11 Most Common HIPAA Violations

A HIPAA violation can cost a maximum of $1.5 million per year for violations of an identical provision and a lot of the time these are common HIPAA violations that can easily be adjusted.

When HIPAA was enacted on August 21, 1996, it turned the entire healthcare industry on its head. More than 20 years later, and many healthcare organizations constantly struggle when attempting to stay on top of everything this government regulation entails.

So what are some of the most common types of HIPAA violations?

11 Most Common HIPAA Violations

Lack of Employee Training

A HIPAA compliant working environment starts with your workforce. Lack of proper employee training is the cause of persistent HIPAA violations.

It isn’t uncommon for managers, administration, and medical staff to be the only employees who receive HIPAA training.

However, HIPAA requires that all employees, volunteers, interns, and anyone with access to PHI be trained, this can also include security guard personnel.

If your employees are familiar with HIPAA requirements, their chance of violating them significantly decreases.

The fact is, proper employee education and training can help your organization avoid some of the most common HIPAA violations.

Medical Record Mishandling

While it’s been a slow and painful transition from written patient charts and records, some still utilize this practice.

If your healthcare organization still uses paper records, it increases the likelihood that a physician or nurse may accidentally leave a chart in the exam room and potentially exposing its protected contents to unauthorized individuals.

If your healthcare organization has moved to cloud-based patient information databases, your team can still mishandle them.

A best practice to handle electronic medical records is to ensure your workforce is in the habit of locking their computer’s screen when they are no longer using or walk away from their desk. This is a simple but effective procedure to help avoid these types of common HIPAA violations.

Using Insecure Technology

If your healthcare entity uses electronic means to store and share patient health information, you still need to communicate protected health information (PHI) in order to provide the necessary care.

However, if your employees are utilizing insecure technology to share PHI information then you’re running a huge risk that could expose your organization to a potential breach.

In order to properly share ePHI via technology, communications and storage mediums should include two-factor authentication, data encryption, internal auditing procedures, and additional security controls to meet HIPAA compliance requirements. Due diligence is the best way to avoid common HIPAA violations related to technology.

Hacking and Malware

No one thinks that getting hacked or how they navigate the internet is wrong. However, it happens all the time and people want access to ePHI for malicious purposes.

It is essential that you not only have anti-virus and/or anti-malware software installed on all of your devices and that each instance of this software is updated regularly.

These common HIPPA violations are related to the topic above. This means that steps taken in the above “Using Insecure Technology” further help fight against hacking and malware.

Authorization and Patient Signature

It is detailed in the HIPAA Privacy Rule that a patient must give written consent for the use or disclosure of any individual’s PHI that is not used for treatment, healthcare operations, or payment.

When unsure as to whether or not they can disclose information, it is best practice to get prior authorization before releasing any information in order to avoid this common HIPAA violation.

Additionally, patients reserve the right to only release specific parts of their medical record.

In the case of a minors PHI, his or her parent legal guardian must give consent before any information can be released.

Disclosing The Wrong Patient’s Information

Once you receive the necessary written consent from a patient, it’s imperative that you release the correct patient’s information.

Although these common HIPAA violations is most likely accidental, it is still considered a breach of privacy subject to civil and criminal consequences.

Improper Disposal of PHI

Employees need to properly dispose of PHI that is no longer needed or becomes outdated meaning that this common HIPAA violation could be contributed to employee laziness.

Proper disposal methods include both electronic PHI records and any written records. Best practice to dispose of PHI is through shredding, destroying, and hard drive wiping.

There are many vendors who provide these services, at Etactics we use Shred-It for paper documents.

Lost or Stolen Devices

These common HIPAA violations are closely related to the use of insecure technology. Human error results are uncontrollable so it’s not uncommon for anyone to lose their devices carrying PHI.

They may lose their laptop, smartphone, or other devices that contain patient information. These devices also run the risk of being stolen, especially smartphones.

If either scenario occurs, it is important that the necessary safeguards are put into place so that PHI information is not exposed.

Social Media Sharing

Social media is running rampant in 2019 and shows no signs of slowing down. That highly increases the chances that a post containing patient photos will be shared on social media.

Although this may seem to be harmless if a name is not mentioned, this is a common HIPAA violation.

Someone may recognize the patient and the procedure being shown may be done by a specialty doctor.

That combination breaches the patient’s right to privacy. In order to combat social media sharing, inform all employees of what a HIPAA breach using social media entails.

Gossip and Conversational Breaches

No matter which healthcare specialty or area you work within, discussing PHI is always off limits.

Almost every place of employment encourages conversation between coworkers, especially in the lunch room, as it helps promote comradery.

However, if PHI is the topic of conversation, especially if there are non-permitted persons in the vicinity of the discussion, you could face a large fine.

Discussions about PHI should always be kept behind closed doors and only with appropriate personnel when appropriate or applicable.

Both of these common HIPAA violations also includes gossiping about patients to friends and family members outside of work.

Celebrity File Lookups

Many people are obsessed with tabloids and celebrities, especially in today’s world where we can see what they are doing every day through social media. Our intrigue into the lives of celebrities makes this a common HIPAA violation.

However, this goes without saying but there is a clear line between catching up with what George Clooney is up to and looking into his medical history.

There have been HIPAA breaches in the past when a celebrity is checked into the hospital or medical practices because unauthorized users want more information.

To combat this type of breach, the best practice is to implement compliance software that can identify individuals looking at things they shouldn’t.