HIPAA violations have become increasingly common with the use of technology. Fines and penalties can be devasting to a practice, yet many organizations are not safeguarding against these types of violations. Learn more about the most common types of violations below.
Inadequate Employee Training and Lack of Documentation
According to the 2017 State of Privacy and Security Awareness Report, 70% of over 1,000 employees surveyed should be labeled as either a risk, or a novice when it comes to security and privacy awareness. This startling statistic means that the average employee is at risk of jeopardizing protected health information (PHI) and is not properly equipped to protect an organization from preventable cybersecurity incidents.
Proper training informs employees which items are considered PHI and the reasons for its protection, and most importantly it teaches employees how to protect patient information. Documenting employee training is vital when it comes to passing a HIPAA audit and protects you and your business if an employee is to violate compliance laws.
Learn moreabout Cytek’s HIPAA Compliance Training.
No Risk Assessment
HIPAA requires that covered entities conduct and retain documentation of a risk assessment of their organization. A risk assessment helps your organization ensure that it is complaint with HIPAA’s administrative, physical, and technical safeguards. A risk assessment will also help to reveal areas where your organization’s PHI could be at risk, helping your business avoid fines and civil penalties as well as costly downtime caused by cybersecurity incidents.
Take a Free HIPAA Risk Assessment
Ransomware is malicious software that infects a computer system, locking and often encrypting information until a sum of money is delivered to the hacker. Ransomware typically infects a system through email attachments and links to malicious websites. Ransomware attacks that encrypt patient data are considered a HIPAA violation as an unauthorized individual has taken possession of the protected information.
Illegally Accessing Files
Human error is one of the main causes of HIPAA breaches. Unauthorized employees accessing patient data or files is a violation. Unauthorized employees cannot access files at the request of an authorized employee, and authorized employees cannot give information to unauthorized family members of a patient.
Encryption helps to safeguard your practice against violations, especially in the case of lost devices. Your organization should use both encryption and cloud backup for all electronic data. HIPAA Security Rules state that an algorithmic process must be used to transform data into a form in which there is a low probability of readability. All electronic transfers of PHI within your organization should use encryption.
Physical and electronic documents containing protected patient data must be secured at all times. Healthcare workers should avoid leaving papers and charts that contain PHI out on desks or in exam rooms. Paper documents should be stored in either filing cabinets, desks, or offices that are locked. Electronic documents should be protected using strong passwords and data encryption.
Improper Disposal of Records
Improper dumping of PHI is one of the most common violations and can lead to fines of as much as $10,000-$50,000 per exposed record. While HIPAA Privacy and Security Rules do not explicitly state how PHI must be disposed of, it does state that all protected data must be destroyed beyond readability. Paper records as well as electronic records are subject to these guidelines.
Lost devices such as flash drives, cellphones, and laptops, that contain PHI are considered a HIPAA violation. Loss of a device is only not considered to be a violation if the data on the device is encrypted or the device is secured and can be remotely wiped of its data. Proper employee training can prevent employees from accessing PHI on personal devices further reducing the risk of this type of HIPAA violation.
Want to learn more about how you can protect your organization from cybersecurity threats? Contact Cytek today for a free consultation.