Common HIPAA Mistakes

As a person who works within the healthcare industry, understanding HIPAA is a necessity, even if it is knowing just the basic rules.  These rules and regulations are complex and ever-changing so that they can keep up with the fluid landscape of healthcare, so unless you are an expert, it is unlikely that you know all the details of being compliant.

With fines that can be debilitating to a business of any size, we thought we’d look at some of the more common mistakes that are made when it comes to HIPAA violations.  While every business is different, we found that these were often repeat offenders.   The responsibility of these mistakes varies and may reside at the business level or the individual level, but if a violation occurs, the business will be held accountable.  Yet another reason to emphasize just how important it is for a business to ensure that their team is well trained and informed on how to maintain HIPAA compliance.

1. Perform a risk analysis. You can’t fix what you don’t know is broken.  Every business should assess where they are when it comes to HIPAA compliance.
2. Cybersecurity flaws. Hacking and data breaches are one of the biggest risks to healthcare businesses.  If you don’t know where your cybersecurity weaknesses are, a cybercriminal will show you soon enough.
3. Loss of theft of devices. We “live on our phones” …and so does access to a lot of data.  And that data is PHI that falls under HIPAA regulation.  So if your phone or laptop is stolen, you need to follow proper protocol.
4. Employee training. HIPAA experts are experts for a reason – they are dedicated to knowing the rules and regulations.  You are the healthcare experts.  You can’t keep up with the government rules and regulations, and couple that with the tactics that are changing daily when it comes to cybercrime, it is a full-time job.  Let the experts guide you on how to learn to stay compliant and keep that data safe.
5. Exceeding the timescale for providing patient access to health records. A patient has the right to access their health records within 30 days.
6. Office gossip, inadvertently sharing PHI. Friends and colleagues talk at work about a range of things, but sharing PHI when it’s “watercooler chatter” is off-limits
7. Employee curiosity. “I’m just going to have a quick look at this patient’s file” …curiosity is not a valid reason to allow access to a patient’s file if an employee is unauthorized. This includes unauthorized sharing with third parties.  Education on who can see what is key.
8. Unencrypted data. This added layer of protection is critical, especially if PHI is stolen.  State regulations can vary, so make sure you are working with a team who KNOWS THE RULES.
9. HIPAA Breach Notification Rule. As a covered entity, you have 60 days to issue notifications following the discovery of a data breach.
10. Improper disposal of PHI. Once retention periods have expired, you must destroy information securely and permanently – and under HIPAA guidelines.

These ten reasons are not all the ways that HIPAA violations can occur, and with the additional risk of a weak cybersecurity posture, the ways are essentially endless in which you could find yourself at risk of a violation.

Take time to make HIPAA compliance and strong cybersecurity a priority in your business model.  You will be rewarded with less stress and a stronger likelihood of longevity and good health within your own business.