15 HIPAA Law Death Traps To Avoid


HIPAA law goes by many names:

  • The HIPAA Security Rule
  • The HIPAA Privacy Rule
  • “HIPPAA” Law
  • HIPAA Confidentiality Law
  • PHI Data Protection Law
  • Private Patient Information Law

They’re all facets of the same thing (and one misspelling).

By any name, HIPAA contains hundreds of opportunities for employers to fall prey to millions in fines.

There are a thousand doors for protected information to sneak through, and tech is always rapidly advancing, creating more. But should you worry more about breaches from networks, physical IT, or some other source?

This article will show you the biggest HIPAA law pitfalls, based on an analysis of recent fines and breaches.

What is HIPAA Law?

What’s the definition of HIPAA law?

The full name is the Health Insurance Portability and Accountability Act.

The definition of HIPAA is: The US data privacy and data security law that safeguards Protected Health Information (PHI).

It’s basically the law that protects patient info from falling into the wrong hands. It puts the burden of protecting PHI on the provider.

HIPAA Privacy Rule vs Security Rule

The HIPAA Privacy Rule is the law that protects patient PHI from leaks. It establishes national standards that shield patient medical records and other protected health information.

The HIPAA Privacy Rule applies to health care providers, clearinghouses, and plans.

The HIPAA Security Rule is a narrower subset of the Privacy Rule. It specifically protects electronic health information.

How Do Employers Run Afoul of HIPAA Law?

Private clinics and practices can get hit with the same HIPAA law problems as massive healthcare providers.

In a MedPro survey of HIPAA violations, we found that a lack of regular Risk Assessments and Risk Management Plans caused the most common and costly fines.

Other major culprits include failure to protect PHI, either in physical equipment like laptops and USB drives, or in networks.

For the full list of major HIPAA Security Rule and Privacy Rule pitfalls, see below.


What is HIPAA PHI?

PHI is “Protected Health Information.”

Any release of it to third parties by “covered entities” violates HIPAA law’s Privacy Rule.

Examples of PHI include:

  • Patient billing info
  • Appointment scheduling notes for patients
  • Patient emails about medications
  • Blood test results
  • MRI scans
  • Phone records

Examples of non-PHI health info include:

  • Calories burned
  • Steps in your pedometer
  • Heart rate readings without info that identifies the patient
  • Blood sugar readings without info that identifies the patient

What is a HIPAA “Covered Entity?”

Covered Entities are those that provide treatment, operations, or payment in healthcare. All covered entities are subject to HIPAA law.

Covered entities include:

  • Doctors’ offices, clinics, dental offices, psychologist offices
  • HMOs, insurance companies, health plans
  • Nursing homes, healthcare agencies, hospitals
  • Health clearinghouses, government healthcare programs
  • Pharmacies

15 Big HIPAA Law Pitfalls to Run from Like Godzilla, Ranked

What is HIPAA’s biggest, meanest violation?

The list below contains the biggest HIPAA law pitfalls of 2016 and 2017. We’ve ranked them in order of most common and costly.

The rankings come from a MedPro analysis of 2016 and 2017 HIPAA violations. Each has resulted in fines of over $1 million for individual providers.

1. Failure to Conduct a Regular HIPAA Law Risk Assessment

Here’s a horror story.

Your office admin hands you a sheet of paper.

It’s a letter from OCR. You’re being investigated for a HIPAA law breach.

That’s bad enough, but when the ashes settle, you get a second fine because you didn’t conduct a regular HIPAA Risk Assessment.

That infraction boosts your penalty into the seven-figure zone.

This scenario has played out nightmarishly for several healthcare employers in 2016 and 2017.

This is the most frequent and most costly HIPAA violation.

Why is it so prevalent? Because it piggybacks on other HIPAA Privacy Rule breaches.

Example HIPAA Law Breach

In 2016, a healthcare employee left a company laptop in his car. When a thief stole the laptop, PHI was compromised.

The fine? $5.55 million.

A big part of that came from the failure to conduct a risk assessment.

So, just what is a HIPAA risk assessment?

A HIPAA Law Risk Assessment is required by DHHS for all covered employers that handle PHI.

A Risk Assessment Is an Internal Analysis that Covers:

  • Any risks to PHI data, including electronic media, transmissions, portable media, networks, desktops, business associates, etc.
  • Data storage, including hosting providers.
  • Potential vulnerabilities and threats.
  • Determining the likelihood of threats.
  • Determining the likely impact of threats.
  • Assessment of current security measures.
  • Determining your overall risk level, with corrective actions planned.
  • Retaining final analysis in writing in case of a HIPAA law investigation.

How Often Should You Conduct a HIPAA Risk Assessment?

The HIPAA Security Rule doesn’t mandate a timeline for risk assessments. That said, providers should at least reassess HIPAA violation risk every time they plan to adopt a new technology.

You should also reassess risk when changing business operations.

Given the pace of technology and business, once a year is probably the best window. Every six months is not unreasonable.

The HIPAA Law Breach: A laptop was stolen and PHI data compromised; upon investigation, OCR found that no risk assessments had been conducted.

The Fix: Conduct regular risk assessments and document them to avoid an ugly HIPAA Privacy Rule violation.

Bonus Violation: A MedPro analysis found several 2016 HIPAA law breaches where the lack of risk assessments added insult to injury. Fines reached the tens of millions.
