The Violation

A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions. HIPAA violations are more common than you think. In May 2020, a nurse threw away documents that contained PHI in a regular trash can — which was a common practice in her office. Her employers found out and not only was she reported to her state nursing board (and faced sanctions therein), she also lost her job.

Some of the most common HIPAA violations are: snooping on healthcare records, insufficient ePHI access controls, failure to encrypt/safeguard ePHI on portable devices, impermissible disclosure of PHI, improper disposal of PHI, leaving devices/paperwork unattended, emailing PHI to personal devices, and releasing patient information to an unauthorized individual.

The rise of social media in the last decade has also increased the number of breaches. Unless prior written authorization has been granted, it’s impermissible to post pictures and videos of patients online — even through messaging platforms such as Facebook Messenger and WhatsApp. Many recent violations involving social media have involved nurses taking pictures of patients in degrading positions and videos of patient abuse. Even snapping a quick “work selfie” can have serious consequences if PHI or a patient is visible in the background.

COVID-19, combined with some institutions’ lack of preparedness, has also brought a rise in HIPAA-related violations. A Michigan nurse viewed the charts of several patients in April 2020 to see if the hospital was following proper protocols and procedures. When administration was made aware of what this nurse was doing, they terminated him and cited HIPAA violations as the cause. Although the nurse’s intent came from a good place, the way in which he went about obtaining this information was not permissible. There are outside channels for reporting suspected misconduct to regulatory agencies that still comply with HIPAA rules.

HIPAA is More Than a Policy, It is the Law

The Penalty

Generally, one of four things could arise from a HIPAA violation: (1) internal reprimand by the employer, (2) job termination, (3) professional board sanctions, and (4) criminal charges including fines and imprisonment. Healthcare individuals and those who fall under “covered entities” are subject to HIPAA compliance and in turn, penalties from a violation.

The nature of the penalty depends on the severity of the violation. Several factors can influence whether an employer, professional board, federal regulator, or the Department of Justice takes action, including: the nature of the violation, whether the person knew HIPAA rules were being violated, what action was taken to correct the violation, whether there was malicious intent or personal gain when the violation occurred, the harm caused by the violation, the number of people affected, and whether the violation falls under the criminal provision of HIPAA.

If any person or entity regulated by HIPAA is found during an audit not to have complied with HIPAA regulations, that failure to comply can result in penalties — even if there isn’t a breach. Employers are also on the hook for an employee who violates HIPAA but never received the training necessary to prevent the violation. This is why it is important to provide training and to document what was covered, when it took place, and who attended. Many employers make HIPAA training mandatory during the orientation process.

Prevention

If you’re ready to take the next step to protect your practice, contact us today for courses, training, or general risk management and compliance guidance! Learn more about me and my practice or connect with me on Instagram, LinkedIn, Twitter or Facebook. Join my mailing list to learn more about upcoming events and resources for you and your practice.