HIPAA’s Privacy Rule Is 20 Years Old. Why Do Organizations Keep Breaking It?

Regulators began enforcing HIPAA’s privacy rule for healthcare insurers and providers in 2003. Since then, more than 300,000 complaints of rule violations have been alleged and more than 1,700 matters have been referred to the DOJ for possible criminal investigation.

Despite protocols designed to protect patients and organizations, HIPAA violations continue to occur frequently. Even healthcare organizations that diligently follow HIPAA regulations can be vulnerable to unintentional violations, which can lead to harm to patients, costly penalties, reputational damage and legal action. Authorities have imposed fines totaling $134 million since regulators began enforcing HIPAA’s privacy rule.

The most commonly reported violations in 2021 (the most recent year for data) were: impermissible use and disclosures, access, safeguards, administrative safeguards and breach notifications. Here are some tips for organizations to remain compliant with HIPAA’s privacy regulations.

Information Disclosure

As we said, most unintentional HIPAA violations are due to an organization accidentally accessing or releasing protected health information (PHI). For example, employees discussing PHI in the breakroom or with friends and family is a HIPAA violation. 

Conversations that include sensitive information should be limited to those who are authorized to hear it. These conversations should take place in a private place that is not accessible to unauthorized personnel. Other tips for protecting PHI:

• Implement appropriate employee training and management data solutions that require authorization codes or identity verification.
• Implement employee email and cybersecurity training and best practices. Disclosing PHI to unauthorized personnel can occur by CCing multiple patients in one email, sending PHI to the wrong patient or disclosing PHI on social media. 
• Verify what information is being requested before transmitting it. Even when the correct patient record is provided, if the individual has authorized only parts of their medical record to be disclosed but the entire record was shared, that’s a violation.

Device Loss

Another common way for PHI to be accessed by unauthorized individuals is through misplaced or stolen devices like laptops, USB drives, tablets and smartphones. Devices from healthcare organizations typically contain sensitive patient information.

Healthcare professionals often take work devices home and leave them unattended in their home, car or public areas. This creates a situation where these devices can easily be stolen, lost or accessed by unauthorized individuals.

Best practices to prevent PHI disclosure in the event of a lost or stolen device include:

• Device encryption
• Electronic PHI (ePHI) encryption
• Device tracking software
• Training around device handling
• Password protection
• Activity monitoring of systems and devices
• Multi-factor authentication.

Improper Disposal of Sensitive Patient Information

Failing to dispose of PHI and ePHI properly, including throwing away complete copies of PHI without shredding it or failing to wipe ePHI from USBs or portable hard drives, is a HIPAA violation. 

Healthcare organizations should routinely conduct shredding or pulping of physical copies of PHI and destroy or wipe portable devices that store PHI.

Third-Party Risk

Nearly all healthcare organizations work with third-party companies, with many requiring access to PHI. Any company that has access to or handles PHI is required to be HIPAA-compliant. Third-party vendors that do business with healthcare organizations need a business associate agreement (BAA) before they access PHI. A BAA helps ensure the protection of PHI by legally binding HIPAA-covered organizations and third-party vendors, which may not already be set up to handle sensitive healthcare information.