If you work in the medical field, it's essential that you learn the nuances of the Health Insurance Portability and Accountability Act (HIPAA). Originally signed into law back in 1996, it consists of numerous requirements that covered entities must follow to protect patients' data from unauthorized use or access. Covered entities who fail to abide by HIPAA could be subject to fines – or in some cases – criminal prosecution.
So, just how common are HIPAA violations? The Department of Health and Human Services (HHS) said that as of March 2013, it had investigated more than 19,000 cases that required corrective privacy action. There were additional 44,118 cases, however, that did not require corrective privacy action, usually due to the violation occurring before HIPAA or cases withdrawn.
The HHS typically remains transparent in regards to HIPAA violations, as this information helps covered entities better protect themselves from violations. On its official website at hhs.gov, the HHS even lists the most frequently reported violations, which includes the following:
- Unauthorized disclosure of Protected Health Information (PHI).
- No protection in place for health information.
- Patient is not able to access his or her health information.
- Using and/or disclosing more than the minimum necessary PHI.
- Lack of safeguards for Electronic Protected Health Information.
As you can see from the list above, “unauthorized disclosure of PHI” is the single most frequently reported HIPAA violation. Covered entities are required by law to obtain patient's consent before transmitting their personally identifiable health information. If they fail to obtain this consent, they could be found in violation of the HIPAA Privacy Rule.
Another all-too-common HIPAA violation is lack of protection for health information. Whether it's physical or digital, all forms of patient health information must be protected to reduce the risk of disclosure. For paper PHI, safeguards may consist of locked doors, locked file cabinets, and proper disposal methods (e.g. incineration or shredding). For EPHI, safeguards may consist of proactive network monitoring, unique user identifications, firewalls, virus scanners, etc.
Of course, these are just a few of the most common HIPAA violations. There are plenty of other violations for which covered entities have been fined. The only way you can fully protect yourself from HIPAA-related fines is by knowing and implementing the appropriate practices, policies and techniques to secure patients' data from disclosure.