HIPAA is the Health Insurance Portability and Accountability Act. It’s a federal regulation that protects an individual’s privacy pertaining to personal health information. This is a huge area for data breaches, because a person’s full identity can be stolen with just a few crucial pieces of information. Healthcare providers are generally required to store sensitive information in a controlled space. However, depending on the number of patients a health care provider has, it can be very inconvenient and costly to store the info securely.
As a result of health care provider negligence, this act has become a cash cow for the federal government. In 2013, HIPAA added a team of private investigators to perform inspections undercover. Their sole purpose is to seek out and prosecute health care providers who violate HIPAA regulations. Since then, there have been a record number of fines and lawsuits that would otherwise have gone unnoticed. Below are the most common HIPAA violations committed. Could you possibly be non-compliant and nearing an audit?
Not double-checking audit logs.
HIPAA fines are a real thing. There are over 22,000 corrective actions pending. Massive fines and settlements are closing businesses left and right. A single violation can cost your business $4.8 million. The standard fine is $10,000 per individual piece of private health information released due to non-compliance with HIPAA. Accidentally or ignorantly emailing a patient’s name, date of birth, and one photo can cost you $30,000. At $30,000 per patient multiplied by 30+ patients, you’re going to spend about $1 million. After fines and court fees, that could put a thriving business in debt. For a non-compliant clinic with 400 patients, HIPAA fines could shut you down within 30 days. Double-checking audit logs is an easy way to make sure you dot your I’s and cross your T’s. There’s no room for carelessness or novice mistakes in the medical field.
Sending an unencrypted email or unsolicited text messages.
I’ve received many password-protected emails. You know, the ones that tell you to click a link to read the enclosed message? Then they ask you for a password that only you have access to. Digital compliance is all about maintaining confidentiality and integrity, and making sure each user is authenticated. Encrypting messages adds a second layer of protection when you’re sending out private information via email.
Encrypted messages usually come from government websites, schools, insurance companies, student loan companies, banks, and payroll services. Wedding photographers even use password-protected albums. So why don’t most medical practitioners have this added layer of protection? With as much money as there is in the medical field, they can surely afford it. The health industry exchanges the highest volume of sensitive information in the world. However, I rarely receive these password-protected emails from doctors, lawyers, or pharmacies.
Using free Gmail, AOL, or Yahoo mail to exchange personal health information.
Do you allow your employees to use Gmail, or another email provider with free cloud storage? If so, you need to come up with a better solution fast. It is very easy to break into a free Gmail account. 70% of companies have experienced a data breach at some level. Even so, most people keep their account logged in on their personal cell phone or laptop. It is crucial that your employees have restricted access to these documents, and that they cannot remain logged in on their personal devices. All it takes is one mistake to cost your business several months of productivity. Even if the government doesn’t find out about it, covering up a data breach is not cheap or easy.
Do you use Dropbox to store personal health info?
There are so many pieces to operating a successful practice. Every staff member, both medical and administrative, has an important and crucial role. Each tool, service, procedure, record, independent contractor and computer involved has an important role in day-to-day business within a health practice. For every aspect of a business, there are Private Health Information (PHI) and Payment Card Industry (PCI) compliance risks. To comply with HIPAA, a business must do one of the following:
- Read and interpret the HIPAA Privacy, Security, and Omnibus rules, then adapt all of its procedures and technical controls to them.
- Hire an expert auditor and maintain compliance through regular internal, confidential audits. The alternative is to risk huge fines.
Sharing accounts and logins with employees.
An employee should never have access to a patient’s medical information unless directly working with that patient. Time and time again we’ve seen patient info made accessible to the entire staff. Even the administration won’t need full access, but it can be difficult to limit the access of certain employees with free or standard software.
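The two points above, need-to-know access and double-checking the audit log, can be enforced together in a record store. The following is an added illustration, not code from the original post or from any vendor product it mentions: every read of a patient record is first checked against a care-team assignment and then written to an audit trail, and a separate review function counts denied attempts per user so repeated probing by one account stands out. The patient IDs, staff names and care-team assignments are constructed sample data.

```python
"""Need-to-know access check with an audit trail for PHI records.

Added illustration; patient IDs, user names and care-team assignments
below are constructed sample data, not real records.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed: which staff members are currently treating which patients.
# Anyone not listed for a patient has no treatment relationship with them.
CARE_TEAM: Dict[str, Set[str]] = {
    "patient-001": {"dr.lee", "nurse.ortiz"},
    "patient-002": {"dr.lee"},
}


@dataclass
class AuditEntry:
    when: str
    user: str
    patient_id: str
    allowed: bool
    reason: str


@dataclass
class PhiStore:
    """Holds patient records and writes one audit entry per access attempt."""
    records: Dict[str, dict]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read_record(self, user: str, patient_id: str) -> Optional[dict]:
        # Deny by default: access requires a current care-team assignment.
        allowed = user in CARE_TEAM.get(patient_id, set())
        reason = "on care team" if allowed else "no treatment relationship"
        # Log the attempt whether or not it succeeds; denied attempts are
        # exactly what a later log review needs to see.
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, patient_id=patient_id, allowed=allowed, reason=reason))
        if not allowed:
            return None
        return self.records[patient_id]


def review_audit_log(entries: List[AuditEntry]) -> Dict[str, int]:
    """Second look at the log: denied attempts per user.

    A user with many denials is either mis-assigned or browsing records
    they have no business with; both deserve a follow-up.
    """
    denied: Dict[str, int] = {}
    for entry in entries:
        if not entry.allowed:
            denied[entry.user] = denied.get(entry.user, 0) + 1
    return denied


def demo() -> Dict[str, int]:
    """Run a few constructed access attempts and return the review result."""
    store = PhiStore(records={
        "patient-001": {"name": "[constructed]", "dob": "1980-01-01"},
        "patient-002": {"name": "[constructed]", "dob": "1975-06-30"},
    })
    store.read_record("nurse.ortiz", "patient-001")   # allowed
    store.read_record("nurse.ortiz", "patient-002")   # denied
    store.read_record("front.desk", "patient-001")    # denied
    store.read_record("front.desk", "patient-002")    # denied
    return review_audit_log(store.audit_log)


if __name__ == "__main__":
    print(demo())   # {'nurse.ortiz': 1, 'front.desk': 2}
```

The review step is deliberately separate from the access check: the check stops an individual read, while the periodic review is what catches an account that keeps trying. In a real deployment the audit log would be written somewhere the same staff cannot edit it.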
Minimally training employees.
The amount of profit potential in the medical industry is incredible. I understand why it may be appealing for a business owner to train employees only as the company grows. Training can be very costly for a business. Both time and productivity are sacrificed while the new employee and trainer use company time to adjust to the system. However, God forbid you have a “complication” during a procedure or a legitimate complaint makes its way to the municipality. At that point, you’d pay 10x over for a fully trained employee to represent the company, but it will be too late.
Becoming compliant will save you money and time, and improve your workflow. Accountability is inevitable. The choice here is whether you’re going to be proactive or reactive about it. Taking accountability now can prevent huge fines, lawsuits, confusion, and unethical decision making down the road.