Common HIPAA Violations
If healthcare organizations fail to follow the Health Insurance Portability and Accountability Act (HIPAA), the consequences can be severe. HIPAA violation penalties for employees include termination of employment, hefty fines, and criminal charges in extreme cases.
Here are some common violations to be mindful of.
1. Snooping on Healthcare Records
Healthcare workers cannot access protected health information (PHI) except for what’s permitted in the Privacy Rule. Examples of unauthorized record access include looking up health information about family, friends, co-workers, neighbors, and celebrities.
2. Failure to Perform an Organization-Wide Risk Analysis
Risk analyses help organizations find vulnerabilities in their systems. An organization can be fined if it doesn’t complete risk analyses regularly.
3. Failure to Manage Security Risks
Once your organization completes a risk analysis, you must take action against any vulnerabilities you find within a reasonable time. Knowing about a PHI risk but failing to fix it is a HIPAA violation.
4. Denying Patients Access to Health Records
According to the HIPAA Privacy Rule, patients can access their medical records to check for errors and obtain copies to share with entities and individuals. Healthcare organizations must allow access or provide copies within 30 days of a request.
5. Insufficient e-PHI Access Controls
Covered entities and business associates must put controls in place to limit electronic protected health information (e-PHI) access to authorized individuals. With insufficient or failed access controls, unauthorized parties can view sensitive data.
6. Failure to Safeguard e-PHI on Portable Devices
Encryption is a great way to protect PHI because it renders the data unusable to anyone without the decryption key. If your organization doesn’t use encryption, it must apply an equivalent protective measure.
7. Impermissible Disclosures of PHI
Disclosures of PHI must follow the guidelines of the Privacy Rule. Violations include disclosing PHI:
- To the patient’s employer.
- After an authorization has expired.
- In excess of the minimum necessary amount.
8. Improper Disposal of PHI
According to HIPAA rules, physical copies of PHI and e-PHI must be permanently destroyed when they’re no longer needed. Physical PHI can be destroyed by shredding or pulping, and e-PHI can be destroyed by secure wiping or degaussing.
Examples of HIPAA Violations by Nurses and Healthcare Employees
All healthcare employees should be aware of HIPAA rules to avoid misunderstandings about the requirements. Here are some examples of unintentional HIPAA violations employees might make:
- Emailing e-PHI to personal email accounts
- Removing PHI from a healthcare facility
- Leaving paperwork and portable electronic devices unattended
- Releasing PHI to an unauthorized individual
- Providing unauthorized access to medical records