When it was passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was considered a big win for patients because it delivered higher levels of security and privacy. But its strict and complex rules create a real risk that companies will unwittingly commit HIPAA violations.
HIPAA was also designed to provide advantages to organizations that store and handle Protected Health Information (PHI). The act’s regulations aimed to create administrative efficiencies as well as a well-defined set of obligations to reduce potential liability.
HIPAA levies steep fines for non-compliance. Plus, with healthcare fraud costs estimated at $68 billion and identity fraud victim costs calculated at $1.7 billion, protecting patient and customer data is more important than ever.
Because HIPAA regulations are strict, it’s possible that your organization’s employees are committing HIPAA violations unknowingly. Our HIPAA-certified records management team has put together a list of questions to ask yourself that may reveal unexpected violations.
If your company is subject to HIPAA regulations—or if you’re not sure—we’ll walk you through the background on HIPAA and exactly what organizations are subject to its rules. Then, we’ll show you some unexpected sources of exposure to help you stay compliant, keep your PHI protected and help reduce your company’s risk for liability.
Is Your Organization Subject to HIPAA Regulations?
HIPAA was enacted with the goal of creating standards for transmission, privacy, and security of Americans’ health information.
Specifically, the HIPAA Privacy Rule protects “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information (PHI).”
Let’s break this down a little:
“Individually identifiable health information” means information that can be traced back to an individual, such as:
- Names, including a last name/initial combination
- All geographical identifiers smaller than a state (with a few exceptions)
- Dates directly related to a person
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate and/or license numbers
- Vehicle identifiers such as vehicle identification numbers (VINs) and license plate numbers
- Device identifiers and serial numbers
- IP addresses
- Biometric identifiers, such as fingerprints, retinal scans, and voiceprints
- Full-face photos
- Any other unique identifying number, characteristic or code
This list should give you a sense of the broad variety of data that can be considered PHI under HIPAA.
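As an added example (not code from the original article), here is a small Python check that scans a record for the machine-detectable identifier categories in the list above and can redact them before a copy is shared. The medical record number format and the sample record are assumptions constructed for this example; names, addresses and biometrics are not pattern-detectable this way and still need human review.

```python
import re

# Patterns for the identifier categories from the list that have a recognisable shape.
# The MRN format is an assumption: real medical record number formats vary by
# organization, so replace that pattern with your own numbering scheme.
IDENTIFIER_PATTERNS = {
    "Social Security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Phone or fax number": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Date related to a person": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "Medical record number (assumed MRN-###### format)": re.compile(r"\bMRN-\d{6}\b"),
}

def find_identifiers(text):
    """Return a list of (category, matched_value) pairs found in the text."""
    found = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            found.append((category, match.group(0)))
    return found

def contains_phi(text):
    """True if any detectable identifier category is present in the text."""
    return bool(find_identifiers(text))

def redact(text):
    """Replace each detected identifier with its category tag so a copy of the
    record can be handed on without the identifying value itself."""
    redacted = text
    for category, pattern in IDENTIFIER_PATTERNS.items():
        tag = "[" + category.split(" (")[0].upper() + "]"
        redacted = pattern.sub(tag, redacted)
    return redacted

# Constructed sample record; every value below is made up for this example.
SAMPLE_RECORD = (
    "Patient: J. Doe, DOB 04/12/1970, MRN-004812\n"
    "SSN 123-45-6789, phone (671) 555-0142, fax 671-555-0199\n"
    "Contact: jdoe@example.com from 192.0.2.44\n"
)

if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_RECORD):
        print(f"{category}: {value}")
    print(redact(SAMPLE_RECORD))
```

A check like this is a screening aid for finding PHI in places it should not be (shared drives, email, exported spreadsheets), not a substitute for the access and handling policies discussed below.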
However, this information also has to be held or transmitted by a covered entity, which includes organizations such as:
- Health plans, including health insurance companies, HMOs and employer-sponsored health plans.
- Clearinghouses, which are third-party systems that interpret claim data between provider systems and insurance payers. Examples include billing services, repricing companies and community health information systems that process such data.
- Providers: Doctors, clinics, chiropractors, dentists, nursing homes, pharmacies and other similar organizations that provide patient care.
- A business associate contracted by a covered entity to carry out its health care activities and functions.
Note that a records management and destruction contractor IS considered a business associate covered by HIPAA. If you hire a company to help you with these services, make sure they thoroughly understand HIPAA regulations.
It’s also important to note that the Privacy Rule excludes employment records that an organization maintains in its capacity as an employer. So although every company has obligations to protect its employee data, these records aren’t necessarily covered under HIPAA.
However, when it comes to PHI, any form or media, whether electronic, paper or oral, is protected under HIPAA. This will become even more critical when we look at some surprising ways your team can unwittingly violate HIPAA.
6 Unexpected Ways You Might Be Committing HIPAA Violations
Often, HIPAA violations are unintentional. Most organizations train their staff in HIPAA compliance, so when a breach does occur, it’s often due to unusual circumstances or to an angle that your team may not have previously considered.
Use this list of potential questions as a checklist to evaluate your current procedures. Could you see one of your staff members in any of the following scenarios? If so, it might be time for some additional training or some tweaks to your current records management policies.
#1: Do you have a system in place so that only specific and authorized individuals can request and receive PHI?
For example, do you have an open room in your organization that contains files with PHI? Could anyone walk in and access this data? Or can anyone request any file at any time? If so, you might want to reconsider your records management policies. Additionally, storing your records off-site can help minimize the risks associated with easy access to protected data.
#2: Does any member of your staff take hard copies of records in personal vehicles?
For example, could a team member take a file home to review it overnight? This can create issues in two areas. First, what if your employee gets into a car accident and the car is towed to a body shop with the file inside? You may have unwittingly committed a HIPAA violation.
Or, let’s say the file slides off the seat of the car and falls open. Your employee doesn’t notice and parks the car in a public parking lot, with the information easily viewable through the car windows. This could represent a HIPAA violation.
If you don’t have policies surrounding these scenarios, you may want to consider putting some in place—and discussing them with your employees.
#3: Do you have an alarm system in your place of business? What about video surveillance?
If someone breaks into your office, would you be aware—and have the tools to track down the intruder? If the location where your records are stored doesn’t offer security measures, this could be another argument in favor of an off-site storage location for your records with security and video monitoring.
#4: Do all employees have the same level of access to your records?
When fewer people have access to your records, it’s easier to reduce the possibility of a breach, especially when you can provide high-level training to anyone who needs access. Consider a records management policy that only provides access to the employees who truly need access to PHI.
#5: How do you ensure that files that leave your facility for destruction are kept confidential?
As we mentioned earlier, any records management or destruction service that handles files with PHI would be considered a “business associate” and, therefore, be subject to HIPAA. When you choose someone to transport, store and/or destroy your records, make sure they understand their obligations from the minute the files leave your office. This includes secure transport to a facility for destruction.
A records management service that’s experienced in HIPAA regulations will know exactly how to execute secure destruction from start to finish. Look for a company with established procedures in place for secure transport or mobile shredding.
#6: Do you have a documented plan in case of disaster or business interruption?
The HIPAA Security Rule requires your organization to maintain a written business continuity plan that includes provisions for data backup and emergency operation procedures. If you don’t already have one in place, you’re not in compliance with HIPAA.
Additionally, regulations aside, if a typhoon hits Guam or another disaster strikes, such as an office fire, it’s important to have these pieces in place. A strong business continuity plan will protect the integrity of your patient and business data so your organization can get back on its feet quickly.
Protecting Your PHI—and Establishing an Important Level of Trust
If your organization is one that’s covered by HIPAA, staying compliant is critical, especially since fines can range from $100 up to $50,000 per violation.
However, even beyond federal regulations, compliance with HIPAA is important for establishing a relationship of trust with your patients and customers. When they share their personal health information with you, they expect you to keep it private. Complying with HIPAA makes it easier for you to do your part. Compliance will also help you prevent problems like identity theft, health insurance fraud—and the liability that comes along with it.
If you’d like to explore how outsourcing your records management and storage can help you stay compliant, our HIPAA-certified team would be happy to help. We can also assist with secure records destruction services. Just reach out to us for a complimentary consultation to get started.