The 10 Most Common HIPAA Violations

Dave Goerlich

All HIPAA violations could be considered potential threats to your medical-related organization, but some are much more common than others. And, since HIPAA violations can bring fines reaching up to $50k per occurrence and a maximum penalty of $1.5 million per violation, it’s very important to stay on top of the regulations and rules.

If you think you might need to button up your organization related to HIPAA standards, we suggest looking at these 10 most common violations.

1. Unsecured Records

This includes both physical copies of medical information, records, and data, and digital copies. Physical copies need to be locked away in a desk or filing cabinet when not in use, and all digital access needs to be secured and password-protected.

2. Failure to Encrypt Data

This is somewhat similar to unsecured records, but it also covers encrypting PHI that comes in through assets like forms or surveys and PHI that goes out through methods such as email. Also, if all data is encrypted, it will be unusable to an attacker if the security is breached.

3. Being Hacked

It’s unfortunate, but there are many people out there who try to hack into networks and databases in order to access PHI and other data so they can sell it. This is why it is so important to have digital assets that are secured and regularly monitored.

4. Lack of Employee Training

It is fairly simple - any employee who comes in contact with PHI needs to be thoroughly trained in HIPAA compliance and your organization's specific policies and procedures.

5. Theft or Loss of Devices

No one loses their laptop or phone on purpose or tries to have it stolen. But this does happen from time to time. The upside is that as long as the PHI and data are not accessible, you’ll just need to replace the device. The HIPAA violation occurs when an unauthorized user is able to use that device to access the medical data.

6. Improperly Disposing Records

When medical records or PHI are no longer needed, any related documents need to be shredded, not just thrown in a trash can. Digital copies need to be stored elsewhere or wiped from devices.

7. Dishonest Employees

Most of the time, this occurs out of curiosity rather than malicious intent. It happens when an employee uses their credentials to view a patient’s PHI or medical records that they are not authorized to see.

8. Gossiping

It’s difficult not to talk about the crazy thing that happened at work, but doing so could violate HIPAA standards. Talking with others who are authorized to view the information is fine, but chatting with anyone else is not.

9. Unauthorized Release of Data

The most common occurrences of unauthorized release of medical information come from:

A.) The media releasing medical information about a celebrity or well-known public figure, or

B.) Medical personnel releasing information to family members of the patient who are not authorized by power of attorney.

10. Third-Party Disclosure of PHI

PHI should only be discussed with the people who need to know the information. This includes the patient, the doctor(s), and/or the person(s) billing for the procedure, medication, insurance, or other related services.

Looking over the whole list, the most common causes of HIPAA violations are avoidable. It all comes down to securing the data, both digitally and physically, educating employees on the HIPAA laws, and only communicating PHI with those authorized to receive it.

If you have questions about the HIPAA compliance of the digital side of your organization, we’d love to chat. Even if it’s just to help you strategize around a new solution.

This post was last updated on: Aug 30, 2022.