Following federal regulations is a necessity in running a successful hearing care practice, and one of the most critical areas of compliance is the Health Insurance Portability and Accountability Act (HIPAA). However, despite its importance, more than 250,000 complaints of HIPAA violations have been made over the past 20 years.
In today’s increasingly competitive hearing care industry, HIPAA compliance can have a significant impact on a practice’s business health: the perception that a clinic is either unable to protect healthcare information, or does not take its protection seriously, often results in the loss of existing and future patients. And in the event of an actual HIPAA violation, steep financial penalties can also be assessed.
Because of this, it is important to stay up-to-date on HIPAA rules and regulations as technology and the hearing care industry continue to evolve.
A brief background on HIPAA
HIPAA was established in 1996 with the goal of setting standards for the safeguarding of Protected Health Information, or PHI; these principles have been continuously expanded upon by additions to the HIPAA law.
Under HIPAA, PHI is any personal health information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether for diagnosis or treatment.
Common HIPAA mistakes
Unauthorized access to medical records
The focus of HIPAA is the protection of PHI. Accessing PHI for reasons other than what is strictly required for tasks such as treatment, payment, or other healthcare operations is a violation of patient privacy.
One of the most common HIPAA violations is when healthcare staff access information about family, friends, neighbors, or even celebrities outside the scope of their needs and responsibilities. When discovered, these employees can be subject to criminal punishment, and the hearing care practice may also be subject to financial penalties for failing to put effective safeguards in place. Some of these safeguards include requiring user authorization for employees and staff to access sensitive information and protecting workstations with unique passwords that are changed regularly.
Loss or theft of devices storing PHI
The amount of healthcare data stored on technology devices such as laptops, tablets, and even cell phones increases monthly. With the increased data comes increased risk: the loss or theft of a device can lead to a data breach, a potential HIPAA violation, and a resulting financial penalty. Since it is not possible to completely protect devices from being lost or stolen, it is important that you and your practice take strategic steps to prevent an unauthorized party or malicious actor from gaining access to the actual data. Several best practices are available, including multi-factor authentication and strong levels of data encryption.
Some best-practice security measures include:
- Remove work-related computers from visible and accessible areas when not in use.
- Store sensitive PHI on professional computers and devices only. Do not store sensitive PHI on personal devices.
- Implement Multi-Factor Authentication (MFA) which requires the user to provide two or more verification methods to gain access to a device, application, or online account.
- Enable device location to allow the owner of a device to see its location if it is accidentally misplaced.
In addition to the steps above, if a worst-case scenario has occurred and recovery is impossible, many devices allow a user to remotely delete all data on the device if needed. Ensure that all staff and employees understand how to remotely delete confidential data in the case of a lost or stolen device.
Sending unencrypted PHI over text or email
Emails and text messages are often major sources of unintentional and easy-to-avoid HIPAA violations. Email and text messages sent to patients should never contain PHI. Even if a patient requested PHI via text or email, it is not appropriate to send the information because the patient’s identity cannot be confirmed. You do not know who will be reading the messages. The proper usage of these communication methods is to notify your patients that a message awaits them so they can call for an update.
Additionally, using these methods to send treatment information about a patient between clinic staff is a HIPAA violation. The notifications can be seen and read by anyone who has access to the device and are therefore at risk of a breach.
Incomplete HIPAA risk assessment
One of the requirements of HIPAA is for organizations to conduct risk assessments to determine possible gaps in their measures to safeguard PHI. If a HIPAA risk assessment is not conducted on a regular basis, your hearing care practice may have hidden security vulnerabilities that can lead to a healthcare data breach along with HIPAA violations and financial penalties. In fact, the failure to perform a practice-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty.
Some practices perform a HIPAA risk assessment once and consider it done. However, a best practice is to conduct the assessment on an annual basis, or sooner if you implement new technology, have significant staff turnover, or make other business processes or staff responsibility changes to the practice. Once your HIPAA vulnerabilities have been identified, the practice can take steps to improve HIPAA compliance and ensure effective protection of PHI.
For more information on how to conduct a Risk Assessment, consult this guide.
Lack of business associate (vendor) HIPAA agreements
HIPAA regulations also extend to vendors and any other third parties that may have access to PHI. These include technology and software vendors whose systems may store information on cloud-based servers, legal counsel, accountants, or freelance/contract positions who may perform clinical or administrative functions for the practice.
Each of these vendors or third parties who will access, transport, or store PHI is required to sign a business associate agreement outlining why, how, and when they will securely access and/or store the PHI managed by your practice. This includes provisions for the proper disposal of the information once the agreement has concluded.
Insufficient Employee Training
HIPAA requires that organizations provide HIPAA training to members of their workforce who will come into contact with PHI as part of their responsibilities. However, the regulation doesn’t specify the length of time required nor explain the topics to be covered in the training, only requiring that it must be “as necessary and appropriate for the members of the workforce to carry out their functions”.
To make things simple, training should include how to identify PHI, who needs to access it, the rules concerning how and when PHI may be disclosed, and how to avoid unauthorized access to PHI. Training should be short enough to hold the trainees’ attention without boring them or bombarding them with information. There are numerous online training programs, including Teach Privacy, that meet these standards.
Finally, training dates and completions should be effectively documented as a way of protecting the practice in the event of a breach.
What happens if your hearing care practice commits a HIPAA violation?
It is nearly impossible to prevent a violation from ever occurring, even if you make every possible effort to have up-to-date policies, conduct extensive risk assessments, and train your employees on how to protect and safeguard PHI. All it can take is a device left on a bus or an errant conversation, and your practice could face the scrutiny of the Department of Health and Human Services, the branch responsible for enforcing HIPAA.
The authors of the regulation recognized that humans make honest mistakes. In that regard, they built four tiers into the penalty process, based on the perceived level of negligence of the employees who committed the violation, each with its own range of fines.
The first (lowest) tier levies fines starting at $100 per incident; however, fines can increase depending upon the scale of the breach. Tier 1 fines are usually assessed when an employee could not have known they were committing a HIPAA violation.
Tier 2 fines are levied when it is determined that the organization knew or, by exercising reasonable diligence, would have known about the violation but did not act with willful neglect. Fines for the second tier can range from $1,000 to $50,000 per incident and up to $100,000 per year.
Tiers 3 and 4 are much more severe and are levied against organizations that are determined to have acted with “willful neglect” toward HIPAA rules and regulations. Penalties in these tiers can range from $10,000 to $50,000 per incident, with total penalties of more than $1.5 million per year.
Staying HIPAA compliant
Demonstrating a good faith effort to follow the regulations can be a helpful factor when the level of violation is determined (Tier 1 rather than Tier 2, Tier 2 rather than Tier 3, etc.).
Instituting the proper policies and procedures, regular organizational risk assessments, employee training, and signing business associate agreements can help protect your practice in the event of a violation and mitigate the potential consequences.