure whether your small practice’s IT is secure, you might wish to consult a healthcare IT consultant such as Fastech Solutions. Once a practice violates HIPAA, even in a small way, it might already be too late, for many reasons: reputation, finances, loss of patients, even closing the business. If your IT is not secure enough, you might wish to outsource it to a company like Fastech.

Common Causes of HIPAA Violations

  • Confidentiality breaches – employees disclosing information
  • Mishandling of medical documents/data
  • Lost or stolen mobile phones, PCs, tablets, memory cards, flash drives, etc.
  • Using text messaging to send patient health data
  • Social media misuse
  • Staff members accessing patient data without authorization
  • Social breaches – discussing patients in public
  • Failure to obtain required authorization/permission
  • Accessing patients’ health information on personal PCs – for example, from home
  • Inadequate training/knowledge


A Few Common and Successful Preventative Measures

Staff members breaking confidentiality

Whether intentional or not, it is a HIPAA violation. Train employees to be aware of their surroundings, at home and at work. Limit conversations about patients to private areas and never discuss patient details with family or friends.

Health care records being mishandled/misused

This is a very common HIPAA violation. If a facility uses paper records, such as patient charts, and a chart is left in an exam room by mistake, the next patient or a staff member with no need to see it could read the patient’s health data. Printed paperwork must always be accounted for and kept in a secure place, such as a locked filing cabinet.

Lost/Stolen mobile devices, computers, etc.

If a practice stores patient data on such devices and a device is lost or stolen, a HIPAA violation (and a reportable breach) can result. Smaller devices are easier to steal, so safeguards matter even more: require strong passwords or PINs, turn on full-disk encryption, and enable remote wipe. Encryption is worth the effort for another reason: under HHS guidance, PHI on a lost device that was encrypted to the NIST standards, with the keys not also exposed, does not count as “unsecured” PHI, so its loss is not a reportable breach.

Using text messaging to send patient health data

While texting information to patients is easy and fast, ordinary SMS is not secure: messages travel and sit in plain text on carrier systems and on the phones at both ends, where they can be intercepted or read from a lost device. If your practice wants patients to receive information quickly by text, use a secure messaging application that encrypts messages end to end; both the sender’s and the patient’s device must run that application. Otherwise, keep plain text messages to content that carries no health details, such as a bare appointment reminder.

Misuse of Social Media Sites

Posting pictures of patients, for example, violates the HIPAA Rule. It may seem minor and harmless, even when the patients’ names are not mentioned, but if someone recognizes the people in the photos and knows the small practice’s specialty and location, the practice can face serious consequences. Make sure all staff members understand this, so your practice is protected.

Staff Members Accessing Patient Data Illegally

If staff members access patient data they are not authorized to see, that is a violation of the HIPAA Rule too. It may happen simply because a staff member is bored or curious, or because a friend or relative asked the employee to look up another patient. Regardless of the reason, it is not permitted under the HIPAA Rule; it is illegal, and serious consequences can follow for your practice. In some cases, violators can go to prison. Make sure all your employees understand this part of the law as well as the rest. Under the Security Rule your EHR must log who opened which record; review those audit logs regularly, because snooping is rarely noticed any other way.
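The audit-log review mentioned above, as an added example that is not from the original page: a small Python script that reads an EHR access export and flags the patterns that most often turn out to be snooping (no treatment relationship with the patient, an action the user’s role should not perform, a patient surname matching the employee’s, and after-hours access). The log format, user names, patient identifiers, care-team list and business hours are all constructed assumptions; a real EHR has its own export format.

```python
"""Flag suspicious EHR chart accesses in an audit log export.

Added example (not from the page). Every name, identifier and the log
layout below are constructed for illustration.
"""
import csv
from collections import namedtuple
from datetime import datetime
from io import StringIO

# Constructed sample export: who opened which chart, when, and in what role.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,patient_last_name,action
2024-03-04T09:02:11,jsmith,nurse,P1001,Garcia,view
2024-03-04T09:05:40,jsmith,nurse,P1002,Smith,view
2024-03-04T12:30:02,jsmith,nurse,P2001,Nguyen,view
2024-03-04T13:10:55,rlee,front_desk,P1001,Garcia,view_demographics
2024-03-04T13:12:03,rlee,front_desk,P3003,Lee,view
2024-03-04T22:47:19,jsmith,nurse,P4004,Baker,view
"""

# Constructed: which staff users are on the care team for which patients.
CARE_TEAM = {
    "jsmith": {"P1001", "P1002", "P2001"},
    "rlee": {"P1001", "P3003"},
}

# Constructed: staff surnames, used to catch self/family lookups.
STAFF_SURNAMES = {"jsmith": "Smith", "rlee": "Lee"}

# Front-desk staff may see demographics for scheduling, not clinical notes.
ROLE_ALLOWED_ACTIONS = {
    "front_desk": {"view_demographics"},
    "nurse": {"view", "view_demographics", "edit"},
}

BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59, an assumption for the sample

Finding = namedtuple("Finding", "user patient_id reason")


def review_access_log(log_text, care_team, staff_surnames, role_actions,
                      business_hours=BUSINESS_HOURS):
    """Return one Finding per suspicious condition per log row."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]

        # 1. No treatment relationship: the minimum-necessary standard.
        if pid not in care_team.get(user, set()):
            findings.append(Finding(user, pid, "no treatment relationship"))

        # 2. The user's role is not permitted to perform this action.
        if row["action"] not in role_actions.get(row["role"], set()):
            findings.append(Finding(
                user, pid,
                f"action {row['action']} not allowed for role {row['role']}"))

        # 3. Surname match: possible self or family lookup, needs a manual check.
        if row["patient_last_name"] == staff_surnames.get(user):
            findings.append(Finding(user, pid, "patient surname matches staff member"))

        # 4. Access outside business hours.
        if datetime.fromisoformat(row["timestamp"]).hour not in business_hours:
            findings.append(Finding(user, pid, "access outside business hours"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG, CARE_TEAM, STAFF_SURNAMES, ROLE_ALLOWED_ACTIONS):
        print(f"{f.user} opened {f.patient_id}: {f.reason}")
```

Each finding is a lead, not proof: a nurse opening a chart for a patient with the same surname may be perfectly legitimate, which is why the script reports reasons for a person to review rather than deciding on its own.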

Public Discussions of Confidential Information

An example of this violation: someone meets a healthcare provider or nurse in a public place and mentions another patient by name, or asks how that patient, perhaps a friend or relative, is doing. Answering is a social breach. Because this will happen sooner or later, have a proper response ready in advance (for example, that you cannot discuss whether anyone is a patient), which lowers the chance of accidentally disclosing private patient data.

Failure to Get Permission/Authorization

Written authorization is necessary for any use or disclosure of a patient’s protected health information that is not for:

  • Treatment
  • Payment
  • Health care operations, or
  • Another purpose permitted or required under the Privacy Rule

If any staff member is uncertain, it is always better to obtain written authorization before disclosing any data.

Accessing/Obtaining Patient Data on Personal Devices

Many doctors and nurses use their home PCs while away from the office to look up patient information, for example to review record notes or check on follow-up status. That can violate the HIPAA Rule, especially if the person leaves the screen on and a family member or friend sees what is on it. Requiring a password when the screensaver starts, when the PC goes to sleep, or after a laptop lid is closed is vital. Better still, keep PHI off personal devices entirely: reach the EHR through the practice’s VPN or remote desktop so the data stays on practice systems and nothing is saved to the home PC.


Patients need to feel secure about their private health data, so make that the top priority for your health care practice. Keep all materials and manuals up to date, and hold HIPAA training yearly, or quarterly when necessary, to avoid possible violations. Many violations can easily be prevented by building the HIPAA guidelines into practice policies and processes and ensuring that every employee with access to patient health data has been adequately trained.

Let’s say you are considering using iCloud, or already use it, to store practice files. Are you sure it will protect private patient data? Any cloud service that stores or transmits PHI is a business associate and must sign a business associate agreement (BAA) with your practice before any PHI is placed there; a consumer service that will not sign one is not an option for patient data.

Get A HIPAA Audit

If you are not sure whether your IT is secure enough, or have questions or concerns about patient data being compromised, contact a managed IT company that specializes in medical practices to protect your practice from HIPAA violations that could devastate your business.