The 10 Biggest HIPAA Compliance Mistakes
With HIPAA fines and violations costing healthcare organizations $50,000 per occurrence with a maximum fine of $1.5 million per violation, it is critical you are fully compliant in every aspect of HIPAA.
This information will help you understand the biggest and often simplest mistakes healthcare organizations, big and small, are making in their HIPAA compliance efforts. Review this list and see if you are liable for big fines because your organization is not completely HIPAA compliant.
- 1. Thinking you are compliant...but not knowing for sure
- This is where the trouble begins. Many healthcare organizations unwittingly do some training, have a large HIPAA manual, assign a pseudo-compliance officer, complete some paperwork and have a few Business Associate Agreements with some major vendors and think, “We’re good!” It’s the biggest mistake of all...there is no such thing as HIPAA-lite! If you aren’t doing EVERYTHING required, you will eventually pay a hefty price!
- 2. Not having a Business Associate Agreement with all your required vendors and their subcontractors
- This is becoming one of the biggest reasons why healthcare organizations are being audited. It's now the law that any of your vendors that touch PHI must be HIPAA compliant, and you have to have a signed, updated and annually reviewed agreement...with no exceptions!
- 3. Not following through on administrative policies, procedures and training
- Yes, with all the security and cyber-security threats out there every day, you must have technology in place to protect yourself...but what most healthcare organizations don’t realize is that 80% of all violations are caused by in-house administrative mistakes such as not having updated polices, adequate, ongoing and verifiable training, and employee attestations of abiding by the procedures. This problem, which can result in huge fines, is totally within your control!
- 4. Not training your employees on corrupt (phishing) emails
- Keep this in mind: during the first five months of 2019, over 12 healthcare organizations here in the Twin Cities were breached and ended up on The Wall of Shame. 80% of those breaches occurred because an employee clicked on a corrupt email they never should have opened! It’s critical that you have ongoing security training for your employees, especially regarding the constant flow of phishing emails!
- 5. Not having adequate encryption...especially with mobile devices
- Encryption translates data into an unreadable form or code so only the people with access or the password can read the information. The dangers of leaving Protected Healthcare Information (PHI) without encryption should be clear to your entire organization. Encrypting the PHI if it is lost or stolen provides a necessary and required layer of security!
- 6. Thinking hacking, ransomware and cyber-criminals don’t apply to you
- The healthcare industry is the most hacked industry in the U.S. today, with 88% of all ransomware attacks aimed at healthcare practices just like yours! Anti-virus and other minor security measures are not adequate enough to protect your PHI and your company from breaches, HIPAA violations, and fines. The bad guys don’t care who you are or how big you are...you are just an IP address in the healthcare industry to them, and they know your data is valuable on the Dark Web!
- 7. Not reporting lost or stolen devices
- How many different devices do employees use or bring to work? The list includes, phones, tablets, laptops, and wearable devices just to mention a few. There was a case with an iPhone containing vast amounts of ePHI that was settled for $650,000. The iPhone was not password-protected or encrypted, causing the fine...and the fine was against a Catholic nonprofit organization! If devices are not stored in a secure location, they are subject to loss or theft, and if they are not encrypted, the penalty becomes even more severe!
- 8. Human Error
- With healthcare organizations having so many employees, it is often thought that the lowest level employees are the people to worry about, but this is not true at all. Doctors, nurses, management and administrative staff are often the culprits affecting HIPAA compliance. Until now, it has often been overlooked that one of the most common HIPAA violations is the mishandling of medical records by your own professional team!
- 9. Thinking your IT provider is keeping you compliant
- Although technology and HIPAA are now closely tied together, hearing that your IT provider has a full and robust cyber-security program does not make you HIPAA compliant. There are many incidents of companies, now occupying a place on The Wall of Shame, who learned the hard way that their IT firm wasn’t compliant and had failed to follow the HIPAA guidelines for both themselves and their healthcare client. Don't let this happen to you!
- 10. Failure to document your compliance
- One of the most frustrating issues that often results in hefty fines is when a healthcare organization does everything right but neglects to provide the evidence that they did it. It isn’t enough that you obey all the HIPAA regulations and guidelines, but you must also document and prove you did so. It’s really easy to fix, but when you're audited, you can’t say you're sorry...it’s too late!
As you know, keeping your healthcare organization HIPAA compliant is an ongoing process. Hopefully this information made you think twice and helped you reconsider your efforts, bringing to light some of the gaps you may need to fix right away.
Take a look at Imagine IT’s HIPAA Security Shield so you can quickly see how thoroughly we can help protect you and your organization now. Please contact us today to start a conversation!
Download Your Copy of The HIPAA Checklist