The healthcare industry is incurring a higher rate of data breaches than any other industry.
This makes HIPAA regulations of critical importance to doctors and healthcare organizations of every size. Patients (rightfully) demand it as a protection of their personal information. Not doing so, can cause a HIPAA Violation that can be exceptionally devastating to a business. Besides being an important step in protecting their patients, it’s also a great business practice to know how to keep data safe.
Some small clinics may think that because there are larger organizations to keep an eye on, they wouldn’t get investigated. But, they may be surprised by just how many investigations are initiated by a single patient complaint.
What is HIPAA Law?
HIPAA is the Health Insurance Portability and Accountability Act. There are 5 major rules of the act that covers: privacy, security, transactions and code sets (TCS), unique identifiers, and Health Information Technology for Economic and Clinical Health (HITECH) enforcement.
This act was created to develop a national standard of how medical professionals need to protect individuals’ medical records and other personal health info. Patients now have much more control over their health information. Boundaries have been set on the use and release of their health records. HIPAA violations are investigated by the U.S. Department of Health and Human Services in conjunction with the Office for Civil Rights.
How Do HIPAA Violations Occur?
Many people are surprised when we tell them that the single biggest threat is from inside of a healthcare organization. According to McAfee, insiders (including doctors, and other healthcare professionals) are responsible for 43 percent of data breaches. The Information Security Forum puts that number at 54 percent.
These are not usually actions with malicious intent. Human error plays a significant role in data breaches. Here are two easily done HIPAA violations:
- Lost or Stolen Devices – Laptops and mobile phones are easily lost or stolen. When the theft includes Protected Health Information (PHI) stored on the phone it becomes a HIPAA violation.
- Texting Patient Information – When using standard texting software on your phone, it ’s too easy for information to be stolen by cybercriminals.
More examples of human error resulting in data breaches include improper disposal of records, sharing of photos with patients on social media, and accessing patient information on home computers or public wifi networks.
Who Does a HIPAA Violation Affect?
When a HIPAA violation occurs, it is damaging for the doctor and the patient alike. Potential attackers will specifically target healthcare providers to obtain medical records, financial records, and intellectual property. This doesn’t just threaten the patient’s security. On average, medical identity theft victims pay $13,500 to resolve the issue.
When the violation is reported and action is taken against the doctor or clinic, there is usually a significant fine. The fines are adjusted based on the severity of the violation but can range anywhere between $100 to $1.5 Million, and can even include prison time.
Besides the fines, doctors can also be impacted by potential lawsuits, a disruption of care, damage to their reputation, and loss of patient’s trust.
HIPAA Violation Fines
The fines that doctors or clinics can receive for violating regulation are significant and can be highly destructive for their business. To determine the fine, the Department of Health and Human Services have created four tiers of severity.
- Tier 1 – The least severe violation. In this tier, the violation was unknown, and would not have been known while exercising reasonable due diligence. These violations are often covered by cyber insurance. Cyber insurance is important to have because it’s usually excluded from professional liability insurance policies. Fines can range from $100 to $50,000.
- Tier 2 – In this tier, the violation had a reasonable cause, but was not due to willful neglect. Negligence due to “sticking your head in the sand” automatically raises the violation to Tier 2. Fines can range from $1,000 to $50,000.
- Tier 3 – When this violation occurred, it was due to willful neglect, but it was corrected within a reasonable time period. Fines in this category can range from $10,000 to $50,000.
- Tier 4 – The most severe violations are in tier 4. This is when the violation was due to willful negligence and no attempts were made to correct the violation. The fines in this tier range from $50,000 up to $1.5 million with a potential jail sentence.
Becoming HIPAA Compliant as Small or Medium Healthcare Organizations
It is important for small and medium-sized organizations to understand they will never reach the perfect state of 100% compliant. It would simply be cost prohibitive to do so. What we do recommend is finding the biggest risks and solving those first. From there we advocate for building a clinic culture of compliance and ongoing education.
This involves doing a full assessment, creating processes and procedures, educating employees and management, and using security applications and technology.
How We Cover HIPAA Compliance
When we start working a doctor or clinic, the first step is to do a comprehensive HIPAA security review. This is to determine their current state of compliance and any specific violations they may have already had. We tie each HIPAA rule to an assessment question, then we rank the likelihood, impact, and risk of not being in compliance with that rule.
Some of the Questions We May Ask our HIPAA Compliance Clients are:
- Does your organization control access to electronic PHI and other health information by using encryption/decryption methods to deny access to unauthorized users?
- Do employees ever leave an unlocked computer alone in a room with an unauthorized employee or patient?
- Can employees identify potential ransomware? If so, do they know what to do with it?
- Do employees know how to use their phone and computer in a HIPAA compliant manner when using public or hotel Wi-Fi?
Benefits of HIPAA Compliance Assessment
For each rule, we share with our client solutions for ensuring their compliance. Which includes improving their processes, procedures, education, and technology. This, in turn, helps a clinic to make more informed decisions on where to focus their efforts and resources with remediation.
For example, those two HIPAA violations we mentioned above both have quick fixes to prevent the violation. We would password protect and encrypt most devices like phones and laptops. Then, we would also install encryption for texting to allow safe communication of PHI.
Going through an assessment like ours can lessen the penalties associated with violations. Generally, when you have an assessment and a plan in place, you can keep a violation in tier 1, the least severe.
How to Prevent a Violation
According to the Ponemon Institute’s Annual Study on Medical Identity Theft, 68% of patients aren’t confident in the measures taken to protect their medical records. It’s important not only for the patient but the clinic too, that each and every staff member knows their role in HIPAA compliance.
With only 33 percent of healthcare providers believing they have sufficient resources to prevent a data breach, education is critical. We always advocate that our clients focus on education and training. Ensuring that the office staff understands their role in HIPAA compliance is a critical part of protecting their patients’ medical records. It takes a commitment to make internal training a priority and continuing to educate the staff of the proper processes and procedures.
Since we are considered business associates to our healthcare clients, we are required to be HIPAA compliant as well. We practice what we preach with constant HIPAA training along with reviewing and updating our processes and procedures. To make sure your business is kept safe too you must have plans set in advance.
The Five Security Tests We Use In HIPAA Compliance Audits
We always perform five tests when helping clients become HIPAA compliant. Learn more about these necessary tests!
Staying HIPAA compliant is a critical move all doctors and clinics need to do. It keeps your patient’s information safe and keeps your business safe from hefty fines. These regulations are also good business practices for ensuring every staff member is on the same page and takes their position seriously.
Interested in your company’s HIPAA compliance? Let’s chat.