Costly HIPAA violations are an all too common occurrence. Even for organizations that believe they’ve done their due diligence on security, inadvertently sharing private medical information can come with extremely expensive—and sometimes legal—repercussions.
HIPAA compliant hosting is an essential step to take in protecting your business from violating HIPAA rules and regulations.
So what is HIPAA? And what does it mean for you and your business?
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that was designed to protect patient health information, putting in place nationwide measures to safeguard protected health information (PHI) from being disclosed without patient consent.
The HIPAA Privacy, Security, and Breach Notification Rules ensure the security of health information.
What Information Is Protected?
HIPAA provides federal protection for the following information:
- Diagnosis and treatment by doctors, nurses, and other medical professionals.
- Patient information and medical test results.
- Health insurance provider records.
- Billing information relating to medical treatment.
- Prescription information.
- Any other individually identifiable health information.
Individuals have the right to view all data held by a covered entity and receive notice when personal information is used and shared.
Three HIPAA Rules
Here is a breakdown of the Privacy, Security, and Breach Notification Rules, along with examples of the violations each rule is meant to prevent.
1. The Privacy Rule
The Privacy Rule sets national standards that protect medical records and other protected health information.
Examples of HIPAA Privacy Rule Violations
- Failure to conduct HIPAA training for new or existing employees.
- Failure to conduct HIPAA training for substantive changes in policies and/or procedures.
- Failure to keep paper charts or records from public view and exposing protected health information to unauthorized parties.
- Failure to obtain written authorization for use of or disclosure of PHI for reasons having nothing to do with treatment, payment, or other operations as permitted by the Privacy Rule.
- Failure to implement the rule of least privilege to prevent curious employees from accessing patient files without authorization.
2. The Security Rule
The Security Rule dictates that covered entities and business associates must safeguard electronic protected health information (ePHI).
Examples of HIPAA Security Rule Violations
- Migrating ePHI data to a cloud service provider that is not HIPAA compliant and/or does not incorporate a Business Associate Agreement (BAA).
- Failure to implement access and audit controls on ePHI that record whether data has been altered, destroyed, or exposed to interception by unauthorized parties.
- Failure to encrypt ePHI, use an alternate data protection scheme, or document why encryption isn’t necessary.
- Failure to use controls that automatically terminate access to ePHI after a period of inactivity on computers and mobile devices.
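The three technical safeguards in the list above (access controls, an audit trail for ePHI, and automatic termination of idle sessions) are easier to reason about in code. The following is an added illustration, not code from the original post or from Liquid Web; the record store, role table, user names and the 15-minute inactivity limit are all assumptions chosen for the example, and the least-privilege check also covers the Privacy Rule point about curious employees opening files they have no need to see.

```python
"""Added example: least-privilege access, an audit trail, and automatic
logoff for an ePHI record store. Hypothetical code; all names and the
inactivity limit are assumptions, not values from the original post."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(minutes=15)  # assumed policy value

# Least privilege: each role is granted only the actions its job requires.
ROLE_PERMISSIONS = {
    "physician": {"read", "update"},
    "billing": {"read"},
    "front_desk": set(),  # check-in staff never touch clinical records
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime


@dataclass
class AuditEntry:
    timestamp: datetime
    user: str
    action: str
    record_id: str
    outcome: str  # "ok" or the reason the attempt was denied


@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, now, user, action, record_id, outcome):
        self.audit_log.append(AuditEntry(now, user, action, record_id, outcome))

    def access(self, session, action, record_id, now, new_value=None):
        """Perform `action` on one record. Every attempt is logged, allowed or not,
        so the audit trail shows who altered or viewed which record and when."""
        # Automatic logoff: an idle session is refused before any check of rights.
        if now - session.last_activity > INACTIVITY_LIMIT:
            self._log(now, session.user, action, record_id, "denied: session expired")
            raise PermissionError("session expired after inactivity")
        session.last_activity = now
        # Access control: the role must be explicitly permitted the action.
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(now, session.user, action, record_id, f"denied: role {session.role}")
            raise PermissionError(f"role {session.role} may not {action}")
        if action == "read":
            value = self.records[record_id]
        elif action == "update":
            self.records[record_id] = new_value
            value = new_value
        else:
            self._log(now, session.user, action, record_id, "denied: unknown action")
            raise ValueError(f"unsupported action {action}")
        self._log(now, session.user, action, record_id, "ok")
        return value


def demo():
    """Constructed walk-through; returns (action, outcome) pairs from the audit log."""
    store = EphiStore(records={"pt-001": {"diagnosis": "constructed sample"}})
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    doctor = Session("dr_smith", "physician", t0)       # hypothetical user
    clerk = Session("clerk_jones", "front_desk", t0)    # hypothetical user
    store.access(doctor, "read", "pt-001", t0 + timedelta(minutes=1))
    store.access(doctor, "update", "pt-001", t0 + timedelta(minutes=2),
                 new_value={"diagnosis": "updated sample"})
    for session, when in ((clerk, t0 + timedelta(minutes=3)),
                          (doctor, t0 + timedelta(minutes=30))):
        try:
            store.access(session, "read", "pt-001", when)
        except PermissionError:
            pass  # the denial is already recorded in the audit log
    return [(entry.action, entry.outcome) for entry in store.audit_log]


if __name__ == "__main__":
    for action, outcome in demo():
        print(f"{action:7} {outcome}")
```

The point to notice is that the denied attempts appear in the log with the same detail as the successful ones: an audit trail that only records successes cannot show that a front-desk account tried to open a chart, or that a physician's session was left idle and later reused. The inactivity check runs before the permission check, so an expired session is refused even for a user whose role would otherwise allow the action.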
3. The Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
Examples of HIPAA Breach Notification Rule Violations
- Failing to notify affected individuals within sixty (60) calendar days following the discovery of an ePHI breach.
- Failing to provide an active toll-free telephone number, for at least ninety (90) calendar days, through which individuals can learn whether their ePHI was exposed.
- Failing to notify the media of a breach involving ePHI affecting greater than five hundred (500) residents of a state or jurisdiction within sixty (60) days of the discovered breach.
- Failing to notify the Department of Health & Human Services of a breach affecting greater than five hundred (500) records within sixty (60) calendar days of a discovered breach.
What is HIPAA Compliance?
HIPAA sets national standards for the safety of patient information. It is essential for companies that deal with sensitive health information to have a series of safety measures to ensure that their operations are in accordance with HIPAA. These include physical, technical, and network security measures.
What is a HIPAA Violation?
Without the safety mechanisms provided by HIPAA compliant hosting, businesses run the risk of violating HIPAA, a misstep that can have significant legal and financial ramifications.
HIPAA violations occur when covered entities or business associates fail to safeguard protected health information, resulting in personal risk to the patient.
Common HIPAA violations are caused by:
- Hacking made possible by lack of firewalls.
- Theft of devices that are not password protected or encrypted.
- Unsecured digital files.
- Exposing PHI, such as social security numbers or diagnoses.
Violating HIPAA can be extremely costly, with fines reaching up to $50,000 per occurrence, with a maximum annual penalty of $1.5 million—per violation. HIPAA violations can even result in jail time.
What Does a HIPAA Violation Look Like?
HIPAA violations can take on many different forms which can be unexpected. The following situations are seemingly benign but can have serious consequences.
The use of social media to convey opinions, activities, and photos is a way to connect with others, but can also blur the line between professional and personal relationships, especially when that information is presented out of context or the information reaches unintended individuals.
Consider the hypothetical story of someone with HIPAA training out with friends from both personal and professional circles. He showed his friends a picture that a patient, who was also a friend, had taken while out clubbing and posted on social media. He informed his friends that the patient consumed alcoholic beverages that interacted with the patient's medications. Is this a breach of patient confidentiality, since the picture was already on social media? Is this a breach of patient confidentiality even though he did not say which medications the patient was taking? The legal and ethical ramifications can quickly become quite murky.
How many times have you been to a doctor’s office for your own appointment and inadvertently seen or overheard other patients’ names and medical information?
When checking in at the front desk, it’s a common practice for office staff to keep a sign-in sheet on a clipboard that includes the names of all the patients who are in the office that day. This clipboard may also include social security numbers and even the medical procedures and treatments patients are having performed.
It’s also very common to overhear patient information being discussed by staff on their way out or through the waiting area where other patients are waiting to be seen by their own doctors.
These particular examples may yield a very uncomfortable pause; HIPAA violations are blunders quite easily made, even in passing.
Unattended phones and unlocked computers, which are used to access patient information, are HIPAA violations waiting to happen. Only approved company devices that are secured properly and encrypt patient information should have access to ePHI. The last thing your company needs is a lost personal mobile phone leaking patient information.
How To Avoid HIPAA Violations
- Mind your technology. Tech has made sharing information easier than ever before, but it comes with substantive risks. Sharing login credentials or passwords, leaving mobile devices unattended, and texting patient information are easy ways to get hit with a HIPAA violation. Use caution when discussing or viewing confidential information on devices and be sure to use employer healthcare messaging instead of regular text messaging.
- Watch where you discuss patient information. Medical facilities are lively buildings abuzz with personnel who sometimes find it easier to relay patient information in passing to a coworker while dashing down a hallway. The medical professional may not realize patient families and other pertinent personnel could overhear PHI.
- Double-check authorizations. Before the use or disclosure of information (other than treatment, payment, surgery, or Privacy Rule exemptions), always ensure that written consent was obtained from the patient beforehand, especially when providing information to coworkers not caring for the patient.
- Avoid connecting with patients and other caregivers on social media. Professional boundaries should be strictly enforced to avert the disclosure of confidential patient information.
Fines for HIPAA Violations
HIPAA fines are assessed according to the following criteria:
- Nature of the violation, including, but not limited to, any data accessed without authorization and/or the number of people involved.
- How long the breach was allowed to continue after it was discovered.
- Any previous HIPAA violations.
Fines may also be compounded based on the layers involved in a breach.
Consider the following scenario:
Failure of access controls to terminate access to ePHI after a period of inactivity (violation #1), on an unattended device (violation #2), due to personnel not having been trained (violation #3) and finally, the ePHI was located on an unencrypted device (violation #4).
Four Levels of HIPAA Violation Culpability
The level of culpability also plays a critical role in how fines are issued.
- Level 1 violations carry the lowest penalties and are ones which could not be avoided. The covered entity could have been ignorant, and even after having conducted due diligence, still not have had knowledge of it in time to avoid a breach. The minimum penalty is $119 while the maximum is $59,522. The max amount that can be charged for a single calendar year is $1,785,651.
- Level 2 violations have a reasonable cause, and the covered entity should have known about the problem before the violation took place. The minimum penalty is $1,191 and the max penalty is $59,522. The cap for the year is $1,785,651.
- Level 3 violations involve willful negligence. If the violation was corrected within thirty (30) days, the penalty may be less severe. The minimum penalty is $11,904 while the max penalty is $59,522. The cap is $1,785,651.
- Level 4 violations carry the highest penalties because they involve willful negligence and there have not been any timely attempts made to resolve the issue. The minimum penalty starts at $59,522. The max and calendar year cap are both $1,785,651.
Are There Criminal Penalties for HIPAA Violations?
HIPAA violations are considered criminal offenses and carry jail time when they are willful and intended to cause injury. For example, a healthcare professional knowingly sharing ePHI for financial gain is a criminal offense.
Criminal HIPAA violations designate levels and punishments as follows:
- Level 1: The covered entity had a reasonable cause and/or was unaware of the violation. The result may be one year in prison.
- Level 2: The covered entity obtained ePHI under false pretenses/social engineering. This violation can carry up to five (5) years in prison.
- Level 3: The covered entity obtained ePHI for personal use or gain with malicious intent. The court can sentence offenders up to ten (10) years for this violation.
Be Audit-Ready for HIPAA Violations
The Department of Health and Human Services’ Office for Civil Rights periodically conducts audits. These audits are meant to ensure that covered entities and their business associates are acting in compliance with rules and regulations concerning HIPAA.
All covered entities and business associates may be selected for an audit.
To avoid violations, it is vital for companies to choose a hosting service that is HIPAA compliant, understands the audit process, and is knowledgeable on how to prevent violations.
Understanding the necessity of being prepared for such an audit, Liquid Web conducts examinations using the Office for Civil Rights’ Audit Program Protocol, following best practices to ensure compliance.
Additionally, Liquid Web uses Audit Control to ensure that all logins and maintenance are properly documented, as required by HIPAA.
HIPAA Compliant Hosting with Liquid Web
In a rapidly shifting medical landscape, it can be complicated to keep up with what HIPAA requires of business owners. In the age of COVID-19, a further complication is that workplaces must remain HIPAA compliant—whether they are working remotely or not.
In addition to understanding HIPAA rules and considerations, the most valuable step you can take toward ensuring that you are staying HIPAA compliant as a small business is choosing a HIPAA compliant hosting solution.
HIPAA violations can have damaging consequences. That’s why Liquid Web offers HIPAA Compliant Hosting solutions with superior physical and technical security. A thorough review by third-party auditors confirms that Liquid Web meets all HIPAA/HITECH requirements.
Liquid Web’s compliant hosting solutions are fully customizable to fit the needs of businesses and organizations that need powerful data security.
Need Help with HIPAA Compliant Hosting? Download our HIPAA Hosting FAQ eBook.
The material contained herein is provided for information purposes only and does not qualify, nor should it be construed, as legal advice. Understanding the causes of HIPAA violations can help Covered Entities and Business Associates better comply with the HIPAA Rules and avoid data breaches. However, understanding the causes of HIPAA violations does not guarantee that you or your organization are HIPAA compliant. A HIPAA compliance expert should always be consulted to help protect against litigation.
About the Author: Christine Wilinsky