HIPAA breaches can happen even to the best prepared healthcare organizations, but knowing the most common failings can improve your chances of staying in the good graces of the Office for Civil Rights (OCR).
Organizations sometimes have a false sense of preparedness because they put policies in place and think that is enough, says Lucie F. Huger, JD, an officer, attorney, and member of the healthcare practice group at Greensfelder, Hemker & Gale in St. Louis. “I see a lot of technical compliance, but one thing I see organizations overlooking on a routine basis is the human element involved,” Huger says. “Through those mistakes, even with the best policies in place, you can still be violating HIPAA. People get curious and click on links in phishing emails, which can be very dangerous to an organization. Or, I see it when people work too quickly and provide information about a patient to the wrong person.”
Data management and restricted access can address some of the inevitable human failings that lead to HIPAA breaches, says Jorge Rey, CISA, CISM, risk advisory services principal at Kaufman Rossin in Boca Raton, FL, which provides business consulting and compliance services. If employees have limited or no access to protected health information (PHI), they cannot release it even accidentally, he explains. “We’ve seen a lot of healthcare institutions trying to limit the access that everyone has,” he says. “They are becoming better at understanding where that data resides to prevent that unauthorized access. Laptops were a big issue for a couple years because data was not encrypted and data were being lost, but we’ve seen in the past couple of years that is becoming less common.”
When training staff and physicians on HIPAA compliance, healthcare organizations should tailor the content to explain what HIPAA compliance looks like in the day-to-day work environment for that organization, says Melissa Soliz, JD, an attorney with Coppersmith Brockelman in Phoenix. Leaders should provide practical guidance on how to protect the privacy and security of health information, she says. “HIPAA trainers and educators often forget to cover some of the most basic HIPAA compliance measures that are most effective in protecting the privacy and security of health information,” Soliz says.
She cites these examples of important points often overlooked:
- Reminding workforce members to not take any health information outside the organization unless it is necessary to do so and permitted by the organization’s policies and procedures;
- Prohibiting workforce members from accessing health information systems through devices such as cellphones or tablets or storing health information on such devices that do not meet HIPAA standards or are not approved for use by the organization;
- Prohibiting workforce members from posting details about or pictures of patients in the workforce members’ social media posts;
- Reminding workforce members that paper records containing health information cannot be disposed of in open garbage or recycling bins;
- Instructing workforce members on how to avoid cyberattacks, such as phishing emails;
- Informing workforce members of who to contact if they want to ask HIPAA-related questions, who to contact if they suspect there has been an unauthorized use or disclosure of health information, and where the organization’s HIPAA policies and procedures are located.
It is important that the organization maintains robust privacy and security policies and procedures, Soliz says. Further, the organization should implement those policies and procedures through regular training, auditing, and enforcement. The most common mistakes employees make is individual carelessness, such as leaving paper patient records in an unlocked car, clicking on phishing links in emails, or inadvertently disclosing patient health information in a social media post about their workday, Soliz says. “Educational efforts often focus on abstract privacy and security concepts without providing workforce members with sufficient context to understand how they can be HIPAA compliant within their work environment,” Soliz says. “Providing workforce members with concrete examples of what HIPAA compliance and noncompliance looks like will enable organizations to avoid the most common errors.”
Soliz cites a recent example in which a small dental practice paid OCR $10,000 as part of a corrective action plan arising out of the practice’s response to a patient’s social media review, in which the practice disclosed the patient’s last name and details of the patient’s health condition. (Read more about this case at: http://bit.ly/2pPYg30.) “OCR imposed a $2.15 million civil monetary penalty on a health system that lost paper records on over 1,400 patients, allowed a reporter to share a photograph of an operating room containing patient health information on social media, and had an employee who had been inappropriately accessing and selling patient records since 2011,” Soliz says of another case. (Read more about this case online at: http://bit.ly/2Pii0qI.)
Training should be aligned with the organization’s policies and procedures and it must be practical, says Erin S. Whaley, JD, partner with Troutman Sanders in Richmond, VA. Too often, organizations provide generic HIPAA training, she says. “The generic trainings are, at best, not based on the organization’s policies and procedures and, at worst, inconsistent with the organization’s policies and procedures. Customizing generic trainings will help ensure consistency and alignment with the organization’s policies and procedures,” she says. “Another pitfall is training on concepts instead of practical application of those concepts. By offering real-life examples and horror stories, organizations can help their staff and physicians recognize and avoid risky or noncompliant behavior.”
One of the most frequent system-level oversights is failure to perform a complete annual risk assessment, Whaley says. Considering the number of cloud-based solutions, some organizations believe they can rely on their vendors to perform these assessments. However, these organizations are obligated to conduct a thorough assessment for all their systems, she explains. “These assessments may be informed by information from vendors but should not be delegated to the vendors,” Whaley says.
In terms of individuals, the most prevalent mistakes usually are simple human error, such as losing a laptop, sending an email to the wrong person, or discarding PHI in the wrong bin, Whaley says. “There is still a surprising amount of paper PHI in practices. Paper PHI must be properly disposed of to ensure destruction,” Whaley says. “Organizations should have a secure bin for discarded paper PHI, but the organization may only have a few of these secured bins throughout the facility. For efficiency, individuals sometimes keep a shred box at their desks so that they don’t have to walk to the secure bin each time they need to discard a document, even though this may not be consistent with the organization’s policies and procedures.”
The individual may empty this “shred box” only occasionally when it is full, Whaley explains. If the cleaning crew inadvertently throws this box away in the trash or recycling instead of the secure bin, this could be a breach. Investigating and reporting this type of incident is difficult and completely avoidable, Whaley adds. When providing HIPAA education, it is important to ensure the workforce appreciates that management has bought in relative to compliance, says Brad Rostolsky, JD, a partner with Reed Smith in Philadelphia. Training should not be viewed as “something you just need to do,” he says. “Beyond that, it’s important to do more than provide a HIPAA 101 training,” he advises. “Training should spend some time focusing on the actual policies and procedures of the business.”
From a system perspective, one of the more common challenges is logistics, Rostolsky says. The bigger the entity, the more challenging it is to communicate information throughout that entity in a timely and efficient manner, he says. “It’s important to ensure that a process is in place for the workforce to understand who in the privacy office needs to know what information and when they need to know it,” he says. “A basic example of this would be to prospectively designate a particular individual to receive subpoenas, or even just requests for PHI, so that the requests are processed appropriately.”
Individuals, on the other hand, often violate HIPAA merely because they do not fully appreciate that one person’s action, or failure to adhere to what may seem like an annoying rule, can significantly affect a large business, Rostolsky says.
“To this end, part of training should include examples of where big dollar enforcement actions were triggered by the noncompliant actions of a single individual,” he suggests.
Training also should be provided in different forms, says Michele P. Madison, JD, partner with Morris Manning & Martin in Atlanta. For example, there should be training at orientation, staff meeting reminders about HIPAA safeguards, and education about ransomware attacks. Healthcare organizations also can conduct phishing exercises to test employee response, sharing the results on an annual basis during the staff member’s performance review, Madison suggests.
“One common mistake is providing an initial education forum at orientation and requiring annual review of an online training program that fails to address the specific job functions or roles of the individual,” she says. “The lack of specific and continuous training may not adequately prepare the staff member for his or her job and lead to a mistake that causes a breach.”
Another common mistake is failing to provide continuous security awareness training, she says. Such training is a requirement of HIPAA, Madison notes, and technology is constantly changing. Therefore, the organization’s security safeguards should be reviewed on a regular basis. Staff should be trained on the new and upgraded security safeguards as well as the vulnerabilities and risks associated with electronically accessing, storing, or transmitting PHI, she says. “[OCR] fines and penalties have focused upon organizations failing to implement a comprehensive security risk analysis. Failing to fully evaluate all mobile devices and the different access points to the organization’s information technology infrastructure is a significant risk to the organization,” Madison explains. “In addition, when the technology infrastructure changes, even to troubleshoot an issue, the risk assessment should be performed to identify any safeguards that need to be implemented as part of the change to the system.”
Social media continues to pose a significant risk for HIPAA violations, says Susan Tellem, RN, BSN, APR, a partner with Tellem Grody Public Relations in Los Angeles, which assists providers with their responses to HIPAA violations. Instagram and Facebook create an easy medium for people to violate HIPAA, Tellem says. But beyond those channels, there are many ways healthcare employee can inadvertently disclose PHI and never even realize it, she adds.
“Faxing of some PHI is allowed, but a fax can wind up easily in the wrong hands,” she says. “What if a healthcare professional is taking a break and decides to share a photo of what she is eating with an open patient file in the background? Photo sharing among doctors and patients is becoming more common and may be shared by accident.”