When HIPAA was enacted in 1996, there was no doubt how important and necessary the law was. Regulations protecting patient privacy are absolutely vital to the successful function of the healthcare industry and patient care. However, at times, for business associates and covered entities, complying with the regulation can seem daunting. There is a lot of concern surrounding compliance, and rightfully so. The last thing anyone wants is to be the practice or business associate that makes one of the all-too-common mistakes with protected health information.
So, what are some of these common mistakes?
1. Working with Non-Compliant Vendors
HIPAA compliance is not just the responsibility of your organization, but also the responsibility of any organization you work with that requires use of Protected Health Information (PHI). Any vendor using PHI should be willing, and able, to comply with your organization’s Business Associate Agreement.
2. Unsecured Storage or Unencrypted Transmission of Data
Data shared with your vendors or other healthcare providers needs to be transmitted in accordance with HIPAA. Data transfers should be encrypted. When data is received it needs to be stored on servers maintained in a secure facility.
3. Inappropriate Use or Disclosure of PHI
An example here is leaving a voicemail that contains PHI. To comply with HIPAA, a voicemail must be left using the patient’s preferred means of contact, whether that be a home phone, cell phone, or otherwise. Also, the message must not contain details on the treatment a patient is receiving or their medical condition.
4. Lack of Risk Management
If an organization has no measures in place to prevent a breach, a breach is obviously more likely to occur. Your organization and the business associates you work with should train all employees on HIPAA requirements and perform routine HIPAA risk assessment audits.
What are some of the consequences of these mistakes?
Disclosing healthcare information due to lack of risk management, whether intentional or unintentional, can carry substantial consequences for the disclosing party. The following videos, created by ACES Medical, a company that specializes in providing healthcare organizations the tools they need to comply with HIPAA, illustrate these consequences:
Video 1 tells us the story of James Smith, an IT Manager in Washington State. Due to improper risk management, the network of the practice James works for has been breached. The cost of notifying patients, legal fees, and a security analysis ended up costing the practice around $400,000.
Video 2 tells us the story of Selena Cortez, an IT Manager in Phoenix. A flash drive that may contain PHI has been stolen from one of Selena’s employees. The practice had to invest $500,000 in reactive measures similar to those outlined in video 1. However, the practice was also investigated by CMS (Centers for Medicare and Medicaid Services) and fined $200,000 for non-compliance with the HIPAA Omnibus rules.
The consequences can become very unaffordable, very quickly! That is why it is best to avoid these mistakes in the first place.
Now, how can these mistakes be avoided?
If you are not sure where to start protecting your practice, you may want to consider partnering with a company like ACES Medical to aid you in performing a Security and Risk Analysis, or to provide your practice with HIPAA training. For more videos like the samples provided above, or to learn more about training opportunities, visit the ACES Medical website.