HIPAA is a familiar term in healthcare, yet many people are still unsure which actions actually constitute a HIPAA violation. Here are the most common ones.
Billing specialists and back-office staff are busy submitting claims and minimizing account adjustments, and a HIPAA violation is the last thing they want to face. Some enforcement was temporarily relaxed in response to COVID-19, notably for telehealth, but the regulations themselves remain in force and still need to be followed by clinics and practices.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. Among its purposes is protecting patients' protected health information (PHI). To accomplish this, its Privacy and Security Rules set standards for keeping medical data private and secure.
Health care professionals caught violating the law, whether knowingly or unknowingly, face financial penalties. It is therefore in their best interest to understand clearly which behaviors create a HIPAA violation.
Civil & Criminal Penalties:
Civil penalties apply to violations that do not rise to a criminal offense, and they are tiered by culpability. For a violation the covered entity did not know about, and could not reasonably have known about, the penalty ranges from $100 to $50,000 per violation. The minimums rise for violations due to reasonable cause and again for willful neglect that is corrected in time. At the top tier, willful neglect that is not corrected, the penalty is $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision. These are the statutory amounts; HHS adjusts them for inflation each year.
Criminal violations carry fines and possible prison time, again in tiers. The most severe tier, offenses committed with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm, carries fines of up to $250,000 and up to 10 years in prison. Criminal penalties apply not only to healthcare providers but also to health plans, Medicare prescription drug card sponsors and health care clearinghouses.
Insecure PHI Data Storage:
Health professionals need safeguards in place for the secure storage of PHI. These include access controls that limit PHI to the staff whose roles require it, and encryption of stored data. Without them, a data breach may occur, and such breaches are often not technically sophisticated: sensitive data that is readable by everyone on the network, or stored unencrypted, is easily accessed and potentially stolen. A practical first check is to look for exports, backups and shared folders whose permissions allow anyone to read them.
Following general IT security practices helps ensure that a "hack" or data breach does not happen. A few of these practices are:
- Restricting staff access to potentially dangerous or high-risk websites from workstations that handle PHI. This can include dark web sites, some social media, some online forums and adult websites.
- Making sure a firewall is in place. For the office network that means a network firewall that blocks inbound connections other than the ones you explicitly allow. If the practice runs a patient portal or another web application, a WAF (web application firewall) additionally filters, monitors and blocks malicious HTTP traffic to that site. A WAF protects a website, not the office network, so it is not a substitute for the network firewall.
- Implementing access controls for sensitive data. The more sensitive the data, the fewer people should have access to it; HIPAA's Privacy Rule calls this the minimum necessary standard. The main models are mandatory, discretionary and role-based access control. Role-based access control, which grants each job function only the PHI fields it needs, is the usual fit for a clinic.
- Using strong, unique passwords together with multi-factor authentication. Pet names and ABC123 are not good passwords. Note that current NIST guidance (SP 800-63B) no longer recommends forcing password changes every 60 to 90 days; instead, require long passphrases, screen new passwords against lists of known-breached passwords, and require a change whenever compromise is suspected.
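The storage paragraph above warns that PHI "readable by all" is the unsophisticated breach. The following is an added example, not the practice's own tooling or anything from the original article: a small Python audit that walks a PHI folder, flags files and directories whose POSIX permission bits expose them beyond their owner, and tightens them. The directory layout, file names and contents are constructed for the demo and contain no real PHI.

```python
"""Find PHI files and folders whose permission bits expose them beyond
their owner, then tighten them.

Added example for this article; it is not the practice's tooling. The
directory layout and file names below are constructed for the demo.
"""
import os
import stat
import tempfile


def exposure_reasons(mode: int) -> list[str]:
    """Describe why a permission mode is too open for PHI (empty if it is fine)."""
    reasons = []
    if mode & stat.S_IROTH:
        reasons.append("world-readable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons


def audit_phi_directory(root: str) -> dict[str, list[str]]:
    """Walk root and return {relative path: reasons} for every file or
    directory that anyone other than its owner can read or modify."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = exposure_reasons(stat.S_IMODE(st.st_mode))
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def remediate(root: str, findings: dict[str, list[str]]) -> None:
    """Restrict flagged entries to their owner: 0700 for directories, 0600 for files."""
    for rel in findings:
        full = os.path.join(root, rel)
        os.chmod(full, 0o700 if os.path.isdir(full) else 0o600)


def build_sample_tree() -> str:
    """Create a throwaway directory with deliberately mixed permissions
    (constructed sample; the files contain no real PHI). Returns its path."""
    root = tempfile.mkdtemp(prefix="phi_demo_")
    os.mkdir(os.path.join(root, "exports"))
    os.chmod(os.path.join(root, "exports"), 0o755)  # listable by anyone on the host
    samples = {
        "claims_2020.csv": 0o644,      # typical export: readable by everyone
        "patient_notes.txt": 0o600,    # owner only: acceptable
        "exports/billing.db": 0o666,   # anyone can read *and* modify
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample data, not real PHI\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, reasons in sorted(audit_phi_directory(root).items()):
        print(f"{path}: {', '.join(reasons)}")
    remediate(root, audit_phi_directory(root))
    print("after remediation:", audit_phi_directory(root))
```

The check covers POSIX mode bits only; on Windows file shares or systems using POSIX ACLs the same question has to be asked of the ACL entries, and on any system it says nothing about whether the data is encrypted at rest. Run it against the real export and backup folders, not just the chart database.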
Employee Abuse of PHI:
Healthcare providers constantly handle sensitive patient data, which makes staff behavior one of the most common sources of HIPAA violations. Clinicians or other staff members may send PHI from an unsecured personal email account or physically take records out of the medical office. Other cases involve accidentally posting images containing PHI on social media, or leaving records out in the open and unattended. With the expansion of telehealth, providers also need to be especially careful with videoconferencing technology: use a platform that is covered by a business associate agreement, and make sure sessions cannot be joined or recorded by unauthorized parties.
A lack of technical knowledge can have a substantial impact. Staff members may not realize that their personal computer is not secure, yet still download and view PHI on it. If the device is not authorized, or the download was made over an unsecured computer or Wi-Fi network, a HIPAA rule has very likely been violated.
Unauthorized or Improper PHI Access:
Medical clinicians and office staff handle an increasing amount of PHI, but only authorized personnel and parties are allowed to access it. Sharing PHI with an unauthorized third party is a HIPAA violation. Examples include sharing data with family members who are not authorized, or accidentally handing one patient's records to another patient.
PHI is typically accessed by the patient in question, that patient's healthcare providers, pharmacies and medical billing staff. Anyone outside this group is usually not authorized, and sharing PHI with them risks an improper disclosure. Authorization is also not only a matter of job title: a clinician with no treatment relationship to a patient is not entitled to open that patient's chart either, and the billing office does not need to see clinical notes to submit a claim.
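The access-control bullet in the storage section and the paragraph above make the same two points: a user needs a relationship with the patient, and even then should see only the fields their role requires. Below is an added example in Python that enforces both checks and keeps an audit trail; it is not the practice's system or any real product, and the roles, field names, user IDs and patient records are all constructed. The last function shows why the audit trail matters: repeated denials for one user are a simple signal for record snooping.

```python
"""Role-based, minimum-necessary access to PHI with an audit trail.

Added example for this article, not a product or the practice's own system.
Roles, field names, user IDs and patient records are all constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    CLINICIAN = "clinician"
    PHARMACY = "pharmacy"
    BILLING = "billing"
    FRONT_DESK = "front_desk"
    PATIENT = "patient"


# Minimum necessary: the PHI fields each role needs to do its job.
# Front-desk staff can confirm who a patient is, but never see diagnoses.
ROLE_FIELDS: dict[Role, frozenset[str]] = {
    Role.CLINICIAN: frozenset({"demographics", "diagnoses", "medications", "allergies", "notes"}),
    Role.PHARMACY: frozenset({"demographics", "medications", "allergies"}),
    Role.BILLING: frozenset({"demographics", "insurance", "procedure_codes"}),
    Role.FRONT_DESK: frozenset({"demographics"}),
    Role.PATIENT: frozenset({"demographics", "diagnoses", "medications", "allergies",
                             "insurance", "procedure_codes"}),
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role
    # Patients this user has a treatment or billing relationship with.
    # For Role.PATIENT this holds only the patient's own record ID.
    assigned_patients: frozenset[str]


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    patient_id: str
    granted: frozenset[str]
    denied: frozenset[str]


# Constructed sample chart data; not real patients.
RECORDS: dict[str, dict[str, str]] = {
    "P001": {"demographics": "J. Quinn, 1980", "diagnoses": "E11.9", "medications": "metformin",
             "allergies": "none", "insurance": "Plan A", "procedure_codes": "99213", "notes": "..."},
    "P002": {"demographics": "R. Patel, 1975", "diagnoses": "I10", "medications": "lisinopril",
             "allergies": "penicillin", "insurance": "Plan B", "procedure_codes": "99214", "notes": "..."},
}


def decide(user: User, patient_id: str, requested: set[str]) -> tuple[frozenset[str], frozenset[str]]:
    """Return (granted, denied) field sets. Two checks must both pass:
    a relationship with the patient, and the field being within the role's need."""
    wanted = frozenset(requested)
    if patient_id not in user.assigned_patients:
        return frozenset(), wanted          # no relationship: deny everything
    granted = wanted & ROLE_FIELDS[user.role]
    return granted, wanted - granted


def access_phi(user: User, patient_id: str, requested: set[str],
               log: list[AuditEvent]) -> dict[str, str]:
    """Enforce the decision, record every attempt (allowed or not), and
    return only the fields the user may see."""
    granted, denied = decide(user, patient_id, requested)
    log.append(AuditEvent(user.user_id, patient_id, granted, denied))
    record = RECORDS.get(patient_id, {})
    return {f: record[f] for f in sorted(granted) if f in record}


def users_with_repeated_denials(log: list[AuditEvent], threshold: int = 2) -> list[str]:
    """Detective control: users whose denied attempts reach the threshold,
    a simple signal for record snooping worth a compliance review."""
    counts = Counter(e.user_id for e in log if e.denied)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log: list[AuditEvent] = []
    dr_lee = User("dr_lee", Role.CLINICIAN, frozenset({"P001"}))
    print(access_phi(dr_lee, "P001", {"diagnoses", "insurance"}, log))  # insurance withheld
    print(access_phi(dr_lee, "P002", {"diagnoses"}, log))               # not her patient: {}
    print(users_with_repeated_denials(log))                             # ['dr_lee']
```

Two design choices carry the compliance weight. Every attempt is logged, including fully granted ones, because the Security Rule's audit-control requirement is about reconstructing who saw what, not only catching failures. And the relationship check runs before the role check, so a clinician's broad role never becomes a licence to browse charts of patients they do not treat.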
According to the U.S. Department of Health & Human Services, between April 2003 and August 2020 it received a total of 242,743 HIPAA complaints and opened 40,847 investigations. In some of these cases employees released PHI accidentally, yet even an unknowing disclosure leaves employees and practices legally responsible. HIPAA compliance and violations are not a topic to take lightly.
For questions about HIPAA policies and regulations, as well as other related topics, contact the staff at Advanced Billing & Consulting Services (ABCS). They have been providing medical billing, credentialing and other supportive services since 1997.
For more information about their services, call them at 614.890.9822.
Photo credit: Unsplash