If you are a doctor or some other healthcare provider, you are probably well aware of the importance of maintaining a HIPAA-compliant workplace. Originally passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) establishes a set of national standards that covered entities must follow with regard to patient privacy. Failure to do so can result in a fine handed down by the Office for Civil Rights (OCR), the arm of the Department of Health and Human Services that enforces the HIPAA rules.
Improper Disposal of PHI
One of the most common types of HIPAA violation cited by the OCR is improper disposal of Protected Health Information (PHI). Whether it is a patient's medical file, billing information, or any other record containing individually identifiable health information, PHI must be disposed of in a way that leaves it unreadable and impossible to reconstruct. For paper, that means shredding, pulping, or burning. For electronic media it means more than deleting files or reformatting a drive, since both leave the data recoverable with ordinary tools: drives should be overwritten, cryptographically erased, or physically destroyed (NIST SP 800-88 describes these sanitization methods and when each is adequate), and a practice that outsources the job to an IT vendor should obtain a certificate of destruction for its records.
Not Creating a Business Associate Agreement
Covered entities that share PHI with one or more third-party organizations (billing services, cloud hosting providers, IT contractors, and so on) must put a Business Associate Agreement (BAA) in place with each of them before any PHI is disclosed. Among other things, the BAA specifies the permitted uses and disclosures of the covered entity's PHI, obligates the business associate to apply appropriate safeguards and to report breaches and other security incidents back to the covered entity, and prohibits any use or disclosure beyond what the agreement allows.
Lost or Stolen Devices
Another all-too-common HIPAA violation involves lost or stolen devices. If a hospital stores PHI on the tablets used by its nurses, for instance, it needs physical safeguards that make loss or theft less likely, and technical safeguards that keep a lost device from turning into a breach: full-disk encryption with a strong screen lock, and enrolment in a mobile device management (MDM) system so the hospital can remotely wipe a device as soon as it is reported missing. Encryption is the safeguard that matters most here. Under HHS guidance, PHI encrypted in line with that guidance is not considered "unsecured" PHI, so losing a properly encrypted device whose key was not also compromised generally does not trigger the Breach Notification Rule, whereas losing an unencrypted one does.
Lack of Cybersecurity
What safeguards does your healthcare practice have in place against hacking? Cyber attacks on healthcare organizations have become increasingly commonplace, with major health insurers such as Anthem, Inc. and Premera Blue Cross disclosing large breaches in 2015. The HIPAA Security Rule requires covered entities to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI, starting with a risk analysis that identifies where that ePHI is stored and how it could be exposed. In practice this means encrypting ePHI at rest and in transit, segmenting and firewalling the network, monitoring logs for unauthorized access, keeping systems patched, and requiring multi-factor authentication rather than a password alone, particularly for remote and administrative access.
Not Training Employees
A fifth HIPAA violation that many healthcare practices commit is failing to train their employees. Workers must be trained on their obligations under the HIPAA Privacy and Security Rules, and that training is not a one-time event: new hires need it before they handle PHI, everyone needs refreshers when policies or systems change, and the practice should keep records of who was trained and when, because the OCR asks for them during an investigation. Ongoing training is critical to remaining compliant with HIPAA and avoiding fines.