{"id":238,"date":"2016-08-08T15:18:21","date_gmt":"2016-08-08T22:18:21","guid":{"rendered":"https:\/\/blog.sprucehealth.com\/?p=238"},"modified":"2023-10-26T06:22:43","modified_gmt":"2023-10-26T13:22:43","slug":"5-hipaa-violations-likely-cost-avoid","status":"publish","type":"post","link":"https:\/\/sprucehealth.com\/blog\/5-hipaa-violations-likely-cost-avoid\/","title":{"rendered":"The 5 HIPAA Violations Most Likely to Cost You (And How to Avoid Them)"},"content":{"rendered":"

Everybody knows that HIPAA violations can be costly, with penalties\u00a0that can include seven-digit fines and jail time. Even worse, the combined text of the current HIPAA regulations stretches to 115 pages<\/a>\u00a0and more than 60,000 words.\u00a0It’s little\u00a0wonder, then, that\u00a0most healthcare providers are\u00a0scared they might be missing something that could\u00a0ruin them financially or put their practice in jeopardy.<\/p>\n

Luckily, the Office of Civil Rights (OCR), which enforces HIPAA, makes data available<\/a> on its\u00a0investigations and enforcement actions. We can see exactly how many complaints they field each year (about 10 to 20 thousand), how many of these result in “corrective actions” (about 20 to 30%), and most importantly, what types of HIPAA violations\u00a0most commonly result in corrective actions. “Corrective action,” by the way, is the OCR way of saying that you’re likely settling\u00a0(paying the government) or paying a fine (also paying the government) in addition to agreeing to a plan to rectify and then monitor your areas of violation, which will also cost money and time to carry out.<\/p>\n

HIPAA Violations Most Likely to Get You a Corrective Action<\/h1>\n

So which areas of your HIPAA coverage should you focus on most to avoid the dreaded corrective action? Let’s go\u00a0right to\u00a0the horse’s mouth and see what OCR says<\/a>:<\/p>\n

1)\u00a0Impermissible Uses and Disclosures<\/h2>\n

This has been the undisputed #1 type of violation to net a corrective action\u00a0for every year in the last decade<\/a>, which makes sense. HIPAA is very focused on what you’re doing with the protected health information (PHI) that is under your control, and improper uses and disclosures of that information are obvious areas for enforcement. Additionally, patients are likely to notice and be upset about this type of violation, which could increase the volume of complaints to OCR for this category.<\/p>\n

An easy\u00a0two-step process to avoid this violation:<\/p>\n

    \n
  1. Identify the PHI that you have<\/strong>
    \nPHI is “all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” For more on this, see the Health and Human Services (HHS)     site<\/a>.<\/li>\n
  2. Identify and validate your uses and disclosures of this PHI<\/strong>
    \nLoosely, a “use” occurs when you’re doing something\u00a0internal with PHI and a “disclosure” occurs when you’re sharing PHI with an outside person or organization.
    \nHIPAA allows uses and disclosures\u00a0without specific authorization in the following six categories:\u00a0“(1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations.” Some of these categories\u00a0are opaque, but HHS provides     guidance<\/a> to clarify them. Other uses and disclosures typically require authorization from the patient.<\/li>\n<\/ol>\n

    2) Lack of Safeguards<\/h2>\n

    HIPAA requires that you maintain\u00a0“administrative, technical, and physical” safeguards to prevent impermissible uses or disclosures of protected health information (PHI). These three types of safeguards are very important throughout all of HIPAA, and it’s worth your time to understand them<\/a>.<\/p>\n

    What’s important here is that\u00a0it’s not just your\u00a0uses and disclosures that can get you penalized; you are also responsible for the systems that you have in place to prevent<\/em> those uses and disclosures. Identify what systems you need (administrative, technical, and physical), implement them, document them, and maintain them.<\/p>\n

    3) Lack of Patient Access<\/h2>\n

    Patients have a right to obtain copies of their\u00a0medical records in almost all cases, and you have a duty under HIPAA to provide complete versions of those records in a timely fashion, at minimal or no cost, and in a reasonable format of the patient’s choosing. Patients may also request an accounting of disclosures that you have made of their protected health information (PHI). There are some caveats to these rules but not many. The HIPAA “Privacy Rule” covers this topic more extensively, if you are curious about the details.<\/p>\n

    Patients also typically have the right to request that\u00a0information in their records\u00a0be amended\u00a0when that information is inaccurate or incomplete. You should make every effort to comply with such\u00a0requests in a timely fashion, too.<\/p>\n

    4) More Than the Minimum Necessary<\/h2>\n

    The concept of the “minimum necessary” amount of information is a guiding principle in HIPAA. In all situations, you should seek to use or disclose the absolute minimum<\/strong> amount of protected health information (PHI) that is necessary to accomplish the goal of the use or disclosure. For example, if sending a patient’s name and birthday is all that is needed\u00a0for a certain permissible disclosure, then do not also send their entire problem list or their current medications. Always think, “What is the least amount of information needed to get this task done?”<\/p>\n

    5) Lack of Administrative Safeguards<\/h2>\n

    If\u00a0this seems like a partial repeat of the general “Lack of Safeguards” category above, then that’s because it almost is. The difference here is that OCR is highlighting a lack of administrative safeguards on electronic<\/strong> protected health information (PHI). Remember that PHI refers to health information in any form, electronic or otherwise, and it is covered by the HIPAA Privacy Rule. Electronic PHI, however, gets special, more in-depth regulation, and it is the subject of the entire HIPAA Security Rule. All types of PHI need administrative, technical, and physical safeguards, but HIPAA gives these extra attention\u00a0when the\u00a0PHI is in electronic form.<\/p>\n

    If you’re handling electronic PHI, then you need to be familiar with the HIPAA Security Rule<\/a>\u00a0and its extra specifications for administrative, technical, and physical safeguards. It would be a shame to\u00a0do a good job on general PHI safeguards and then get nailed for missing ones that are specific to electronic PHI.<\/p>\n

    \n

    That’s it. Those are the five\u00a0HIPAA violations\u00a0most likely to end with\u00a0penalties for you, and that’s straight from the government office\u00a0that does\u00a0the enforcing. For more information on getting your HIPAA ducks in a row, check out our easy, complete HIPAA compliance checklist<\/a>\u00a0and also the\u00a0Department of Health and Human Services<\/a>.<\/p>\n

    This article is part of a series of posts relating to HIPAA law and regulation. The information provided is\u00a0meant as general guidance only and is not intended to be legal advice.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

    Everybody knows that HIPAA violations can be costly, with penalties\u00a0that can include seven-digit fines and jail time. Even worse, the combined text of the current HIPAA regulations stretches to 115 pages\u00a0and more than 60,000 words.\u00a0It’s little\u00a0wonder, then, that\u00a0most healthcare providers are\u00a0scared they might be missing something that could\u00a0ruin them financially or put their practice in jeopardy.<\/p>\n","protected":false},"author":1,"featured_media":468,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"slim_seo":{"title":"The 5 HIPAA Violations Most Likely to Cost You (And How to Avoid Them) - Spruce Blog","description":"Everybody knows that HIPAA violations can be costly, with penalties\u00a0that can include seven-digit fines and jail time. Even worse, the combined text of the curre"},"footnotes":""},"categories":[14],"tags":[16,15],"different-template":[],"class_list":["post-238","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hipaa","tag-compliance","tag-hipaa"],"acf":[],"_links":{"self":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":0,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media\/468"}],"wp:attachment":[{"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/tags?post=238"},{"taxonomy":"different-template","embeddable":true,"href":"https:\/\/sprucehealth.com\/blog\/wp-json\/wp\/v2\/different-template?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}