In the United States, healthcare organizations are required to abide by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. This act provides guidelines pertaining to the handling of patient information across a number of platforms. When healthcare organizations are looking for cloud solutions to manage their data, ensuring that they are HIPAA compliant is a necessity.
The Office for Civil Rights in the United States periodically conducts HIPAA compliance audits on healthcare organizations. Most recently, the U.S. Department of Health and Human Services (HHS) performed audits of 166 covered entities and 41 business associates to check on compliance with selected provisions of the HIPAA Rules. Whether done through ignorance or negligence, HIPAA violations often come with large fines that can range from hundreds of thousands of dollars, to millions, depending on the severity.
5 Main Causes of HIPAA Violations in Healthcare
According to Laura Dyrda at Becker's Health IT, the 12 months prior to June 2020 saw 393 protected health information breach incidents reported to HHS. The incidents included, malicious email hacking, unauthorized access to EHRs and medical records as well as inadequate third-party business agreements. Below are five common mistakes healthcare organizations have been making, that have in turn been resulting in HIPAA violations and subsequent penalties.
- Unauthorized access of personal health information (PHI) - This could be employees looking into data for reasons other than payment, treatment and operations.
- Not performing an organization-wide risk analysis - One of the most common reasons for HIPAA violations today.
- Not participating in HIPAA-Compliant Business Associate Agreements - Simply having a business associate agreement is not enough. Healthcare organizations must ensure the third party is HIPAA compliant as well.
- Failure to encrypt ePHI on mobile devices - Although data encryption isn't mandatory under HIPAA regulations, it can certainly play an important role in protecting sensitive information when devices are misplaced or a potential cyberattack occurs.
- Not disposing of PHI properly - Whether it be physical PHI or ePHI, when it is no longer needed, or retention periods expire, HIPAA requires this information to be permanently destroyed in the safest way possible.
To learn more about the results of the most recent HIPAA audit, read the HIPAA Audits Industry Report published in December 2020.