Everyone who sees a medical professional divulges personal details, insurance information and medical history to the health organization. Practitioners use this information to build the patient's health record, which is then consulted to deliver better care, send out important follow-up information and handle billing. Unfortunately, the same data can be used to commit fraud and identity theft if it falls into the wrong hands.
The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect patients' medical records and other sensitive information. Health organizations, and the business associates that handle data on their behalf, must abide by its regulations to keep this data private and protected. Organizations that fail to implement safeguards or to report health data breaches can face hefty HIPAA violation penalties, paid to the United States Department of Health and Human Services (HHS), and are typically also required to carry out a corrective action plan.
Examples of HIPAA Violation Settlements
1. Memorial Healthcare System – Inappropriate Access of Patient Information
Memorial Healthcare System agreed to pay a $5.5 million settlement after failing to implement proper audit controls. Employees of the nonprofit, and users at affiliated physician offices, inappropriately accessed the names, dates of birth and Social Security numbers of up to 105,646 patients. HHS found that the organization had no procedure for regularly reviewing information system activity, so the improper access went undetected, and that it lacked appropriate policies for authorizing user access.
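One concrete form of the audit control Memorial lacked is a scheduled review of EHR access logs. The script below is an added example, not code from the original article or from I.S. Partners; the log format, the account names, the active-account roster and the per-day threshold are all constructed assumptions rather than anything taken from the Memorial case. It flags accounts that open an unusually large number of distinct patient records in one day, and any access by an account that is no longer on the authorized roster (for instance a hypothetical former affiliate-office user whose credentials were never revoked).

```python
"""Periodic review of EHR access logs (added example; constructed data).

Two checks that a regular review of information system activity might run:
  1. accounts that opened more distinct patient records in a day than a
     threshold suited to their role (the threshold here is illustrative);
  2. any access by an account missing from the current active-user roster.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The format is an assumption, not any EHR product's:
#   <ISO timestamp> <account> <patient id> <action>
SAMPLE_LOG = [
    "2017-01-09T08:02:11 jdoe P1001 VIEW_DEMOGRAPHICS",
    "2017-01-09T08:15:40 jdoe P1002 VIEW_DEMOGRAPHICS",
    "2017-01-09T09:30:05 mlee P1003 VIEW_RECORD",
    "2017-01-09T09:31:12 mlee P1003 UPDATE_RECORD",
    # kwong: hypothetical former affiliate-office user whose account was never removed
    "2017-01-09T10:00:00 kwong P1004 VIEW_DEMOGRAPHICS",
    "2017-01-09T10:01:30 kwong P1005 VIEW_DEMOGRAPHICS",
] + [
    # rpatel: 15 distinct records in a row, a pattern that deserves a human look
    f"2017-01-09T11:{minute:02d}:00 rpatel P2{minute:03d} VIEW_DEMOGRAPHICS"
    for minute in range(15)
]

# Constructed roster of accounts that are currently authorized.
ACTIVE_ACCOUNTS = {"jdoe", "mlee", "rpatel"}


def parse_log(lines):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, patient, action = parts
        entries.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "patient": patient, "action": action})
    return entries


def high_volume_access(entries, threshold=10):
    """(account, day, distinct patients) for accounts over the per-day threshold."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["account"], e["ts"].date())].add(e["patient"])
    return sorted((account, day.isoformat(), len(patients))
                  for (account, day), patients in seen.items()
                  if len(patients) > threshold)


def unauthorized_access(entries, active_accounts):
    """Every access by an account that is not on the active roster."""
    return [(e["ts"].isoformat(), e["account"], e["patient"])
            for e in entries if e["account"] not in active_accounts]


def review(lines, active_accounts, threshold=10):
    """Run both checks over raw log lines and return the findings."""
    entries = parse_log(lines)
    return {"high_volume": high_volume_access(entries, threshold),
            "unauthorized": unauthorized_access(entries, active_accounts)}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, ACTIVE_ACCOUNTS)
    for account, day, count in findings["high_volume"]:
        print(f"REVIEW {account}: {count} distinct patient records on {day}")
    for ts, account, patient in findings["unauthorized"]:
        print(f"ALERT  {account} (not an active account) accessed {patient} at {ts}")
```

The fixed threshold is a placeholder: in practice you would baseline each role's normal daily volume and alert on deviations from it, and the unauthorized-access check is only as good as the roster it compares against, which is why termination and access-review procedures matter as much as the log review itself. The point is that the check runs on a schedule, since it is the regularity of the review that the audit-control requirement is about.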
2. MAPFRE Life Insurance Company – Unsecured Electronic Health Information
MAPFRE Life Insurance Company agreed to pay $2.2 million to settle its HIPAA noncompliance. The insurer reported a breach after a USB drive holding the electronic protected health information (ePHI) of 2,209 people was stolen from its IT department; the drive had been left unsecured. HHS concluded that MAPFRE had failed to implement encryption, or an equivalent alternative safeguard, for ePHI stored on removable media and laptops.
3. Presence Health – Misplaced Operating Room Schedules
Presence St. Joseph Medical Center, part of the Presence Health hospital system, was found in violation of HIPAA over its mishandling of paper operating room schedules. The schedules, which contained the protected health information of 836 people, went missing. Presence Health was also late in notifying the affected patients of the breach because of miscommunication among its staff. The medical center agreed to settle its HIPAA violations for $475,000.
Common HIPAA Violations to Avoid
Many common HIPAA violations stem from organizations not performing the required risk analysis and not reviewing their procedures to ensure patient information stays secure. And with the amount of technology now used in healthcare, compliance procedures must be extended to cover the mishandling and misuse of electronic patient information. Here are the most common HIPAA violations and the steps you can take to prevent them:
1. Misplaced Paper-Based Medical Records
Paper forms left out in a physician's office or on the reception desk can be read by employees who should not have access to them, or by other patients waiting to be seen. All paper-based records must be kept in a locked location accessible only to authorized personnel, and the organization needs documented record-handling procedures so that files are not misplaced around the office.
2. Stolen or Lost Electronic Devices
With more medical facilities moving to electronic protected health information that is accessed on smartphones, tablets and laptops, organizations must have safeguards that prevent unauthorized access to that data if a device is lost or stolen. That means encrypting the devices used in the facility (encryption that meets HHS guidance also means a lost device is not automatically a reportable breach) and having a procedure for employees to report lost or stolen devices promptly.
3. Sharing of Patient Information to Employees or Unauthorized People
Employees must understand that talking about patients, sharing their files and taking their photos can all be HIPAA privacy violations. However harmless the information seems, disclosing it can violate Title II of HIPAA, and it makes no difference whether it is relayed by text message, social media or face-to-face. Anyone who overhears, reads or sees the information could use it to the detriment of the patient or the practice. Employee training on HIPAA regulations and on preventing inappropriate disclosure of patient information helps workers stay in compliance.
Have Your Medical Information Technology Procedures Assessed
I.S. Partners, LLC can help medical organizations stay in compliance with HIPAA regulations, avoid patient data breaches and spare your organization costly settlement fines. We evaluate your present procedures and safeguards to check for gaps in HIPAA compliance, then provide you with our findings so that you can take the necessary steps to keep medical information secure and confidential. Send us a message or call us at 215-675-1400 to find out more about our HIPAA Compliance assessments.