The 5 HIPAA Violations Most Likely to Cost You (And How to Avoid Them)

Everybody knows that HIPAA violations can be costly, with penalties that can include seven-digit fines and jail time. Even worse, the combined text of the current HIPAA regulations stretches to 115 pages and more than 60,000 words. It’s little wonder, then, that most healthcare providers are scared they might be missing something that could ruin them financially or put their practice in jeopardy.

Luckily, the Office for Civil Rights (OCR), which enforces HIPAA, publishes data on its investigations and enforcement actions. From it we can see roughly how many complaints OCR fields each year (on the order of 10 to 20 thousand), how many of those end in “corrective action” (about 20 to 30%), and, most importantly, which types of HIPAA violation most often lead to corrective action. “Corrective action” is OCR’s term for a case in which it found a violation and required the entity to change its practices: at minimum you are agreeing to a plan to fix the problem and then document and monitor the fix, which costs money and time to carry out. In the more serious cases it also means a resolution agreement with a settlement payment, or a civil money penalty, on top of that plan.

HIPAA Violations Most Likely to Get You a Corrective Action

So which areas of your HIPAA coverage should you focus on most to avoid the dreaded corrective action? Let’s go right to the horse’s mouth and see what OCR says:

1) Impermissible Uses and Disclosures

This has been the undisputed #1 type of violation to net a corrective action for every year in the last decade, which makes sense. HIPAA is very focused on what you’re doing with the protected health information (PHI) that is under your control, and improper uses and disclosures of that information are obvious areas for enforcement. Additionally, patients are likely to notice and be upset about this type of violation, which could increase the volume of complaints to OCR for this category.

An easy two-step process to avoid this violation:

  1. Identify the PHI that you have
    PHI is “all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” For more on this, see the Health and Human Services (HHS) site.
  2. Identify and validate your uses and disclosures of this PHI
    Loosely, a “use” occurs when you’re doing something internal with PHI and a “disclosure” occurs when you’re sharing PHI with an outside person or organization.
    HIPAA allows uses and disclosures without specific authorization in the following six categories: “(1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.” Some of these categories are opaque, but HHS provides guidance to clarify them. Other uses and disclosures typically require authorization from the patient.

2) Lack of Safeguards

HIPAA requires that you maintain “administrative, technical, and physical” safeguards to prevent impermissible uses or disclosures of protected health information (PHI). These three types of safeguards are very important throughout all of HIPAA, and it’s worth your time to understand them.

What’s important here is that it’s not just your uses and disclosures that can get you penalized; you are also responsible for the systems that you have in place to prevent those uses and disclosures. Identify what systems you need (administrative, technical, and physical), implement them, document them, and maintain them.

3) Lack of Patient Access

Patients have a right to obtain copies of their medical records in almost all cases, and you have a duty under HIPAA to provide complete copies within 30 days of the request (one 30-day extension is allowed if you tell the patient in writing why), for no more than a reasonable, cost-based fee, and in the form and format the patient asks for if you can readily produce it. Patients may also request an accounting of the disclosures you have made of their protected health information (PHI). There are some exceptions to these rules (psychotherapy notes and information compiled for litigation, for example), but not many. The HIPAA “Privacy Rule” covers this topic in detail, if you are curious.

Patients also have the right to request that information in their records be amended when it is inaccurate or incomplete. You must act on such a request within 60 days (again, one 30-day extension is allowed), either by making the amendment or by giving the patient a written denial that explains the basis for it and how to file a statement of disagreement.

4) More Than the Minimum Necessary

The “minimum necessary” standard is a guiding principle in HIPAA. Wherever it applies, use, disclose, or request only the protected health information (PHI) needed to accomplish the purpose at hand. For example, if a patient’s name and date of birth are all that a particular permissible disclosure requires, do not also send their entire problem list or their current medications. The standard does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the patient themselves, uses or disclosures made under the patient’s authorization, disclosures to HHS for compliance purposes, or uses and disclosures required by law; everywhere else, always ask, “What is the least amount of information needed to get this task done?”

5) Lack of Administrative Safeguards

If this seems like a partial repeat of the general “Lack of Safeguards” category above, then that’s because it almost is. The difference here is that OCR is highlighting a lack of administrative safeguards on electronic protected health information (PHI). Remember that PHI refers to health information in any form, electronic or otherwise, and it is covered by the HIPAA Privacy Rule. Electronic PHI, however, gets special, more in-depth regulation, and it is the subject of the entire HIPAA Security Rule. All types of PHI need administrative, technical, and physical safeguards, but HIPAA gives these extra attention when the PHI is in electronic form.

If you’re handling electronic PHI, then you need to be familiar with the HIPAA Security Rule and its extra specifications for administrative, technical, and physical safeguards. It would be a shame to do a good job on general PHI safeguards and then get nailed for missing ones that are specific to electronic PHI.


That’s it. Those are the five HIPAA violations most likely to end with penalties for you, and that’s straight from the government office that does the enforcing. For more information on getting your HIPAA ducks in a row, check out our easy, complete HIPAA compliance checklist and also the Department of Health and Human Services.

This article is part of a series of posts relating to HIPAA law and regulation. The information provided is meant as general guidance only and is not intended to be legal advice.
