Common HIPAA Violations: What Not To Do

Cyber Health

November 7, 2018

Karen Walsh

“But, I didn’t know.”

It’s no excuse. Whether you’re five or fifty-five, you’ve often responded to an accusation with this sentence. Unfortunately, in the world of data protection, regulators don’t want to hear that phrase. You must know. When it comes to employee or customer healthcare information, accidents can bankrupt a company. Maintaining a corporate culture of security-first compliance to create a cyber-aware workforce prepares and protects your practice or your enterprise from the common HIPAA violations associated with employee actions - whether you’re in the healthcare field or not.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS), acting through its Office for Civil Rights (OCR), to adopt national standards for electronic healthcare information. Extended over the years, HIPAA now incorporates the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.

A short HIPAA summary is that these four rules establish strict guidelines for privacy and security controls over protected health information (PHI). Defined as “individually identifiable health information,” PHI or electronic PHI (ePHI) includes any demographic information, medical history, test or lab results, mental health information, insurance information or other data that identifies a client. However, to fully understand not only what HIPAA is but how it relates to your business, you need a brief overview of the Security Rule and Privacy Rule.

A Simple HIPAA Security Rule Summary

In short, the Security Rule creates a series of guidelines for making sure that you safeguard the confidentiality, integrity, and availability of the ePHI you create, receive, maintain, or transmit. In other words, don’t let someone accidentally access the information or steal it, no matter what form it takes or where it lives. As part of this, you need to identify and protect against potential risks that lead to unintended uses or disclosures. Moreover, you need to make sure your employees do the same.

A Simple HIPAA Privacy Rule Summary

Although similar in nature, the HIPAA Privacy Rule focuses on a person’s right to control the use of their information. While you need to secure it, you also need to make sure that you’re not letting anyone have accidental access to it.

Two Key Differences Between The Security and Privacy Rules

These sound similar, but there are two important distinctions:

  1. While the Security Rule focuses on electronic information, the Privacy Rule also incorporates spoken and paper information.
  2. The Privacy Rule focuses on “keeping it quiet” while the Security Rule details specific steps to compliance.

Who Must Comply with HIPAA?

HIPAA applies to you as a “covered entity” if you’re a healthcare provider, health plan, or health care clearinghouse. The HIPAA definition of “business associates” expands that to incorporate third parties who perform functions on behalf of covered entities that involve using or disclosing health information for them.

In other words, if you’re building or expanding a software or web application to serve any of the covered entities mentioned above, then you need to be compliant with HIPAA rules.

What Constitutes a HIPAA Violation?

Although HIPAA violations arise in a variety of ways, they all incorporate “someone who shouldn’t know something who learns about it because there weren’t enough protections.” This definition includes everything from employees having too much system access, to a hacker gaining entrance to your system, to someone leaving a piece of paper on a desk or a screen open to view.

Under the Enforcement Rule, OCR can levy fines anywhere from $100 per violation (not exceeding $25,000 annually) to $50,000 per violation (not exceeding $1.5 million annually) for an accidental violation. The penalty minimums increase with the degree of willfulness behind the violation. In fact, if your actions are egregious enough, the Department of Justice can fine you $250,000 and impose up to ten years in jail for a data compromise carried out with an intent to sell, transfer or use the information for commercial advantage, personal gain, or malicious harm.

Employer HIPAA Violations: How to Protect Employee Information

Even if you’re not a healthcare provider or business associate (a third party handling healthcare information on behalf of a healthcare provider), you may still be at risk. HIPAA law and employers have a tense relationship. Although employee medical privacy rights mostly fall under the Americans with Disabilities Act, some fall under HIPAA laws and regulations. Importantly, a few HIPAA guidelines for employers do exist.

Don’t Call The Doctor

Whatever you do, never call an employee’s health care service provider. Just don’t do it.

Segregate Medical Documentation

If you require medical exams as part of an employee health program or as a requirement for a job offer, keep medical information segregated from traditional employee records. This can be physical segregation or digital segregation (such as a different server).

Protect ePHI within Self-Insured Healthcare Plans

If you’re using an Administrative Services Only (ASO) plan in which you as the employer pay benefits using your own company funds, then you need to be entirely HIPAA compliant.

Establish Data Handling Practices for Group Health Plan Information

If you’re getting more than summary information from the group health plan, it’s covered by HIPAA and needs protection. Make sure you review the documentation sent to your Human Resources Department and either create new practices or better define what information the group health plan should send you.

Review Company Health Clinics and Employee Assistance Programs

Both of these may be classified as hybrid entities wherein the provider transmits information for payment. As such, if you maintain records like these, you need to lock them down to be compliant.

Never Announce Something (Good or Bad) Classified as a Medical Condition

You may be over the moon that your employee is pregnant or devastated by a cancer diagnosis. However, unless your employee allows you to disclose, the announcement can be a HIPAA violation.

HIPAA Violations Examples: Workplace Do’s and Don’ts

HIPAA violation stories abound. An emergency medical services worker posting on social media can be viewed as a violation. Businesses that are no longer operating, and short-lived Snapchat or Instagram Stories posts, offer additional examples of potential HIPAA violation lawsuits.

Protect Your Company From HIPAA Violations: A Do/Don't Do Guide

[Infographic: Protect against HIPAA violations. Source: Zeguro]

Transparency Is the Foundation of HIPAA Compliance

HIPAA’s detailed control list and risk assessment requirements make your security-first approach difficult. You want to be transparent, but the rules sometimes prevent that. At Zeguro, we value transparency in the way we communicate with our customers, which can also be a guide to how you view medical data transparency:

  • Honesty: We’re up front about how well your protections align with the HIPAA Security Rule’s requirements.
  • Clarity: Our plain language policy templates and training modules remove legalese from the process to help you create HIPAA guidelines for employees.
  • Simplicity: We simplify HIPAA compliance with an easy-to-navigate platform and staff who can answer your questions and ease the burden of compliance.