Is your facility HIPAA compliant? Are you sure? If not, HIPAA violations could cost you.
HIPAA violations result in fines per offense which range between $100 and $50,000. However, there is a limit to the amount one organization can be fined annually: a whopping $1.5 million! In addition to these fines, the states’ attorneys general can pursue civil actions. And, breaches for greater than 500 patients must be reported to news media. Suffice to say that most businesses can’t afford that type of profit loss per calendar year nor can they recover from a malevolent media onslaught.
In order to avoid expensive fines and negative publicity, administrators need to ensure both their operating systems and their policies and procedures are regularly updated. Furthermore, employees should receive compliance training both as a new hire and on an ongoing basis.
→ Learn More: 3 Steps to HIPAA Law Compliance
The 8 Most Common HIPAA Violations
As part of your compliance training program, make sure your employees are aware of the most-violated HIPAA laws:
#1 – Disclosing patient information to an impermissible third party.
Your employees should be very careful to avoid gossiping, even if they believe no one will ever find out about their conversation. Unfortunately, sharing information through chitchat with friends, family and coworkers is one of the most common HIPAA violations. Remind your employees frequently: talking about a patient is against federal law!
#2 – Releasing unauthorized protected health information (PHI) due to incomplete HIPAA forms.
Before releasing any information to outside parties, it is imperative that patients’ authorization forms are completed in their entirety. The form should include the patient’s legal name, the specific information that is permitted for disclosure, and the date through which the authorization is valid. (See a sample HIPAA authorization form here.)
#3 – Failing to destroy old information.
According to HIPAA law, outdated or incorrect patient information must be destroyed to avoid a breach of PHI.
#4- Incorrectly disposing patient information.
PHI should never be discarded in the regular trash can; rather, it should be shredded or burned. Placing signs at trash cans, recycling bins and shredding stations can be a great reminder for employees to dispose of PHI correctly.
#5 – Releasing patient information in an untimely manner.
HIPAA law requires that medical records be released upon request. It is imperative that your employees release information in a timely manner to avoid fines.
#6 – Making errors when storing papers or files.
If you use paper and storage filing system, sooner or later a document is going to be misplaced; it’s unavoidable with human error. And unfortunately, incorrectly filing a patient’s records can lead to a HIPAA fine. Switching to an electronic filing database can almost completely eliminate this risk.
#7 – Improperly securing or losing computer devices or back-up drives.
Stolen laptops, tablets, mobile phones, backup discs, USB drives and the like can cause leaks in patient information. Safeguards should be in place to protect PHI in the event of theft or loss such as using passwords on electronic devices to verify the person signing into the device is authorized to access the information.
#8 – Being unprotected from computer hacking.
Again, using encryption, firewalls, password-restricted access, and other security measures are imperative for protecting PHI. It may also be a wise investment for your organization to utilize an electronic records database that can be accessed remotely from a cloud to avoid computer hacking and misuse of PHI.
Inadequately trained employees leads to a greater chance of HIPAA offenses
Many of the aforementioned HIPAA violations can be avoided if employees receive adequate and ongoing training on HIPAA law. Don’t let your facility become another statistic! If you don’t have one already, begin and implement a HIPAA compliance training program, and make sure that HIPAA law compliancy is included in your written policies and procedures.
→ Learn More: 7 Must-Haves for Regulatory Compliance Training
Originally published in 2014.