HIPPA Compliance Issues
A HIPAA violation occurs when a HIPAA covered entity or a business associate fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations may be intentional or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules (HHS, 2018).
An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications. Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.
Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules (HHS, 2018).
If the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.
The four categories used for the penalty structure include (HIPAA Journal, 2018):
- Category 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
- Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
- Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases the violation where an attempt has been made to correct the violation
- Category 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct
HIPAA compliance is an ongoing process and efforts ensure that safeguards remain effective and staff remains vigilant of their responsibilities with respect to PHI and HIPAA. Regular risk analyses need to be performed to identify new risks to the confidentiality, integrity, and availability of PHI and those risks must be properly managed and reduced to an acceptable level. Documentation should be maintained on compliance efforts as it will need to be inspected by regulators in the event of an audit, if a complaint is made about an organization, or if there is a breach of protected health information.
Table 2: Ways that an organization can ensure HIPAA compliance include: (Marco, S. 2015)
|Be informed and educated||Hold in-office trainings to teach employees all they need to know about HIPPA privacy and security regulations and to answer any questions they might have.|
|Maintain/protect the possession of mobile devices||The most common HIPPA violation today is mobile devices storing patient health information being lost or stolen. Continually remind employees to be aware of where mobile devices are at all times and to shut them down and lock them up when they are not in use.|
|Enable firewalls and encryptions||It’s essential to enable encryptions, firewalls and secure user authorization on every device. There are technologies that can also remotely lock or wipe (i.e. Reset to factory defaults erasing all apps and data) using apps and software programs.|
|Assure that files are stored correctly||Remind employees who deal with patient files to focus on what they’re doing and double check that they properly store and save files in the right folders and drives.|
|Properly dispose of paper files||PHI when not filed should be shredded immediately so that sensitive information is not left around for others to view.|
|Keep anything about patient information on it away from view||Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas and keep your computer monitors and mobile device screens hidden from patients and visitors.|
|Use social media wisely||Employees and the company remain HIPPA compliant by having a company rule not to post any text or pictures about what goes on in the workplace on social media or even on their personal blog.|
A medical center, involving 3 hospitals settled with the Office of Civil Rights for $999,000 for compromising patient privacy during the filming of an ABC documentary.
All three hospitals reached separate settlements with OCR for inviting ABC film crews to film on site without first obtaining patient authorization. Hospital number 1 was fined $100,000, hospital number 2 settled for $384,000 and hospital number 3 paid $515,000. Each will need to implement staff training as part of individual corrective action plans.
Those plans included developing policies and procedures around photography, video recording and audio recording. The hospitals will also need a process for both evaluating and approving requests from the media to film not otherwise open to the public.
According to the settlement agreements, all three hospitals denied they impermissibly disclosed patient health data and said they did obtain proper consent. Further, the plans stated the agreements are not an admission of liability and “potential violations alleged in the covered conduct do not constitute findings of fact.”
OCR differed in its findings, stating there was no concession the hospitals were not in violation and not liable for monetary fines.
This was a breach because patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments. Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.