Data breaches targeting the healthcare industry, and the resulting theft of patient records, have reached epidemic proportions, putting the privacy and protected health information (PHI) of millions of Americans at risk. And many of those breaches are triggering HIPAA audits—and devastating fines.
In just one example, North Memorial Health Care of Minnesota agreed to pay a settlement of more than $1.5 million for charges that it violated HIPAA Privacy and Security Rules after an unencrypted, password-protected laptop was stolen from a business associate’s locked vehicle, compromising the electronic protected health information (ePHI) of 9,497 patients.
OCR cracks down on HIPAA noncompliance
The Department of Health & Human Services’ Office for Civil Rights (OCR) launched its next phase of audits in late 2015. In the first seven months of 2016 alone, the agency reported nearly $15 million in settlement payments related to a host of alleged compliance failures at various organizations.
For private employers that handle protected health information of their employees in conjunction with a group health plan, it’s a double-edged sword. Not only do you need to understand and comply with the HIPAA Privacy Rule when handling this information, but employees are also increasingly using violations of their privacy rights as the basis for allegations and lawsuits against employers.
That means you need to protect yourself from this potentially devastating liability, and that starts with being aware of your vulnerabilities.
Here are seven of the most common areas of HIPAA oversight employers need to beware of:
- Lost or stolen devices. We live in an age of gadgets, and when devices with sensitive information aren’t properly encrypted and password protected, losing them becomes a serious breach.
- Hackers. Data from OCR shows that hacking accounts for 23 percent of all HIPAA breaches. Hackers commonly take over user accounts with weak passwords, deploy malware or exploit vulnerabilities in software.
- Employee dishonesty. Whether someone in your organization is accessing private information out of curiosity or using it for nefarious reasons, it’s illegal and can subject you to fines and even prison.
- Improper disposal. Did you know your copy machine could cause a HIPAA violation? If you’re copying sensitive info on a leased machine that saves copies on its hard drive, and you return that machine without properly wiping the drive, that’s a HIPAA violation. It happened to Affinity Health Plan, Inc., and cost them $1.2 million.
- Unencrypted data. The HIPAA Omnibus Ruling doesn’t require encryption of data, but HHS has been slapping heavy fines on businesses that don’t properly protect information. Encryption is easy and relatively inexpensive.
- Lack of training. Employee unfamiliarity with HIPAA is a gigantic liability in many small businesses, opening up endless possibilities for careless and potentially costly mistakes.
- Unsecured records. HIPAA requires that all electronic and paper documents and files containing PHI be secured. Lock your filing cabinets, lock your offices, create strong passwords on all devices and encrypt all files that contain PHI.
Three steps to security
The HIPAA Security Rule outlines the requirements for covered entities and business associates with respect to risk analysis, security procedures, training and breach response planning. But any employer who handles employees’ PHI should be covering the three core components of the Security Rule:
- Physical safeguards such as locked file cabinets, surveillance cameras and restricted access to areas where private information is stored.
- Technical safeguards to restrict electronic access, such as unique user IDs and passwords, encryption and multifactor authentication, as well as a comprehensive backup and disaster recovery plan.
- Administrative safeguards such as rules about who has access to data, training on data security and specific processes for preserving, changing and destroying data.
Need help sorting out your HIPAA compliance issues? Contact us.