Common HIPAA Compliance Mistakes & How to Keep Them from Happening

HIPAA compliance horror stories are unfortunately all too common, and they can happen to anyone if they’re not careful. 

There’s the $2.75 million fine at the University of Mississippi Medical Center that happened when a laptop with access to 10,000 patient health records went missing.

A CVS Pharmacy in Rhode Island had to pay $2.25 million because employees were improperly disposing of pill bottles that contained patient information on the labels.

These are just a couple of examples of HIPAA compliance mistakes that cost organizations millions of dollars because they didn’t properly follow the guidelines of the Health Insurance Portability and Accountability Act.

Any organization dealing with protected health information (PHI) is subject to HIPAA guidelines.

This includes hospitals, pharmacies, nursing homes, and more. Any service providers that work with health care companies and have access to PHI are also subject to HIPAA.

Much of HIPAA compliance has to do with using good IT security practices to protect data when in transit and at rest.

Part of the regulation is designed to ensure that personal health information of individuals is properly protected from disclosure. 

HIPAA fines can range from $100 to $50,000 per record or per violation.

Protecting Yourself from HIPAA Compliance Mistakes

Following are some of the most common HIPAA violations that end up costing companies both in penalties and client trust. We’ve also included tips on how to avoid them.

Using a Non-Compliant Cloud Storage Service

There are plenty of cloud storage services you can use online, and many health care organizations just assume they’re all using similar security measures.

Unfortunately, that’s not always the case and some can leave your data at risk due to lax security.

It’s important to work with a trusted IT partner, like RCOR, that can help you assess the HIPAA compliance of any cloud storage or other cloud tools you use, to make sure you’re not leaving patient data exposed.

Not Protecting Laptops or Mobile Devices

Many HIPAA compliance penalties happen due to lost or stolen mobile devices or laptops that are left unprotected with access to patient health information.

This is an easy way to rack up the HIPAA violation penalties because they’re per record. So, a stolen iPad that has access to your entire database would cost you a violation for each patient record in that database.

Using an endpoint device manager gives you the ability to remotely lock or wipe devices that have gone missing, which could save you from having a breach and a large penalty.

Accidental Oral Disclosure by Employees

Here’s a real-world example of this type of HIPAA mistake. One dental patient was having a tooth filled when an assistant came in to ask the dentist about another patient.

They gave a detailed account of that patient’s issue to the dentist, right in front of the patient he was working on. 

This is an example of an accidental oral disclosure and it happens all too often. Employees may be discussing a patient at the front desk, in front of everyone in a waiting room.

Employee training is the way to address this type of violation. Employees need to understand that disclosing information orally is just as bad as if a digital record was breached.

Texting Patient Information on an Unsecure Connection

While it may be quick to text a patient’s vital signs or lab results to another party at the same office, if it’s done while either mobile device is on a non-encrypted connection or public Wi-Fi, it can easily lead to a breach of that information.

Using a business virtual private network (VPN) is a way to encrypt internet connections no matter what type of network a device is connected to, which can help prevent this type of HIPAA mistake.

Not Using Business Associate Agreements

If an organization that is subject to HIPAA works with a vendor or contractor that has access to PHI during the course of their work, then that organization is supposed to use a business associate agreement.

This is a contract that ensures the vendor is also adhering to HIPAA guidelines. Without it, a vendor might be unaware of what’s required for compliance and cause a breach of patient information.

In this case, the organization they were working for would be the one found in violation.

There are often provisions of HIPAA that organizations aren’t aware of, and this is a common one that’s missed. Working with an IT provider that fully understands compliance requirements and can help you with HIPAA compliance can ensure nothing falls through the cracks, such as required business associate agreements.

Get Compliance Consulting You Can Trust from RCOR

You don’t have to navigate HIPAA compliance alone. RCOR offers expert compliance consulting so you can focus on your business without stressing about potential violations. 

Contact us today to schedule a compliance consultation. Call 919-263-5570 or contact us online.