As organizations covered by the Health Insurance Portability and Accountability Act (commonly known as HIPAA) look into creating or modifying their training techniques, they may be asking themselves what the most common types of HIPAA violations are.
It is important to pay attention to common mistakes and areas where other groups may be weak in order to benchmark one’s own performance and address potential problem areas before issues arise. It may also help covered entities to see how new rules are being regulated and implemented.
What are the Most Common Types of HIPAA Violation?
As with many areas of HIPAA, the importance of the risk analysis cannot be overstated. If this analysis is not sufficiently broad in scope and thorough in nature, the resulting failure to identify weaknesses that threaten the confidentiality, integrity, or availability of Protected Health Information (PHI) may constitute a HIPAA violation in its own right. This is unfortunately a common occurrence.
Choosing the right business associates and ensuring that all required administrative procedures have been carried out satisfactorily is another area where many organizations fail to live up to their obligations under HIPAA. Many groups have been found to be working with their partners without an appropriate business associate agreement in place before operations began.
Other common violations include unauthorized disclosures of PHI, inexcusable delays in issuing breach notifications, and failing to appropriately safeguard PHI – in particular electronic PHI and mobile devices.
The Department of Health and Human Services’ Office for Civil Rights (OCR) may impose fines or seek settlements from organizations that violate HIPAA. These serve both as punishments for offenders and as signals to promote HIPAA compliance overall.
Data Breaches and HIPAA Compliance
Given the huge increase in the amount of data stored and created electronically, including PHI and other health-related data, it is not surprising that a large number of attacks target electronic information.
With the constant evolution of attack methods and corresponding security procedures, it is all but impossible to completely guarantee the safety of information on an electronic system.
In the case of data breaches, the OCR often approaches the incident with this in mind. Indeed, investigations into data breaches have concluded that no violation of HIPAA occurred at the compromised entity.
Data breaches do not automatically mean HIPAA violations. The covered entity is only obliged to implement safeguards to reduce risk to an acceptable level, not to completely erase all risk. Failure to promptly and correctly report data breaches, however, can and will be found to be a breach of HIPAA regulations.
Discovering HIPAA Violations
It is possible that a data breach could continue for a long time before it is discovered. Similarly, HIPAA violations may be routinely overlooked or poorly understood in some covered entities or business associates, resulting in repeated violations over an extended period. Following discovery and investigation, sanctions or corrective action will normally be based on the level of control or negligence the entity was found to have demonstrated. If, for example, a breach or violation should have been found during regular reviews and those reviews were not carried out, the penalty could be severe. If staff have not been sufficiently trained or refresher courses were not held, this could also lead to increased sanctions.
HIPAA compliance reviews should be carried out frequently to ensure that violations or breaches are quickly found and addressed by the covered entity itself, rather than uncovered through an audit or investigation by the OCR or another regulatory body.