In today’s fast-paced world, paper-based information systems are growing irrevocably obsolete. Pretty much any kind of data is now processed electronically: we make payments online, store our vacation photos on clouds, and maintain employment-related records in web-based platforms. The same applies to our medical information – it’s more rarely held on paper and is more frequently transformed into the digital form.
Electronic health records let healthcare providers be more flexible and efficient in practice. However, they are also associated with significant security risks:
When a hospital, an insurer, or a member of medical staff discloses their client’s digital health information (either by accident or on purpose), they violate that person’s right to privacy and confidentiality – the core pillars of one’s social well-being.
The HIPAA regulations were created to protect individuals from such infringements on their rights and prevent the occurrence of medical data breaches. In this article, we’re going to discuss what HIPAA regulations are, why respecting them is pivotal for every employer, and how to avoid HIPAA violations in your workplace.
What Is a HIPAA Violation in the Workplace?
HIPAA stands for the Health Insurance Portability and Accountability Act, which came into force in 1996. It aims to promote the use of new technologies among healthcare businesses and practitioners (aka covered entities) while protecting individuals’ private health information from theft and fraud.
HIPAA forbids covered entities from disclosing patients’ individually identifiable health information without their consent. This includes the info about:
- Patients’ past, current, or future health conditions
- Prescribed medical services and treatments
- Payment for the provided care
The failure to protect this data from unauthorized use is what we call a HIPAA violation.
Note: If health information doesn’t contain any common personal identifiers (such as a patient’s name, address, birth date, etc.), it can be freely used and shared by covered entities without a patient’s authorization.
What Are Covered Entities Under HIPAA?
HIPAA applies to organizations and persons who have access to patients’ health information and can share it in electronic format. They are:
- Health plans – Any organization that provides healthcare coverage: health maintenance organizations, health insurers, Medicaid and Medicare insurers, etc.
- Healthcare providers – Organizations and solo practitioners that can exchange patients’ electronic health information with other parties during such standard transactions established by the US Department of Health and Human Services as benefit eligibility inquiries, referral requests, etc.
- Healthcare clearinghouses – Any organization that processes patients’ individually identifiable health information after receiving it from another covered entity or patients themselves. Healthcare clearinghouses usually serve as middlemen between insurance payers and covered entities (+ they may act as business associates to the latter). These organizations include medical billing, community-based information systems, etc.
- Covered entities’ business associates – Organizations or individuals that process, analyze, review and use personally identifiable health information in any other way on behalf of health plans, healthcare providers, and healthcare clearinghouses.
Why Are HIPAA Violations Bad for Your Business?
HIPAA violations are costly.
Depending on the number of people affected by a data breach, how harmful it was, and the circumstances that led to it, the Office for Civil Rights (OCR) may impose a pretty massive fine on a covered entity.
The most significant HIPAA violation penalty up to date was settled in 2018 by a US health insurance provider, Anthem Inc. The company paid a hefty amount of $16 million for the loss of 78.8 million records due to a cyberattack. But that’s not all. Anthem Inc. also lost over $150 million, settling a multi-state action and a class-action lawsuit on behalf of the victims of that unfortunate episode.
Although HIPAA violations don’t result in jail time that very often, such incidents still happen (in case of theft, for example). Plus, severe HIPAA violations are always damaging to one’s reputation – and if you want to attract new clients and maintain long-lasting relationships with them, it’s exactly what you need to avoid.
How to Avoid HIPAA Violations in the Workplace?
The most reliable way to stay away from HIPAA violation penalties is to ensure impeccable HIPAA compliance at the workplace. That means you should strive to maintain confidentiality, integrity, and availability of all the personally identifiable health information you keep and exchange with other parties.
HIPAA regulations don’t dictate specific measures on how to achieve this goal. However, when choosing your data protection methods, it’s recommended to consider the following factors:
- Size and complexity of your organization
- Adopted technologies and IT infrastructure
- Available budget
- Overall risks to individually identifiable health information
Now, let’s see what can help you protect patients’ data and prevent security breaches:
- Risk analysis – This process involves discovering potential threats to patients’ data privacy: technical shortfalls, inadequate access controls, poor understanding of HIPAA requirements among employees, etc. Risk analysis should be carried out regularly and systematically. You need to have a step-by-step risk assessment procedure in place and document your findings thoroughly – they will help you develop an evidence-based strategy for compliance improvement.
- Data protection and privacy policies – Organizational policies provide guidance and promote accountability among employees. They will help explain to your staff what HIPAA regulations are, why they’re important, how to comply with them and which sanctions apply in case of misconduct. When designing your data protection policy, be sure to elaborate and refer to the major terms and concepts from the HIPAA Privacy Rule.
- Privacy personnel – It’s much easier to take data protection under control when all the relevant duties are allocated to a single professional (or a small group of thereof). So, choose a staff member who has enough expertise to develop and enforce organizational privacy policies, educate employees on compliance with HIPAA rules, and manage all the complaints regarding HIPAA violations.
- Technical and physical safeguards – These include strict access controls, data usage monitoring, data encryption, data backups, mobile device security, etc. Make sure to apply only reliable hardware and software and do your best to respect all the up-to-date data security requirements.
- Employee education and management – Any professional who comes in contact with patients’ personally identifiable health information – be that a full-time staff member, a part-time worker, or a trainee – must be familiar with HIPAA requirements and behave in line with them. Hence, it’s pivotal to provide your employees with high-quality training and keep them accountable for every breach of confidentiality and privacy.
What to Do When You Found a HIPAA Violation at the Workplace?
You bear a much lower risk of data breach penalties in case a HIPAA violation is detected internally and addressed promptly to prevent its recurrence. Therefore, it’s essential to have a straightforward procedure for reporting every potential HIPAA violation at the workplace.
This procedure should comprise three basic steps:
- An employee notifies the Privacy Officer about a potential data breach.
- The Privacy Officer investigates the issue. They figure out who was responsible for the incident, how it took place, and what effects it had.
- The Privacy Officer designs a plan for correcting the discovered HIPAA violation and imposes sanctions on the involved employees.
Note: If you believe that the found violation could be harmful to individuals whose data was disclosed, it must be reported to those individuals, as well as the OCR. This will help you mitigate financial penalties (and possibly avoid them).
