It is crucial and mandated by federal law for healthcare organizations to ensure the privacy and security of PHI. Many acts of neglect, willful or not, can be considered violations of HIPAA. In a video titled Privacy and Security: The New HIPAA Rule, we are given three examples of violations: a hospital in Michigan accidentally posting over a thousand patients’ PHI online, a health insurer losing the financial and personal information of over 450,000 customers, and several pharmacy chains improperly disposing of medical records in dumpsters instead of by using appropriate disposal methods such as shredding. These examples are extreme and include cases that affected a great number of people; however, violations that only affect a few individuals are also cause for concern because they shed light on a problem in the organization’s privacy and security policies and procedures. The fines for security breaches are hefty, ranging from $100 to $50,000 depending on the scope of the violation, as well as whether or not the violation was made unwittingly or as an act of uncorrected, willful neglect with full knowledge of the law. These fines correspond to 4 tiers of violations increasing in culpability, as set by the HIPAA Omnibus Rule (Sterling, 2015). Measures can be implemented to avoid such HIPAA violations and security breaches, and it is crucial for management to routinely conduct thorough analyses of their organization to identify potentially risky areas or behaviors. Whereas an internal security audit is better than no audit, it is also important to undergo a professional Security Risk Analysis (SRA) which may identify new factors that may not have previously been considered. Additionally, an annual SRA is now required in order to attest for Meaningful Use.
In the event of a security breach that involves more than 500 people, several steps are required by the Breach Notification Rule. First, the organization must provide individual notice to all persons affected by the breach. Ideally, this should be done in the form of a letter sent by first-class mail, but can also be done by email if the individual affected had previously agreed to receiving such notifications by email. If more than 10 people affected are unreachable due to inaccurate contact information, the organization must post a public notice about the breach for at least 90 days on their website, in broadcast print, or by use of media. Second, the media must be notified of the breach, most commonly done by holding a press release in the affected area. Finally, the organization must also notify the Secretary by going to the HHS website and filling out a breach report form (HHS, 2016).
In the event of a security breach that involves less than 500 people, individual notice to all affected persons is required, but the media does not necessarily need to be notified. Additionally, in a breach involving less than 500 individuals, the Secretary does not need to be notified immediately—such breaches can be reported to the Secretary on an annual basis (HHS, 2016). However, regardless of scope, security breaches can take a huge toll on the organization in several ways—it will cost the organization a significant amount of money both in fines and in reparation efforts, will take up time and resources in order to appropriately notify all affected individuals and the HHS Secretary, and will also tarnish the organization’s reputation. It is therefore crucial for management to be well-versed in privacy and security regulations, and to ensure that all measures are taken to avoid security breaches.
The main causes of HIPAA violations include lack of knowledge, low security, unauthorized users or unnecessary access to PHI, and simple neglect. To address lack of knowledge, healthcare office managers must take several measures. First, a policies and procedures manual must be kept updated and revised as new opportunities for violations arise, such as in the case of new technology or devices being implemented. Our practice recently started using a mobile app through our EMR, which allows providers to access PHI from their smartphones. They are able to access patients’ charts, send prescription refills or lab orders, and perform other tasks that may be necessary for an on-call provider who may not otherwise have access to the EMR system at that moment. Such new features, although beneficial for patient care, open up new opportunities for security breaches. To address such risks, a new policy must be added to the policies and procedures manual, and precautions must be taken such as requiring that the providers accessing the mobile app utilize a complex password to access their phones (in addition to the login credentials needed to access the mobile app). Staff trainings must be done on a regular basis to review the policies and procedures in place, as well as to introduce any new policies. In our organization we also subject all employees to HIPAA testing after training, to ensure that they understand what they have learned. It is not enough to simply conduct yearly HIPAA training, especially considering the fact that new employees may be hired after the yearly training has already been done. These new employees must immediately be subjected to a thorough training on what constitutes a HIPAA violation, and how to prevent such occurrences within the organization. A Privacy and Security Officer must be designated so that all employees have someone to turn to when they have questions or if situations arise that they are not sure how to handle appropriately.
Low security must be addressed by a Health IT professional, who can take steps such as preventing access to certain sites, using a secured network, installing firewalls and other antivirus programs, creating unique desktop and EMR login credentials and complex passwords for users, encrypting data, as well as remote data wiping in the event that a device containing PHI is lost or stolen (Cohen & Difiore, 2014). Unauthorized access to PHI can be monitored through random log audits to ensure that users are only accessing PHI on a need-to-know basis. Additionally, users can be placed in categories with different sets of permissions based on their roles and job functions. For example, front office staff does not need the same access to PHI as a healthcare provider or medical assistant involved in direct patient care. Additionally, physical measures can be taken such as implementing screen protectors to ensure that other patients or unauthorized individuals cannot see an employee’s screen. It is important for staff to be trained to log out of their EMR system when leaving their workstation so that unauthorized users cannot access PHI under their login credentials. It is crucial that no patient information is left laying around on desks at the end of the workday so that individuals such as the cleaning crew do not have access to PHI. Furthermore, any such individuals that conduct business with the organization should have signed a Business Associates Agreement as well as a Workforce Confidentiality Agreement that briefs them on the importance of protecting PHI.
It is not always easy for an organization to ensure full HIPAA compliance. It may in fact be very difficult to implement, especially in a practice or facility that has high employee turnover, and no time or no qualified person to regularly train all staff. However, when faced with the serious penalties and consequences that may arise from not being fully compliant, it is important to dedicate time and effort to this cause. The main key to reducing potential violations, aside from technological safeguards, is the proper training of all employees, the designation of a knowledgeable and thorough Privacy and Security Officer, as well as the existence of a clearly-defined, updated, and accessible policies and procedures manual in place in case an employee has any doubt about whether a specific act or behavior constitutes a violation.
About the Author:
Sonda Eunus, MHA
Sonda Eunus is the Founder and CEO of Leading Management Solutions, a healthcare management consulting company (www.lmshealthpro.com). Along with a team of experienced and knowledgeable consultants, she works with healthcare practice managers to improve practice operations, train employees, increase practice revenue, and much more. She holds a Masters in Healthcare Management and a BA in Psychology.
Breach Notification Rule. (2016). U.S Department of Health and Human Services. Retrieved from: http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Cohen, Z.B. & DiFiore, M.G. (2014).Ways to stay HIPAA compliant when using mobile devices. Medical Economics, 91(3), 44.
EnvisionHealthEd. (2010, January 22). Privacy & Security: The New HIPAA Rule. Retrieved from https://www.youtube.com/watch?v=fTjZ7GokQw4
Sterling, R. (2015). Defend your practice against HIPAA violations. Medical Economics, 92(5), 52-57.