Established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) set national standards for the confidentiality, security and transmissibility of personal health information (PHI). PHI includes names, birthdates, phone numbers, emails, Social Security numbers, medical record numbers, health insurance information, biometric identifiers and any other data that is created or collected by a covered entity (or a business associate of a covered entity) and that can be linked to a specific individual. The Department of Health and Human Services (HHS) defines covered entities as health care providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and government agencies.
Under the HIPAA Privacy Rule, health care providers, including home health care and hospice organizations, are required to protect and keep confidential any personal health information. The rule also sets limits and conditions on its use and disclosure without patient authorization. It gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.
HIPAA violations can result in significant fines by the HHS’ Office for Civil Rights (OCR), up to $1.5 million. Additionally, healthcare providers can be at risk of sanctions or loss of income. In 2017 alone, OCR imposed $19,393,000 in fines on covered entities and business associates to resolve HIPAA violations.
How does OCR go about enforcing HIPAA and determining a resolution?
OCR is responsible for investigating all filed complaints, conducting compliance reviews to ensure covered entities are in compliance, and performing education and outreach to encourage compliance. Once OCR determines whether it will investigate a complaint, it notifies both the person who filed the complaint and the organization named in it. Both parties are then asked for information about the incident described in the complaint. By law, covered entities must cooperate with complaint investigations. After reviewing the information and evidence for each case, OCR determines whether the organization violated the requirements of the HIPAA Privacy Rule. If it concludes that a violation occurred, it will ask the organization to comply voluntarily and will propose a corrective action plan and/or a resolution agreement. When an organization doesn’t comply, OCR may impose civil money penalties on it. If the organization is fined, it can have an HHS administrative law judge decide whether the fines are supported by the evidence in the case.
What are the more common reasons for HIPAA violation citations? The following list was compiled by the Health IT & CIO Report:
- Employees disclosing information – Employees revealing information about patients to friends or coworkers is a HIPAA violation that can cost a provider a significant fine. Staff must restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.
- Lost or Stolen Devices – Theft of PHI through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines. Mobile devices are the most vulnerable to theft due to their size, making it necessary to implement measures such as password-protected access and encryption for any device that holds patient-specific information.
- Texting patient information – Putting patient information, such as vital signs or test results, in a text message may expedite communication, but it can potentially place the data in the hands of cyber criminals. Home health care providers should use new encryption programs that allow confidential information to be texted safely. Such a program must be installed by both parties – the sender and the recipient – for it to be effective.
- Social Media – Posting patient photos on social media is a HIPAA violation. All employees should be aware of this violation.
- Employees illegally accessing patient files – Accessing patient information when not authorized is another very common HIPAA violation. Whether it is out of curiosity or as a favor for a relative or friend, this is illegal and can cost a provider substantially. Also, individuals who use or sell PHI for personal gain can be subject to fines and even prison time.
- Authorization Requirements – Written consent is required for any use or disclosure of an individual’s personal health information that is not for treatment, payment, or healthcare operations, or otherwise permitted by the HIPAA Privacy Rule. If an employee is not sure, the best practice is to obtain prior authorization before releasing any information.
- Lack of training – One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. All employees, including caregivers and aides, should receive training on HIPAA law. Compliance training is one of the most proactive and easiest ways to avoid a violation.
Making the privacy and security of patient information a priority is critical for the continued success of a home health care provider. Not only can the organization find itself in violation of HIPAA law, but the exposed data can also be misused by cyber criminals, exposing the provider to third-party lawsuits. All providers should ensure that their training materials are current and conduct annual HIPAA training to prevent potential violations. In addition, be sure your clients carry Cyber Liability insurance in the event of a breach, and Professional Liability insurance, which can often be endorsed to cover the costs of HIPAA proceedings, fines and penalties.
Manchester Specialty Programs offers a Cyber insurance solution designed for home health care providers, which also includes valuable cyber management and loss prevention assistance through our carriers and third-party consultants. We also provide Professional Liability insurance coverage that can include coverage for HIPAA violations, fines and penalties. For more information about our Cyber and Professional Liability insurance solutions and how you can assist your clients, please contact us at 855.972.9399.
Sources: Health IT & CIO Report, Total HIPAA Compliance