Preparing for HIPAA compliance violations in advance is one of the best ways to limit the damage. However, let’s face facts. Breaking the law is bad for business. There are fines, and your organization’s reputation will suffer! That’s why we emphasize the importance of understanding the law and implementing systems to ensure compliance. However, even the best organizations sometimes make mistakes.
It’s been said that the best way to learn is from experience. However, there is no need to make those mistakes yourself. Instead, you can learn from other organizations that have had problems with HIPAA compliance.
HIPAA Compliance Violations In The News
In 2020, Metropolitan Community Health Services agreed with the U.S. government to pay $25,000 for a HIPAA violation. According to JD Supra, “Metro filed a breach report regarding the impermissible disclosure of electronic protected health information (ePHI) to an unknown email account. The breach affected 1,263 patients. OCR conducted a subsequent investigation that revealed longstanding, widespread HIPAA compliance issues.”
This example is notable for several reasons. First, the organization had to pay a fine, which has an immediate impact on its ability to fund other priorities like patient care. Second, the investigation identified systematic problems with respect to HIPAA compliance. As a result, Metro was asked to carry out a variety of improvements. These improvements include conducting risk assessments, updating their policies and procedures, and submitting documents for review to the government.
If you thought $25,000 was a hefty fine, pay attention! West Georgia Ambulance recently agreed to pay a $65,000 penalty as a result of HIPAA Compliance Violations. As reported by Health IT Security, “In 2013, West Georgia filed a breach report with OCR over the loss of an unencrypted laptop that contained the data of about 500 patients. The investigation that followed uncovered several ongoing HIPAA non-compliance issues, including failing to conduct a thorough and accurate risk analysis of potential risks and vulnerabilities to all its electronic protected health information.”
There are several lessons to learn from the West Georgia Ambulance case. First, security controls regarding portable hardware assets like laptops are essential. In addition to laptops, it is easy to see that other types of portable storage media like USB keys, external hard drives, CDs, DVDs and tables may pose an increased risk of a HIPAA compliance violation if they are ineffectively managed.
It is also interesting to note that West Georgia received a more significant fine than Metropolitan despite the lower amount of patient data involved. This means that every data archive and system needs robust IT security protections. It is not good enough to focus exclusively on the most significant IT systems in your organization.
Develop Your HIPAA Compliance Violation Playbook (Just In Case)
While nobody looks forward to reporting HIPAA compliance violations, it is vital to be prepared. If a HIPAA compliance issue is detected and not reported, you may face even greater scrutiny and pressure from the government. Therefore, it is wise to develop proactive systems and processes to detect and report procedures.
Use the following principles to build your HIPAA compliance violation reporting procedures:
● Study the HIPAA compliance violation requirements. The U.S. government has specific requirements regarding when and how violations must be reported. Take the time to study these expectations so your report is complete.
● Develop reporting timelines. You cannot drag your feet in reporting these violations. After all, just think about your patients — they deserve to know what is happening to their health information.
● Build a quality assurance review on the violation report. Before submitting a report to the government, complete a quality review of the report to verify that all of the facts are correct.
● Schedule a root cause analysis. The government may take some time to complete its analysis. While that process is underway, conduct your analysis. There are probably gaps in systems, training and procedures that you can identify and improve while you wait for the government to complete its review.
Preventing HIPAA Compliance Violations With This Process
Now that you know the types of fines and publicity that come from violations, it is time for a different perspective. Adopt a proactive approach to fulfilling HIPAA compliance, and you may never need to worry about reporting a violation. There are multiple facets to HIPAA, so we cannot cover everything here. We will focus on IT security systems since poor IT security practices and technology tend to be an important factor leading to violations. Use these steps to move from where you are today to a more compliant organization.
Assess Your Current Situation
Start by gathering information on the IT systems that contain health-related data in your organization. In addition to an inventory of systems, you also need data on the IT security controls. For example, determine how access management is governed for the various systems.
Evaluate Which IT Software Solutions Are Required To Increase Compliance
Depending on the nature of the problems you discover, you will need different solutions. If you find out access and permissions are disorganized, an access management software solution will be required. On the other hand, you may find that your systems are generally sufficient, but the IT security team is overworked. When your IT security specialists are overloaded with work, it is more likely they will miss something. In that situation, implement Apollo to take on repetitive tasks like password resets.
Develop Your Business Case To Leverage Software To Improve HIPAA Compliance
Now you need to do the work to obtain resources and staffing to implement the new software. For the best results, organize a cross-company project team. For example, you may need support from human resources to update HIPAA compliance training materials. Finance may have expectations regarding expense management for the project. Take all of these needs into account as you build your business case. For additional advice on how much time you should spend on your business case, read our article: How Much Time Should You Spend On Your Password Management Business Case?