Understanding HIPAA Complaints, Violations, and Consequences
Next, we are going to review how a patient files a HIPAA complaint, the most common violations among covered entities and business associates, common violations at the employee level, the consequences of a HIPAA violation, and how you can work to prevent HIPAA complaints and violations within your practice.
As a practice that handles patient information on a daily basis, you are required to have a procedure in place for patients to raise complaints. Under HIPAA, patients should be directed to your designated HIPAA privacy or security officer, as well as to the practice’s HIPAA program office, to make a complaint. Patients may also complain directly to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, the federal agency that enforces the HIPAA Privacy, Security, and Breach Notification Rules; OCR provides a website where patients can file a complaint electronically.
Let’s take a look at the top 10 most common HIPAA violations by covered entities and business associates. These include:
- Snooping on healthcare records
- Failure to perform risk analysis
- Failure to manage security risks
- Failure to enter into a HIPAA-compliant business associate agreement
- Insufficient ePHI access controls
- Failure to use encryption to safeguard portable devices
- Failure to issue breach notification
- Impermissible disclosure of PHI
- Improper disposal of PHI after retention period expires
- Denying patients access to their healthcare records
Next, let’s review common violations by employees. When it comes to the handling of patient health information specifically, these violations include:
- Removing PHI from the office
- Leaving PHI unattended
- Not signing off or locking electronic devices
- Emailing ePHI to a personal email account, or emailing ePHI through an unencrypted or non-HIPAA-compliant email service
Next is the release of PHI to an unauthorized individual, which includes:
- Releasing PHI with no authorization on file
- Releasing PHI for purposes other than treatment, payment, or healthcare operations
- Releasing PHI under an authorization that has already expired
- Releasing PHI under an authorization that did not specify the types of PHI that could be released
And last is a lack of training or education. This includes:
- Employees who are unaware of the minimum necessary standard
- Employees who are unaware of the practice’s policies and procedures, or who are unaware of HIPAA and the consequences of a HIPAA violation
HIPAA violations are not to be taken lightly. The penalties exist to make sure that practices and other covered entities, as well as business associates, are following the rules and safeguards that have been put into place.
Civil monetary penalties are tiered by the level of culpability. The base amounts (which HHS adjusts for inflation each year) are:
- Did not know, and could not reasonably have known, of the violation: $100 to $50,000 per violation, with an annual maximum of $25,000
- Reasonable cause (the covered entity knew, or by exercising reasonable diligence would have known, of the violation, but it was not willful neglect): $1,000 to $50,000 per violation, with an annual maximum of $100,000
- Willful neglect of the HIPAA rules, with the violation corrected within 30 days: $10,000 to $50,000 per violation, with an annual maximum of $250,000
- Willful neglect of the HIPAA rules, with no effort made to correct the violation within 30 days: $50,000 per violation, with an annual maximum of $1.5 million
Penalties can be brought against individuals as well as against the organization for a HIPAA violation. Be sure you are taking the responsibility and holding yourself and your team accountable to follow the safeguards that have been put into place.
Thank you for completing The Focusing On HIPAA Compliance Program. As a reminder, we recommend you complete this training annually. We have attached several resources and handouts for you to reference when reviewing your HIPAA Manual and when reviewing HIPAA guidelines with your team. If you have completed this program as a team, please pass around an annual training log for each participant to sign and date, and store it in your HIPAA Manual. If you completed this program as an individual or as a new hire to a practice, please let your administrator know that you have completed it so that the proper documentation of completion is placed on file.