Failure to manage the correct handling of healthcare data can lead to costly HIPAA violations. One study found that more than half of providers aren’t fully compliant with HIPAA’s Right of Access. That’s an expensive proposition, given that the average cost of non-compliance for healthcare organizations is $14.82 million.
And the damage is not limited to fines for HIPAA violations. Healthcare organizations can also lose revenue due to a damaged reputation and lost customers, as most consumers lose trust quickly when their personal data is compromised by a third-party organization.
Fortunately, a good IT team (or managed services provider) can actually do something about HIPAA violations that fall within their domain. Here, then, are the top 7 HIPAA violations your team can do something about.
#1 Thinking HIPAA Does Not Apply to Your Organization
There are many activities that might trigger the need for HIPAA compliance, even if your organization is not the “typical” type of covered entity. If your enterprise handles business activities such as marketing and content creation, medical transcription, cloud-based storage for health records, or medical data processing, and you aren’t sure if you need to be in compliance, it’s a good idea to contact a compliance expert. The same goes for activities like audits, answering services, consulting, and shredding and/or document storage.
#2 Failing to Implement Access Controls
Access to protected health information (PHI) within your enterprise should only be given to employees when it’s essential for their job and then revoked when the employee no longer works for your company (or changes roles). Such access should be reviewed regularly.
The lack of such a review hit the Texas Health and Human Services Commission (HHSC) in 2018, when it was penalized by the Office for Civil Rights (OCR) for failing to perform an enterprise-wide risk analysis. The OCR found that Texas HHSC failed to implement access controls on its applications and IT systems as required by HIPAA, resulting in a steep $1.3 million fine.
Lack of review is one thing; actually having an employee access records when they are not supposed to is something even worse. Miami-based Jackson Health System (JHS) was found in violation of HIPAA when it was revealed that an employee inappropriately accessed over 24,000 patient records and sold that data to shady third parties over a five-year time span. A regular review of records activity and time of access could have revealed the pattern of abuse much sooner. Such “leaks” when it comes to access controls are, unfortunately, a common occurrence, especially when IT teams are overworked.
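As an added illustration of the review described above (example code written for this article, not tooling from the original post or from any organization it mentions), the script below runs two checks over a constructed PHI access audit log: access by accounts that are deprovisioned or whose role does not need PHI, and after-hours or unusually high-volume record reads. The log format, the HR roster, the business hours and the daily baseline are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of a PHI access audit log (hypothetical format:
# ISO timestamp, user account, patient record id). Not real data.
AUDIT_LOG = """\
2023-03-06T09:12:00 nurse01 P1001
2023-03-06T09:40:00 nurse01 P1002
2023-03-06T23:15:00 clerk07 P1003
2023-03-06T23:16:00 clerk07 P1004
2023-03-06T23:17:00 clerk07 P1005
2023-03-06T23:18:00 clerk07 P1006
2023-03-07T10:05:00 exstaff P1007
"""

# Constructed HR roster: is the account still active, and does the role
# need PHI access at all? In practice this comes from HR/IAM exports.
ROSTER = {
    "nurse01": {"active": True, "phi_role": True},
    "clerk07": {"active": True, "phi_role": False},
    "exstaff": {"active": False, "phi_role": True},
}

def parse_log(text):
    """Yield (timestamp, user, record_id) tuples from the audit log text."""
    for line in text.splitlines():
        ts, user, record = line.split()
        yield datetime.fromisoformat(ts), user, record

def review_access(log_text, roster, work_hours=(7, 19), daily_max=3):
    """Return {user: sorted list of reasons} for every account worth a look."""
    findings = defaultdict(set)
    per_day = Counter()
    for ts, user, record in parse_log(log_text):
        entry = roster.get(user)
        if entry is None or not entry["active"]:
            findings[user].add("access by unknown or deprovisioned account")
        elif not entry["phi_role"]:
            findings[user].add("role does not require PHI access")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings[user].add("after-hours access")
        per_day[(user, ts.date())] += 1
    # Volume check: more record reads in a day than the assumed baseline.
    for (user, day), n in per_day.items():
        if n > daily_max:
            findings[user].add(f"{n} record accesses on {day} exceeds daily baseline {daily_max}")
    return {u: sorted(r) for u, r in findings.items()}
```

Run this against a daily export and route anything it returns to the access owner for a documented decision; the baseline should be derived per role from historical volumes rather than the fixed value used here.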
#3 Insecure Pages and Portals
Insecure web pages and web portals provide an easy avenue for hackers and data thieves to steal PHI. In 2019, hackers were able to gain access to the payment data of over 20.1 million patients in a database of a third-party bill collection vendor, American Medical Collection Agency (AMCA). It appears that a web payments page being maintained by AMCA—which patients were using to pay their lab testing bills—was improperly secured. The breach went undetected for eight months, during which time hackers were able to get names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details, and bank account information.
Any portals that traffic in patient data, financial data, or both must be secured to the highest standard, and breaches must be reported as soon as detected. Hiring a cybersecurity expert can help reveal vulnerabilities before they become a problem.
#4 Faulty Setup/Configuration Errors
The data of 974,000 UW Medicine patients was left exposed for three entire weeks when simple human error led to a misconfigured server. The data was being kept so that patients could have access to their information, in conformity with HIPAA requirements. Somehow, the data was made public and readily found via an internet search engine—in fact, the mistake was found when a patient conducted a Google search of their name and found a file containing their data, including lab tests that had been conducted.
According to Gartner, almost 95 percent of cloud breaches occur because of human errors like configuration mistakes. These can be drastically reduced by implementing a standardized configuration and using automation to ensure that nothing is left to chance or error.
#5 Mobile Devices Not Properly Secured
Approximately one-third of companies across all sectors experienced a mobile-related breach in 2018-2019, and that trend held true for healthcare as well. Roughly 90 percent of hospital and healthcare institutions are investing in smartphone and mobile technology, which means potential breaches are going to become much more common.
But it’s not just smartphones and tablets that create risk: laptops, thumb drives, and other portable technology might present an even greater risk. Take, for example, the University of Rochester Medical Center, which was required to pay $3 million to the Office for Civil Rights because PHI was left unencrypted on a flash drive. The drive was left inserted into a laptop that itself was stolen when a physician was off campus. Who knows where that data ended up?
If mobile devices, including laptops and thumb drives, are going to be brought into your organization, it is imperative that they also be brought into your overall endpoint management strategy.
#6 Failing to Properly Notify Media and Affected Individuals about Breaches
Jackson Health System, mentioned above, found out about the high cost of failing to provide “timely and accurate breach notification to the Secretary of HHS” when it was also hit with a civil money penalty of $2,154,000 for its breach.
Although a breach does not necessarily result in a violation, the HIPAA Breach Notification Rule necessitates the notification of such breaches within 60 days to affected individuals and prominent media outlets serving the state or jurisdiction where it occurred (if it affected more than 500 residents). And, if the breach occurred through a business associate, that entity must notify the corresponding covered entity within the same two-month period. If it encompasses compromised PHI, a report has to be filed on the HHS’ Breach Reporting Portal.
Conducting these notifications might not seem difficult, but some healthcare enterprises fail to complete them and therefore incur avoidable HIPAA violations fines. An IT team can get around this simply by having a defined and regularly updated notification system in place.
#7 Assuming You Are Compliant (Because Your SaaS Application or Public Cloud Is)
It can’t be said enough: No cloud platform, public or otherwise, is inherently 100 percent HIPAA compliant. Compliance comes not from having a certain kind of technology or platform, but rather from configuring the platform (and, ultimately, handling the data) in appropriate ways.
So, don’t assume you are in compliance simply because your platform, cloud provider, or application provider says they are HIPAA compliant. Even if they are, your IT team still has work to do.
Start by making sure you sign the business associate agreement. Then implement the appropriate access controls, set up firewalls that provide logging and oversight, put file integrity monitoring in place, and get your encryption in place. And remember, if any of these steps are proving to be a challenge, there’s no harm in reaching out to a third-party vendor that specializes in HIPAA compliance.
Penalties for HIPAA Violations
Penalties for HIPAA violations vary quite a bit. They depend, first, on whether the violations were the result of a civil or criminal infraction.
Penalties for civil HIPAA violations
- Lack of knowledge. Penalty range: $100-$50,000 per violation, with an annual maximum of $25,000 for repeat violations
- Reasonable cause. Penalty range: $1,000-$50,000 per violation, with an annual maximum of $100,000 for repeat violations
- Willful neglect, but violation is corrected within the required time period. Penalty range: $10,000-$50,000 per violation, with an annual maximum of $250,000 for repeat violations
- Willful neglect that is not corrected within the required time period. Penalty range: $50,000 per violation, with an annual maximum of $1.5 million
Criminal violations of HIPAA
- Covered entities and specified individuals “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification regulations. Penalty range: up to a $50,000 fine and imprisonment up to one year
- Offenses committed under false pretenses. Penalty range: up to a $100,000 fine and up to five years in prison
- Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm. Penalty range: fines of $250,000 and imprisonment up to 10 years
These penalties can markedly affect a healthcare enterprise’s revenue stream and reputation. There are steps you and your IT team can take, though, to enforce compliance and avoid common HIPAA violations and their costly consequences.
For more discussion on this topic, view our article “Who Does HIPAA Protect? And What Does This Mean for Your IT Team?”
To learn more about how HIPAA violations can negatively affect your enterprise, see our article “You CAN’T Afford It – What HIPAA Violations Really Cost.”
For more on our own HIPAA compliance services, visit our HIPAA Compliance Page.
Korunda Medical, based in Florida, paid the Office for Civil Rights $85,000 for potentially violating HIPAA’s Right of Access rule. The case focused on Korunda not providing patient-requested records in a timely manner or in the requested format.