Cybersecurity and Data Privacy
August 30, 2022
Healthcare organizations should ensure all employees who come in contact with protected health information (PHI) are well-trained in federal and state regulations and compliance to protect patient privacy and avoid costly violations.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, sets national standards for how PHI is stored, used and transmitted, protecting sensitive medical data such as names, addresses, Social Security numbers, birth dates, health conditions, treatments and payment information. The Texas Medical Records Privacy Act, or TMPA, significantly expanded in 2011, extends HIPAA protections for Texas residents.
Employees of covered entities and business associates are required to take training on HIPAA and TMPA laws. Covered entities include medical and dental practices, hospitals, nursing homes, pharmacies and health care companies. Business associates include accountants, lawyers, consultants and data processors. Employers are required to document what training has been provided, when it was provided, and who attended.
In July 2022, a state academic health center paid $875,000 to the federal government to settle HIPAA violations that included impermissible uses and disclosures of private healthcare information; failures to implement internal controls and failure to provide timely breach notification to affected individuals and U.S. Department of Health and Human Services (HHS).
Penalties for violating HIPAA are tiered. Civil money penalties are assessed per violation and scale with the level of culpability, from unknowing violations up to willful neglect that is not corrected, and an organization may also be required to pay restitution to victims. Separately, criminal penalties apply to individuals who knowingly obtain or disclose PHI: fines of $50,000 to $250,000 and prison terms of 1 to 10 years, with the higher tiers reserved for offenses committed under false pretenses or for commercial advantage, personal gain or malicious harm.
Ongoing HIPAA and TMPA training of healthcare personnel helps providers meet training requirements and reduce the risk of privacy and security breaches that can lead to costly HIPAA violations.
Healthcare organizations should avoid 5 common mistakes when handling PHI.
1. Unsecured Records
Employees are required to keep PHI secure at all times. Physical files containing PHI should be locked in a desk, filing cabinet or office. Electronic protected health information (ePHI) should be protected by access controls, such as strong passwords and, where possible, multi-factor authentication, and should be encrypted both at rest and in transit. Training employees on HIPAA and organizational controls helps to safeguard PHI records onsite, in vehicles, in remote offices, on mobile devices and on publicly accessible Wi-Fi networks.
2. Inadequate Cybersecurity
HHS reports that the number of healthcare breaches in the first five months of 2022 is nearly double that of the same period last year and includes a 328% increase in ransomware attacks. An IBM Security report found that the average cost of a healthcare industry data breach has reached a record high of $10.1 million.
In July of this year, the National Institute of Standards and Technology (NIST) released a draft update of its guide to implementing the HIPAA Security Rule, addressing new challenges posed by telehealth, telemedicine and cloud technologies. The document reiterates the need for ongoing education, training and awareness of healthcare personnel on strengthening data privacy and information security to keep PHI and healthcare systems safe from attackers.
3. Loss or Theft of Devices
Smartphones, laptops and other devices containing ePHI can be lost or stolen. If the information stored on a device is not encrypted, anyone possessing it can access sensitive patient information; a password or PIN alone does not protect data on unencrypted storage. Under HHS guidance, PHI on a lost device that was properly encrypted is not considered unsecured, so encryption can keep a lost device from becoming a reportable breach. Compliance training raises employee awareness of an organization's policies on storing ePHI on personal mobile devices and of HIPAA-compliant encryption requirements.
4. Improper Disposal of Records
When disposing of physical or electronic files, employees should understand that anything containing PHI must be shredded, destroyed or securely wiped from storage media. Simply deleting a file or emptying the trash does not remove the data; media should be sanitized with methods appropriate to the device, such as those described in NIST SP 800-88, or physically destroyed. If information is left lying around in a trash can or in a computer's recent files folder, it can get into the wrong hands. Ongoing training reminds employees that healthcare data, whether in physical or electronic form, must be permanently destroyed when it is no longer required.
5. Unauthorized Access or Release of Information
If unauthorized individuals access PHI, or if medical personnel release PHI to unauthorized family members or disclose it to a third party through human error, it is a violation of HIPAA. HIPAA training reinforces the minimum necessary standard: employees with access to PHI must be careful about the information they share and limit discussions to people who have a need to know, such as the patient, treating doctor(s) and the person(s) billing for the procedure or other related medical services.
Organizations have an ethical and legal responsibility to keep the sensitive data of patients secure and private. Ongoing HIPAA and TMPA training helps healthcare organizations remain compliant with federal and state laws by ensuring employees understand the policies, procedures and responsibilities that protect PHI.
Sign up for a free trial of our HIPAA training courses.