The Department of Health and Human Services Office for Civil Rights (OCR) has its hands full every year prosecuting and fining healthcare organizations and their employees for violations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its amendments.
HIPAA was put in place to protect individuals’ privacy and to keep their health data out of the hands of criminals, but its requirements are often vaguely worded, which makes them challenging to interpret and to enforce across large healthcare operations. Yet it is critical that these organizations do their due diligence to ensure their employees and practices are above reproach. The alternative could mean tremendous fines and other legal disputes, lost licenses, lost business and trust, and, depending on how egregious the offense is, even jail time.
The best way for healthcare organizations to prevent HIPAA violations is to train and educate employees continuously, follow every applicable best practice, and take security precautions and protocols seriously.
Common HIPAA violations
Thanks to the Health Information Technology for Economic and Clinical Health (HITECH) Act—a component of the American Recovery and Reinvestment Act (ARRA) of 2009—by 2015 all healthcare organizations in the U.S. had to have medical records stored electronically and under significant firewall protection.
Before this law, there were many incidents in which entire truckloads of patients’ protected health information (PHI) were stolen in paper form, as well as instances of records lost to fires and natural disasters. Going electronic made good sense and was made possible by significant advances in digital technology, but it also came with its own vulnerabilities. Chief among them were the risk of cyberattacks and the unauthorized viewing and sharing of PHI.
The HIPAA Security Rule serves as an extension of the HIPAA Privacy Rule and requires a number of safeguards be put in place to protect patients’ PHI. These safeguards are meant to reduce the risk of cybercrime and to force healthcare organizations to make a reasonable effort to ensure that only authorized personnel gain access to PHI.
According to HIPAA Journal, one of the more common issues arises when healthcare employees illegally access private medical records to snoop on the health of a family member, a co-worker, or other people they know—and even some they don’t, such as celebrities. Ignorance of HIPAA law is not a justifiable defense, and the OCR will issue fines or launch legal investigations when situations like this arise.
The HIPAA Journal states that other common violations include:
- Failure to enter into a HIPAA-compliant business associate agreement with vendors who are granted access to PHI
- Failure to encrypt PHI (or use an equally effective measure) to safeguard data from potential theft
- Failure to issue a data breach notification to affected parties within 60 days of the breach occurring
- Disclosing PHI to anyone not authorized in writing by the patient, such as an employer
- Improper disposal of PHI
- Denying patients timely access to their own medical records
Use policy management software to limit risk
Healthcare organizations should seek policy management software that operates within their own firewalls, as part of a concerted effort to limit exposure to these and other risks and to ensure every employee is familiar with critical policies and procedures. The software should integrate seamlessly with existing IT infrastructure and be easy for employees to use and adopt.
It’s important that every policy and procedure be written in clear, easy-to-understand language so there can be little to no confusion over expected behaviors, record-keeping best practices, and rules and regulations. Once created, the documents should be disseminated to all relevant employees and then should be made easy for them to access and refer to as needed.
Make sure the third-party policy management software selected complies with the security and privacy requirements outlined in HIPAA. Organizations that operate in the cloud and use software such as Microsoft Office 365 should look for policy software that authenticates users against the organization’s own Active Directory, so that access to policy documents is governed by the same accounts and group memberships the organization already controls. This measure reduces the chance of data accidentally falling into the wrong hands. During the document lifecycle, it also helps to use Active Directory for task assignments. When it comes to maintaining compliance with HIPAA and other laws affecting the healthcare industry, it’s a good idea to have functionality built into the policy management tool that sends policy managers instant notifications when a policy is due for renewal, revision, or retirement.
Use the policy management system to store all the organization’s policies and procedures in a centralized repository that is easy to search. Healthcare professionals know that audits are inevitable and necessary for compliance assurance. A central repository will help make finding important documents a simpler matter. If the policy management solution also offers a details page for each document, storing the version history and other important historical and collaboration notes, the hard work is already done before the audit.
Finally, the policy management solution should give organizations the ability to test their employees’ comprehension of the policies and procedures as written. A large number of failing scores flags that the document needs to be revised to be clearer, and the testing itself ensures employees pay closer attention to what they’ve read. Their digital signatures and confirmations will further protect the organization in the event of a future compliance failure by showing that it took precautions to prevent the breach.