“But, I didn’t know.”
It’s no excuse. Whether you’re five or fifty-five, you’ve often responded to an accusation with this sentence. Unfortunately, in the world of data protection, regulators don’t want to hear that phrase. You must know. When it comes to employee or customer healthcare information, accidents can bankrupt a company. Maintaining a corporate culture of security-first compliance to create a cyber aware workforce prepares and protects your practice or your enterprise from common HIPAA violations associated with employee actions - whether you’re in the healthcare field or not.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS), acting through its Office for Civil Rights (OCR), to adopt national standards for electronic healthcare information. Extended over the years, HIPAA now incorporates the Privacy Rule, Security Rule, Enforcement Rule, and Breach Notification Rule.
A short HIPAA summary is that these four rules establish strict guidelines for privacy and security controls over protected health information (PHI). Defined as “individually identifiable health information,” PHI or electronic PHI (ePHI) includes any demographic information, medical history, test or lab results, mental health information, insurance information or other data that identifies a client. However, to fully understand not only what HIPAA is but how it relates to your business, you need a brief overview of the Security Rule and Privacy Rule.
In short, the Security Rule creates a series of guidelines for making sure that healthcare organizations, other covered entities, and business associates safeguard the confidentiality, integrity, and availability of ePHI created, received, maintained, or transmitted. In other words, don’t let someone accidentally access the information or steal it no matter what it is or where it is. As part of this, you need to identify and protect against potential risks that lead to unintended uses or disclosures. Moreover, you need to make sure your employees do the same.
Although similar in nature, the HIPAA Privacy Rule focuses on a person’s right to control the use of their information. While you need to secure it, you also need to make sure that you’re not letting anyone have accidental or unauthorized access to it.
The HIPAA Privacy Rule and HIPAA Security Rules may sound similar, but there are two important distinctions:
HIPAA applies to you as a “covered entity” if you’re a healthcare provider, health plan, or health care clearinghouse. The HIPAA definition of “business associates” expands that to incorporate third parties who perform functions on behalf of covered entities and who use, store, process, or disclose health information for them.
In other words, if you’re looking to expand a software or web application to enable any of the covered entities mentioned above, then you need to be compliant with HIPAA rules.
Although HIPAA violations arise in a variety of ways, they all incorporate “someone who shouldn’t know something who learns about it because there weren’t enough protections.” This definition includes everything from employees having too much system access, to a hacker gaining entrance to your system, to someone leaving a piece of paper on a desk or a screen open to view.
Under the Enforcement Rule, OCR can levy fines anywhere from $100 per violation (not exceeding $25,000 annually) to $50,000 per violation (not exceeding $1.5 million annually) for an accidental violation. The penalty minimums increase as you act more willfully when violating the law. In fact, if your actions are too egregious, the Department of Justice can fine you $250,000 and subject you to up to ten years in jail for a data compromise with an intent to sell, transfer or use the information for commercial advantage, personal gain, or malicious harm.
Even if you’re not a healthcare provider or business associate (a third party handling healthcare information on behalf of a healthcare provider), you may still be at risk. HIPAA law and employers have a tense relationship. Although employee medical privacy rights mostly fall under the Americans with Disabilities Act (ADA), some fall under HIPAA laws and regulations. Importantly, a few HIPAA guidelines for employers exist.
Whatever you do, never call an employee’s health care service provider. Just don’t do it.
If you require medical exams as part of an employee health program or as a requirement for a job offer, keep medical information segregated from traditional employee records. This can be physical segregation or digital segregation (such as a different server).
If you’re using an Administrative Services Only (ASO) plan in which you as the employer pay benefits using your own company funds, then you need to be entirely HIPAA compliant.
If you’re getting more than summary information from the group health plan, it’s covered by HIPAA and needs protection. Make sure you review the documentation sent to your Human Resources Department and either create new practices or better define what information the group health plan should send you.
Both of these may be classified as hybrid entities wherein the provider transmits information for payment. As such, if you maintain records like these, you need to lock them down to be compliant.
You may be over the moon that your employee is pregnant or devastated by an employee’s cancer diagnosis. However, unless your employee allows you to disclose, making an announcement to share this information with other staff members or management can be a HIPAA violation.
HIPAA violation stories abound. They can arise from oversharing on social media and lost or stolen devices. Even businesses that are no longer operating are not safe from the consequences of HIPAA violations.
Many HIPAA violations involving social media are accidental. For instance, social media comments and posts can violate HIPAA regulations even if they don’t mention a patient by name. In some cases, employees may share photos on social media without realizing that patient information is visible in the background.
One recent example involves a nurse who, in April 2020, created a video in which she interviewed coworkers about the challenges they faced working through the COVID-19 pandemic. One coworker, referring to a particular patient by name, noted that the patient might not have died if the hospital had been given the resources it had requested. This potential violation was still under investigation at the time of writing.
In another example, an employee of Elite Dental Associates responded to a patient’s review on Yelp, a social media platform for rating and reviewing businesses. The response included sensitive patient information, including the patient’s name, treatment plan details, and information about the cost of the treatment and the patient’s insurance. During its investigation of the complaint, the Office for Civil Rights (OCR) found that Elite Dental Associates’ responses to other patient reviews contained similar information. Elite Dental Associates settled the complaint for $10,000.
Stolen devices can also lead to HIPAA violations. For instance, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) settled potential HIPAA violations for $650,000 in 2016 following the theft of a mobile device that contained PHI of hundreds of nursing home residents.
In 2017, Lifespan, Rhode Island’s largest hospital system, notified 20,000 patients that their PHI may have been on an employee’s stolen laptop. In both of these examples, the stolen devices were found to be unencrypted and not password protected.
HIPAA requires that PHI be shared only on a “minimum necessary” basis: covered entities and business associates must make a reasonable effort to ensure that only the minimum information necessary to complete a task or perform a job is accessed by or shared with authorized persons. This is another tricky requirement that can lead to violations. For example, a nurse working in a unit or on a floor should only be given the information necessary to care for the patients they’re responsible for during their shift.
Violations of the minimum necessary requirement are common when dealing with third parties. For instance, sharing more patient information than necessary to process claims with a health insurance provider may constitute a HIPAA violation. A New Jersey psychologist faced allegations of HIPAA violations in 2017 after the practice’s billing manager sent copies of patients’ bills, including codes that could reveal diagnoses and treatments, to a collections agency. The complaint alleged that the practice failed to consider providing only a transaction ledger or redacting any unnecessary sensitive patient details before sending the information to the collections agency.
Best practices for avoiding these types of potential HIPAA violations include developing clear and comprehensive written security policies (including social media policies), implementing cybersecurity awareness training for employees, and implementing and enforcing robust device management policies, with reporting requirements for lost or stolen devices and remote wiping capabilities to protect sensitive information.
HIPAA’s detailed control list and risk assessment requirements make your security-first approach difficult. You want to be transparent, but the rules sometimes prevent that. At Zeguro, we value transparency in the way we communicate with our customers, which can also be a guide to how you view medical data transparency:
Note: Zeguro is not able to comment on specific HIPAA cases or violations and only provides general advice in its blogs and articles. We are also not able to assist in personal HIPAA questions. For assistance with HIPAA violations, we recommend you contact licensed legal counsel. If you are seeking solutions that can help you meet HIPAA compliance, we offer an integrated cybersecurity and cyber insurance solution that can help secure your organization and protect PHI/ePHI. Learn more here: https://www.zeguro.com/cybersecurity/compliance.