March 15th, 2019
The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. Jail time for HIPAA violations is more commonplace than most people realize.
Former New York Dental Receptionist to spend 2 – 6 years in jail for accessing and disclosing protected health information from her place of employment.
For 6 months, the aforementioned dental receptionist accessed patient information from the dental practice and provided it to a third party via unsecured email. The third party then used the information for identity theft.
You don’t want to think that this scenario will ever happen to your practice or that your employees will ever go rogue. Unfortunately, something like this can happen again, and without the right processes established or safeguards implemented, your ability to respond quickly and appropriately will almost certainly be hindered.
Employees snooping through patient medical records or stealing patient information is a substantial risk that needs to be addressed within a practice. Employee mistakes and malicious actions are among the leading causes of data breaches reported to the federal government, resulting in HIPAA violations, fines and even criminal penalties. We all too often see that dental practices have a very limited HIPAA Compliance Program, if any at all. In fact, it is not uncommon to see practices that have never trained employees on HIPAA or have no written and implemented policies and procedures.
In today’s world, there is no excuse for not having a complete HIPAA Compliance Program. If a Dental Practice is investigated by the Office for Civil Rights (OCR) of the Department of Health and Human Services and there is not an established HIPAA Compliance Program, the Dental Practice may be assessed a HIPAA Fine and/or a Corrective Action Plan.
Here are a few simple steps to take to help prevent and mitigate an issue, such as the one above, from occurring.
Step 1: Develop appropriate HIPAA Policies and Procedures
I know, we are all busy and the last task anyone wants to do is sit down and write HIPAA Policies and Procedures. It can be time consuming and a challenge when a practice doesn’t know and understand the regulations; however, in the scenario above, policies and procedures could actually be a necessary safeguard in the defense against a data breach lawsuit or an OCR investigation. Dental practices must have written policies and procedures that define the appropriate use and disclosure of protected health information as well as processes for reviewing electronic access to patient information. The foundation of a strong HIPAA compliance program is a complete set of practice-specific policies and procedures.
Step 2: Apply Least-Privileged Access
Limiting the information that a workforce member can see in an electronic system is an essential step in the protection of patients’ information. Workforce members should only gain access to information on patients when it is needed to do their job. For example, if an individual doesn’t have a business need to know a social security number, best practice would limit the visible social security number to the last 4 digits or block access altogether.
Step 3: Conduct Information Activity Reviews on Audit Logs
Most software systems, especially electronic health records (EHR) programs, produce audit logs. The audit logs record when workforce members accessed a specific patient’s electronic information and what they did in the chart (viewed, created, deleted, etc.). HIPAA requires that these audit logs be regularly reviewed to ensure that access to patients’ information is appropriate and meets business needs. If you are unsure or unaware of the audit logs produced by your electronic systems, consider working with an IT Managed Service Provider that specializes in HIPAA.
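To make Steps 2 and 3 concrete, here is an added example (not code from the original post or from any EHR vendor) that applies a hypothetical role-to-field policy to mask SSNs for roles without a business need and then runs an information activity review over a few constructed audit-log lines, flagging field accesses outside a role and users who open an unusually high number of distinct charts in a day. The log format, role names, field names and threshold are all assumptions for illustration.

```python
"""Added example: least-privilege SSN masking plus a simple audit-log review."""
from collections import defaultdict

# Constructed sample EHR audit log (not real data):
# timestamp user role patient action field
AUDIT_LOG = """\
2019-03-01T08:02:11 jdoe receptionist P1001 viewed ssn
2019-03-01T08:03:40 jdoe receptionist P1002 viewed ssn
2019-03-01T08:05:02 jdoe receptionist P1003 viewed ssn
2019-03-01T09:10:55 asmith hygienist P1001 viewed chart
2019-03-01T09:12:13 asmith hygienist P1002 viewed dob
2019-03-01T10:30:00 drlee dentist P1003 viewed ssn
"""

# Hypothetical policy: chart fields each role may view in full (Step 2).
ROLE_FIELDS = {
    "dentist": {"ssn", "dob", "address", "insurance", "chart"},
    "hygienist": {"dob", "chart"},
    "receptionist": {"dob", "address", "insurance"},  # SSN limited to last 4
}
# Distinct charts per user per day that warrant a closer look (assumed value).
PATIENT_THRESHOLD = 3


def mask_ssn(ssn, role):
    """Roles without a business need for the SSN see only its last 4 digits."""
    if "ssn" in ROLE_FIELDS.get(role, set()):
        return ssn
    return "***-**-" + ssn[-4:]


def parse_log(text):
    """Parse the whitespace-separated constructed log into dict rows."""
    keys = ("ts", "user", "role", "patient", "action", "field")
    return [dict(zip(keys, line.split())) for line in text.strip().splitlines()]


def review(rows, threshold=PATIENT_THRESHOLD):
    """Step 3: return findings for out-of-role field access and high-volume users."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for r in rows:
        if r["field"] not in ROLE_FIELDS.get(r["role"], set()):
            findings.append(("out_of_role_field", r["user"], r["patient"], r["field"]))
        charts_per_user_day[(r["user"], r["ts"][:10])].add(r["patient"])
    for (user, day), patients in sorted(charts_per_user_day.items()):
        if len(patients) >= threshold:
            findings.append(("high_volume", user, day, len(patients)))
    return findings
```

Running `review(parse_log(AUDIT_LOG))` on the sample flags the receptionist three times for viewing the SSN field and once for opening three distinct charts in one day, while the hygienist and dentist produce no findings.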
Step 4: Employee Training
HIPAA training is one of the least popular tasks for a practice; however, it is an essential step in setting up your workforce as well as your practice for success. Workforce members should have a high-level understanding of what the HIPAA regulations are and understand how your practice is protecting the information that is provided by your patients. Annual HIPAA Training with periodic HIPAA educational updates throughout the year will keep HIPAA in the forefront of your workforce’s mind and support the protection of patient information.
Patients come to you to get the care that they need. They provide you with a lot of valuable information that they trust you are going to keep confidential and protect. Don’t let your patients down and put your practice at risk by not taking the time to comply with the HIPAA regulations. They were established to protect the patients and the information they trust you with. Take the time so you don’t end up on the Wall of Shame.
Solving The Rest Of The Puzzle
Of course, the steps above are not the only requirements of HIPAA. They are but one piece of a much bigger, much more complicated puzzle. We’ve put together a handy (and free!) HIPAA Compliance Checklist to help organizations get started on their HIPAA Compliance journey, but when the stakes are as high as they are with HIPAA you may not want to go it alone. Protostar offers a full HIPAA Compliance package to help organizations of all sizes obtain and maintain compliance.