The HIPAA Privacy Rule is one of the first things healthcare staff are educated on, and employees are required to complete refresher training annually to ensure that the organization can avoid the costly consequences of a security breach. Despite your best efforts, HIPAA violations inevitably arise at some point or another, and with audits becoming more aggressive you need to be certain that all employees understand the high cost of infractions.
Costs of HIPAA Breaches to Your Organization
While many of the breaches aren’t major violations (and are often committed unintentionally), they can still have resounding effects on your organization’s reputation and bottom line.
The penalties vary depending on a number of factors, including the nature of the individual situation and what, if anything, the person did to correct the incident. However, fines start at $100 and can go as high as $1.5 million per year, with even more being charged for repeat violations.
Money is not all your organization has to worry about; HIPAA violations can cost you in other ways as well. With a criminal penalty, individuals who knowingly cause infractions can end up facing jail time on top of a hefty fine. Additionally, with any fine over $100, the covered entity must share the breach with the local media, so keeping the incident out of the news isn’t something that can be controlled.
Five Most Common HIPAA Violations
With these penalties in mind, and knowing that many of the breaches are often unintentional, we spoke with industry expert Alex Krouse, JD, MHA, who provides advice and counseling on regulatory matters for healthcare organizations, about the five HIPAA violations that occur most commonly in healthcare. Take a look to see if your employees are committing any of these major HIPAA “no-no’s” without even knowing it:
- Employees Accessing Files: Let’s face it, humans are curious by nature. In many cases, staff look at files that they are not meant to access. Maybe they see the name of someone they know, or start to wonder about friends or family and reach beyond their job duties by looking at personal information.
- Staff Leaving Information Unattended: There are many instances of employees leaving a file on their desk or a program open on the computer, thinking they’ll only be stepping away from the documents quickly. In many cases, they leave the area because they need to attend to a patient. Unfortunately, this problem leaves patient information vulnerable, regardless of how quickly the mistake is corrected.
- Expired Authorizations: In this situation, a patient signs an authorization that has a specific expiration date or is only good for a certain event. Instead of following that expiration date, the healthcare provider incorrectly assumes that the authorization continues after the expiration or specific event occurred.
- Bringing Information Home: Despite digital medical records, staff members often write themselves notes with reminders or have printed-out documents on hand, both of which likely contain private patient information. At the end of the day, it’s easy for an employee to accidentally bring the document or note home in his or her pocket. The note can then end up in the house or the trash, leaving the information vulnerable.
- Lack of Understanding: Often, healthcare workers fail to realize what truly counts as protected health information (PHI). They recognize the obvious items, such as a social security number or diagnosis, but give away other, less obvious identifying information. The use of social media has aggravated this further, with healthcare workers posting pictures that inadvertently include private information or patients in the background.
Despite how easily or inadvertently violations may occur, there are a few simple steps you can take to help build a culture of compliance, technology being one of them. Use software that tracks authorization expirations and safeguards other PHI. Also, look for other simple precautions to prevent violations, such as setting alerts or requiring passwords on computers in patient rooms.
Good education is also a critical way to prevent HIPAA violations, since it can help healthcare workers truly understand the regulations and how they relate to their daily job duties. HIPAA and compliance training can be dry if it’s not done right, so look for targeted courses that drive home the pain points in an interactive and engaging way while showing how the regulations affect their daily work.
The HealthcareSource eLearning Library offers a number of HIPAA and compliance eLearning modules that are targeted for individual positions within healthcare organizations. Additionally, the packages include modified “refresher” training or abbreviated modules for more experienced staff who you decide do not need to sit through full courses.