The Health Insurance Portability and Accountability Act (HIPAA) is a law with wide-ranging implications for privacy. It sets national standards designed to protect the health information of employees, patients, and customers.
Protected Health Information (PHI) includes medical records, billing information, and even conversations regarding a patient’s health.
Just about every organization with employees deals with sensitive health information in some form or another—and if that’s the case for your company, your employees need to be trained in how to handle that information without violating HIPAA rules. Here’s why.
Because it’s the law
Some people see “HIPAA” and think “healthcare.” As in, if you don’t work for a healthcare organization or you’re not in a medical profession, you don’t have to care about it. That would be wrong.
According to the HIPAA Privacy Rule (45 CFR 164.530(b)(1)):
“A covered entity must train all members of its workforce on the policies and procedures with respect to PHI…as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.”
A “covered entity,” as defined by HIPAA, includes health plans, healthcare providers, and healthcare clearinghouses. “Business associates” who serve as contractors to these organizations and handle personal health information in the course of their work also have to comply.
These rules may seem specific to the healthcare industry, but their reach is broader than that. For instance, the term “health plans” refers to organizations such as HMOs, Medicare, and Medicaid, but it also applies to any employer that handles personal health information when it enrolls its employees in healthcare benefits.
HIPAA law requires any employee or contractor who handles protected health information to be trained in HIPAA compliance. This includes those who work in hospitals, clinics and doctors’ offices, but it also includes any company or organization that has employees who might handle sensitive health information.
Because HIPAA violations can be costly
HIPAA fines are organized in tiers, tied to both the severity of the violation and how conscious the perpetrator was that they were breaking the law. Here’s a breakdown:
Tier 1: $100 to $50,000 per violation; capped at $25,000 per year: The perpetrator did not know they were breaking the law, and wouldn’t have known even if they’d done due diligence.
Tier 2: $1,000 to $50,000 per violation; capped at $100,000 per year: There’s reasonable cause to believe the perpetrator would have known they were violating the law if they had done due diligence.
Tier 3: $10,000 to $50,000 per violation; capped at $250,000 per year: The perpetrator deliberately ignored the rules, but corrected the action within 30 days once it was uncovered.
Tier 4: $50,000 per violation; capped at $1.5 million per year: The perpetrator deliberately ignored the rules and did not try to fix the issue within 30 days of the violation being uncovered.
A HIPAA violation can be extremely costly if, say, your healthcare organization keeps records on thousands of patients, and the security of that data was breached in a way that violated HIPAA law. In cases like this, each record exposed in the breach may be counted as a separate violation, each carrying its own hefty fine.
There have been some high-profile violations in the news. For instance, in 2018, Blue Cross Blue Shield carrier Anthem, Inc. was fined $16 million after its records were breached in the largest healthcare cybersecurity hack in US history. During that attack, the health records of over 79 million people were compromised.
However, big companies aren’t the only organizations at risk. The HHS Office for Civil Rights can and does prosecute small businesses and even individuals for HIPAA violations. Some examples include:
An orthopedic practice hired a third-party provider to convert its hardcopy x-rays to digital format. It forgot to have the provider sign a business associate agreement, and now owes $750,000 in fines.
A small dermatology practice was fined $150,000 for losing an unencrypted flash drive with patients’ sensitive health information on it.
A cardiology practice was fined $100,000 for using an online calendar app to book appointments. The issue was that the names of all patients who had booked appointments were clearly visible on the app to other patients who signed in.
Because the consequences often go beyond money
In addition to massive fines for companies, individuals found responsible for negligence may face jail time for more severe violations.
A recent example involves a staff nurse at a clinic who accessed the health records of the plaintiff in a personal injury suit against her husband. The nurse passed the records to her husband’s lawyer, thinking they would help his case. She’s now facing 10 years in prison as well as a $250,000 fine for a major HIPAA violation.
Companies can face consequences beyond the monetary as well. HIPAA violations are in the public record. These kinds of violations can reduce customer trust in a company’s brand, and reduce the company’s ability to attract clients, customers, and top talent.
Because untrained employees are one of the biggest causes of HIPAA violations
Despite the high consequences of HIPAA violations, many instances of non-compliance occur inadvertently—because the employees involved aren’t adequately trained.
HIPAA violations are sometimes tied to cybersecurity breaches, where negligent employees are one of the top causes. But there are plenty of other ways untrained employees can violate HIPAA laws—it’s surprisingly easy to do.
Here are some of the easy ways your employees can violate HIPAA law without even knowing it:
Keeping protected documents in with other documents. Physical files that contain protected health information can’t be kept in the same unlocked drawer as other files. They need to be kept in a secure location, such as a locked filing cabinet, desk, or office.
Failing to encrypt data. Digital files containing sensitive health information should be password-protected, as well as encrypted—just in case the device where the information is stored gets stolen, lost, or hacked.
Failing to update their antivirus software. Instances of hacking are common, and frequently expose protected health records. And the problem is getting worse. In 2018, over 15 million patient records were exposed through hacking; by halfway through 2019, hackers had already accessed more than 25 million protected records.
Not all of these breaches were caused by rank-and-file employees failing to update their antivirus software. But in an age where hacking has grown increasingly common, no employee can afford to be casual about maintaining security on their individual devices.
Leaving their work phone or computer unsecured. Cases have occurred where employees have had their work phones and computers stolen—and those devices contained a large amount of protected health information.
If a work phone or laptop contains protected information, it can’t be treated the same as a personal device—taken home or on the road and left unattended, even briefly, in a bag or briefcase. It has to be kept in a secure location at all times.
Casual conversations by the water cooler. Until they’re trained, many employees don’t realize that even casual gossip among coworkers can be considered a HIPAA violation.
Conversations regarding people’s protected health information should only occur on a need-to-know basis, with the appropriate team members, and ideally behind closed doors.
Forgetting to properly dispose of records. You can’t just toss people’s healthcare records in the trash. All documents that contain protected health information must be disposed of properly—which might involve being shredded or thoroughly deleted from a computer hard drive.
Talking about private information with the wrong person. Medical professionals can make this mistake when they disclose health details about a patient to family members who aren’t authorized to receive it. It’s a common error, but only dependents and people with Power of Attorney should have access to a family member’s protected information.
The key thing here is that even casual conversation or actions that might seem innocuous—such as keeping someone’s healthcare records in the same unlocked file cabinet as their other employment records—can lead to a HIPAA violation. And from there, to a hefty fine and potentially more serious consequences.
HIPAA training is crucial to any company or organization that has employees who handle protected health information. For the untrained, it’s surprisingly easy to violate HIPAA directives—but the consequences can be steep.
Don’t let your employees be caught off guard when it comes to HIPAA violations. Improve your compliance by ensuring that your employees are protected—and so is your company.