How to Prevent Two of the Most Common HIPAA Violations and Avoid Costly Fines
In healthcare, your business is subject to the privacy standards of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA exists to safeguard the protected health information (PHI) held by doctors, insurance companies, and pharmacies. As a result, violations of HIPAA - whether intentional or accidental - can result in fines from $100 to $50,000 per violation, which can be extremely detrimental to organizations operating on limited budgets. If you want to protect your team from accidental HIPAA violations, it’s important to have strong training policies and procedures in place. Our research found that most accidental HIPAA violations fall under two umbrellas: unsecured medical records and cybersecurity. Below, we’ll offer some tips to prevent common violations and protect your healthcare organization from fines.
Unsecured Medical Records
Where are your medical records stored? One of the most common violations happens when employees who are not authorized to see a record, or even hospital visitors, view unsecured medical records. This can happen if a medical record is left behind in an exam room, in an unlocked office, or on a coffee table in the breakroom. To prevent this, ensure that your team knows how to keep medical records under lock and key. An ounce of prevention saves hundreds of thousands of dollars: the OCR reports collecting $28,683,400 in HIPAA penalties in 2018, a record-breaking amount, and the average HIPAA financial penalty that year was $2,607,582.
By training your team on HIPAA best practices for the digital age, you protect both your organization’s financial safety and the privacy of patients. Ensure that you have dedicated, secure meeting spaces or communication channels for private health care discussions. For example, while plenty of patients will require multiple physicians or care teams to collaborate, PHI cannot be discussed in public places: the elevator, the cafeteria, or anywhere that might have unauthorized listeners. The same applies to digital communication spaces: if an unauthorized person can access the communication, patient data is not secured. miSecureMessages keeps patient discussions and related health information on a HIPAA-compliant, encrypted platform.
Cybersecurity / Hacking
Now that most health records are kept digitally, the corresponding risk is a hack or leak of that data. The number of healthcare records exposed through hacking or poor cybersecurity rises year after year, and 2015 saw an abnormal spike: 113.2 million records exposed in breaches that year. The first time a health care center is breached, there may be little to no financial penalty. However, continuing to ignore the common causes of data breaches is treated by the OCR as willful neglect, and the severity of fines increases sharply. Protecting your healthcare center’s digital records from breaches, therefore, requires a few extra steps.
Anti-virus software is only effective if it is well maintained and updated regularly, so turn on automatic updates or sign up for email alerts from your software provider so you know as soon as an update is available. Encrypt all digital health records at rest with strong, randomly generated keys or passphrases, and rotate them at least once per year; rotation limits how long a leaked key stays useful, but it is no substitute for keeping the key out of reach in the first place. This adds an additional layer of protection against cyberattacks. Additionally, all patient-related communication needs to go through an end-to-end encrypted messaging platform, because standard email and SMS text messages do not encrypt content end to end and therefore do not provide the safeguards HIPAA requires for PHI.
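The following is an added example of the "encrypt records with a randomly generated passphrase and rotate it" advice above; it is not code from the miSecureMessages article or product. It uses the stock `openssl` command line (AES-256-CBC with PBKDF2 key derivation) and keeps the passphrase in a separate file with restricted permissions, so a record can be re-keyed without any hand-typed secret. The file names, the 600,000 PBKDF2 iterations, and the sample record are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the miSecureMessages article): encrypt a health record
# at rest with a random passphrase, decrypt it, and rotate the passphrase.
# Assumes the openssl CLI (1.1.1 or newer, for -pbkdf2/-iter) is installed.
set -eu

# PBKDF2 iteration count (assumed value; raise it if the machine can afford it).
ITER=600000

# Write a fresh 32-byte random passphrase (base64) to $1, readable only by the
# owner. The subshell keeps the restrictive umask from leaking into the caller.
new_passphrase() {
  pass_file="$1"
  (umask 077; openssl rand -base64 32 > "$pass_file")
}

# Encrypt plaintext $1 into $2 using the passphrase stored in file $3.
# -salt plus -pbkdf2 means the same passphrase yields a different key/IV per file.
encrypt_record() {
  in_file="$1"; out_file="$2"; pass_file="$3"
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
    -in "$in_file" -out "$out_file" -pass "file:$pass_file"
}

# Decrypt ciphertext $1 into $2 using the passphrase stored in file $3.
# openssl exits non-zero on a wrong passphrase, which set -e turns into a stop.
decrypt_record() {
  in_file="$1"; out_file="$2"; pass_file="$3"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -in "$in_file" -out "$out_file" -pass "file:$pass_file"
}

# Rotate: decrypt $1 with old passphrase file $2, generate a new passphrase in
# $3, re-encrypt in place, then remove the plaintext and the old passphrase.
rotate_passphrase() {
  enc_file="$1"; old_pass="$2"; new_pass="$3"
  tmp_plain=$(mktemp)
  decrypt_record "$enc_file" "$tmp_plain" "$old_pass"
  new_passphrase "$new_pass"
  encrypt_record "$tmp_plain" "$enc_file" "$new_pass"
  rm -f "$tmp_plain" "$old_pass"
}

# Usage (constructed sample record, not real PHI):
#   printf 'patient: Jane Doe\nvisit: 2023-04-01\n' > record.txt
#   new_passphrase key.v1
#   encrypt_record record.txt record.enc key.v1 && rm record.txt
#   decrypt_record record.enc record.txt key.v1
#   rotate_passphrase record.enc key.v1 key.v2
```

The passphrase file, not the ciphertext, is what an attacker needs, so store it outside the directory that holds the records (or in a secrets manager) and restrict who can read it; rotation with `rotate_passphrase` only helps if the old passphrase is actually destroyed afterwards, which is why the function deletes it.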
[Related: What is Encryption?]
miSecureMessages offers protection from many common cyberattacks, most notably from breaches that happen accidentally when family or friends access patient data on providers’ personal devices. A cell phone or laptop left unattended may not require a password to unlock the device itself, but the miSecureMessages platform always requires a password or fingerprint for access. This lets teams communicate conveniently on their personal phones or computers.
If your personal device is stolen, the admin can remotely disable miSecureMessages access on that particular device, removing the risk of a HIPAA breach from that device. miSecureMessages does not store any communications on the device; messages are securely stored on a hospital’s central server or in the cloud.
While a secure messaging platform like miSecureMessages eliminates many of the risks that commonly cause HIPAA violations, no digital tool can protect you from human error. Combat human mistakes with human solutions -- good compliance training, detailed communication with your team, and honesty with your patients.