HIPAA violations are unfortunately quite common in the US healthcare industry. According to the Office for Civil Rights (OCR), at the time of writing there have already been 421 reported violations in 2020. Countless further cases are still under investigation, and in March, in response to the COVID-19 pandemic, OCR announced additional enforcement discretion to help healthcare professionals cope with unprecedented challenges.
Our research has identified that over 20 million records of protected health information (PHI) were involved in the violations recorded in 2020, a staggering figure, especially considering that the maximum penalty per record increased to $59,522 in January 2020. This evidence suggests that much can still be done to protect patient data.
What are the most common HIPAA violations?
It is a mandatory requirement of the HIPAA Breach Notification Rule (2009) that healthcare organizations report a breach. The Final Omnibus Rule amendment of 2013 set in stone exactly what a breach is and when the affected patients must be notified.
As this data is recorded and freely available, it is possible to understand what the most common HIPAA violations of 2020 have been:
| Type of Breach | Count | Individuals Affected |
|---|---|---|
| Hacking / IT incident | 297 | 19,087,504 |
| Unauthorized Access / Disclosure | 80 | 447,246 |
Source: U.S. Department of Health and Human Services Office for Civil Rights – Cases Currently Under Investigation database (January 1st, 2020 to October 19th, 2020)
As the evidence presented above suggests, the most common violation is a Hacking / IT incident. This is a very generalized term that needs clarification. It includes breaches caused by ransomware, malware, viruses, unsecured remote connections, and external bad actors.
How to prevent HIPAA violations
Medical institutions are a primary target for hackers and cybercriminals globally, and the professional harm inflicted by a data breach is very real. HIPAA compliance demands that any PHI breach be reported, and depending on the severity of the breach, limitless fines and a tarnished reputation become all the more probable.
Here are our top seven tips for preventing the most common HIPAA violations:
Outsource IT Systems
HIPAA compliance is not easy to achieve, as there are several required safeguards and numerous recommended safeguards to complete. The most effective way to mitigate violations is to operate IT Systems within a HIPAA compliant hosting environment.
Some organizations choose in-house hosting, with mixed results, but outsourcing to a reputable HIPAA compliant hosting provider will instantly provide significant layers of protection against the most common violations.
Change your organization’s security thinking
Making a change to the security outlook of a covered entity is essential. Securing PHI is the cornerstone of HIPAA and one of the most important first steps towards compliance. Know where PHI is stored and how you process it. Knowing what PHI you have creates a baseline to work from; that baseline acts as a line in the sand, defining how PHI is handled and processed and providing a roadmap to the desired state configuration.
Protected health information must be encrypted at rest and in transit with at least 256-bit AES encryption. Not protecting PHI is a common HIPAA compliance violation. An IT partner can help achieve encryption compliance with ease by introducing technical solutions that encrypt data rapidly using an encryption key unique to you; as a result, no one else can access the data, because only you hold the master key.
Encrypting databases and devices such as laptops, tablets, and mobile phones renders the data useless if the data or a device is lost or stolen.
HIPAA requires access controls at both the physical layer and the logical layer to prevent unauthorized access and disclosure. In practice this means users have limited access to select computer systems, and healthcare professionals can only reach the data that is relevant to their role.
Access Control Lists are used to manage user privileges, and enforcing automated logoff and lock-screen timeouts is essential. Physical access must be restricted, and everyone who enters or leaves a restricted area of a building must be audited, particularly for areas that contain computer systems managing PHI; most commonly this will be a data center.
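The two logical controls just described, role-limited access to PHI fields and automatic logoff after an idle period, as an added Go example written for this article (not any vendor's implementation). The role-to-field policy, the 15-minute timeout and the user names are constructed for the example; the audit line written for every decision is what lets an unauthorized disclosure be detected afterwards.

```go
package main

import (
	"errors"
	"time"
)

// fieldACL maps each role to the PHI fields its job actually needs, the
// "only the data relevant for their role" principle. Constructed policy.
var fieldACL = map[string]map[string]bool{
	"physician": {"name": true, "dob": true, "diagnosis": true, "medications": true},
	"billing":   {"name": true, "dob": true},
	"reception": {"name": true},
}

// idleTimeout is the automatic-logoff window; a constructed value for the example.
const idleTimeout = 15 * time.Minute

type Session struct {
	User       string
	Role       string
	LastActive time.Time
}

var ErrLoggedOff = errors.New("session expired by automatic logoff")
var ErrDenied = errors.New("field not permitted for role")

// authorize applies both controls before any PHI is released: the session must not
// have idled past the logoff window, and the role must be allowed the requested field.
// On success it returns the session with its activity timestamp refreshed.
func authorize(s Session, field string, now time.Time) (Session, error) {
	if now.Sub(s.LastActive) > idleTimeout {
		return s, ErrLoggedOff
	}
	if !fieldACL[s.Role][field] { // unknown roles get a nil map and are denied
		return s, ErrDenied
	}
	s.LastActive = now
	return s, nil
}

// auditLine is the record written for every decision, allowed or denied.
func auditLine(s Session, field string, err error, now time.Time) string {
	outcome := "ALLOW"
	if err != nil {
		outcome = "DENY(" + err.Error() + ")"
	}
	return now.UTC().Format(time.RFC3339) + " user=" + s.User + " role=" + s.Role +
		" field=" + field + " result=" + outcome
}
```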
Training is the best way to protect against all common types of data breach, especially Hacking / IT incidents, Unauthorized Access / Disclosure, Theft, Improper Disposal, and Loss.
HIPAA training for health professionals should be compulsory. Training is essential for employees to understand what PHI is, and how employees must handle PHI. Training about the latest cybersecurity threats as well as learning what a data breach is, and the different ways in which a data breach can occur is essential.
Training helps to embed an understanding of what constitutes PHI and how to recognize phishing attempts via email or phone. It should also cover how to use cloud computing services and IoT devices, and the user and computer etiquette needed to protect against human error, viruses, ransomware, and malware.
HIPAA requires that all business services be documented to formulate the roles and responsibilities of everyone involved. This typically involves employing a representative to ensure the legislation is followed and processes are learned, evolve, and develop over time. Any concerns should be reported and acted upon.
Business continuity planning is a mandatory objective of HIPAA compliance. It requires administrative and technical planning to host services and process PHI in the event of a disaster scenario such as a total system outage caused by ransomware, or a natural disaster that takes the primary data center offline.
Technical measures must include a backup schedule that protects all PHI; quite often the quickest way to recover from a major incident is to restore from a backup. Other technical solutions must be in place to fail over core business services in the event of a computer system outage. This is commonly done through a cloud hosting partner that maintains replica computer systems in an alternative location, which can be brought online once a disaster is declared.