The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure healthcare data is safeguarded and patient privacy is protected. Violating this act not only costs the healthcare industry thousands of dollars in violation fees but puts their most precious asset at risk: patient health information.
What is a HIPAA Violation?
A violation of HIPAA is defined by hipaajournal.com as failing to comply with an aspect of HIPAA standards and provisions. Some of the most common violations are:
- Unauthorized access to Patient Health Information (PHI)
- Failure to implement procedures to ensure confidentiality, availability, and integrity of PHI
- Not maintaining PHI access logs
- Failing to provide HIPAA training and security awareness training
- Not implementing access controls to limit who can view PHI
- Failing to encrypt PHI to prevent unauthorized access
The Office of Civil Rights (OCR) under the US Department of Health and Human Services (HHS) reveals violations through internal audits. According to hhs.gov, in 2018, the OCR received 25,912 complaints about health information privacy.
Audits are commonly done after the OCR receives a complaint of a HIPAA violation, after a data breach occurs, or in some cases, an employee self-reporting a violation. While an internal audit can result in bad press and costs, some consequences are even more severe.
Severity of Violating Patient Health Privacy
An OCR investigation that finds there to be a violation will result in advising the organization to comply voluntarily, undergo a corrective action, or create a resolution agreement. If a violation complaint describes an action that could violate the criminal provisions of HIPAA, the complaint may then be transferred to the Department of Justice (DOJ).
If the violator does not adequately resolve the issue, the OCR can impose civil money penalties which are determined based on a tiered civil penalty structure. The HHS Secretary determines the total cost based on the violation and the extent of its harm. Criminal penalties are handled by the DOJ.
Criminal penalties include entities and individuals who knowingly obtained or disclosed personally identifiable health information. Those who commit this violation can face up to a $50,000 fine and one year of imprisonment. Offenses committed under false pretenses allow penalties to increase to $100,000 and up to five years in prison. If a violation was committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious purposes, face up to $250,000 and ten years in prison. Directors, employees, or officers in any level of healthcare are liable for these charges.
2018 saw the largest amount of HIPAA penalty amounts at just under $30 million according to the HIPAA Journal. It went on to state that the average HIPAA penalty cost due to violations was just over $2.5 million. Thus far in 2019 according to compliancy-group.com, there have been $12,945,000 in HIPAA fines.
Protecting Patient Data and Company Reputation with Encryption
One of the most common HIPAA violations is not encrypting PHI to prevent unauthorized access. The SecureDrive product line is hardware encrypted to completely eliminate data leaks. The devices themselves are FIPS 140-2 Level 3 Validated and HIPAA compliant, giving the healthcare industry a secure solution that can be added to an existing workflow.
The SecureDrive BT can only be unlocked using a mobile app and allows for authentication via fingerprints or facial recognition for an added layer of security. Training on how to use these devices takes minimal time and allows administrators to focus on other projects.
A physician-owned hospital recently adopted the use of the SecureUSB BT and an administrator commented on the ease-of-use for all levels of employees. Another valuable feature for healthcare is the ability to remotely wipe the drive from anywhere in the world using a mobile device. If the SecureDrive BT or SecureUSB BT becomes lost or stolen, no unauthorized access will take place.
Finally, an administrator can limit access to PHI on the SecureDrive products with remote password change and read-only mode. An administrator will also be able to monitor when an employee unlocks a device and accesses data through the access log built into the mobile app. There, a documented list of who attempted to access a drive, when and where it took place will be available.
With the proper security protocols and encrypted data storage, following HIPAA guidelines is a simple practice for anyone in the healthcare field.