The Health Insurance Portability and Accountability Act (HIPAA) outlines the rules and regulations for the protection of health information in the US. The HIPAA privacy and security rules dictate the appropriate use of protected health information (PHI) and storage best practices.
The regulation makes patient privacy and data security a priority for the whole health industry, and the reason to comply goes well beyond avoiding a HIPAA violation. Despite that, data security still goes wrong. Breaches and HIPAA violations are not uncommon, and they harm both the affected individuals and the HIPAA-covered entity.
The causes range from accidental, such as simple human error, to neglectful, such as poor software security. Each of them, however, has known preventative measures.
Poor privacy safeguards could result in extensive fines, criminal penalties, and damage to the business. Therefore, it’s critical to be aware of the most common HIPAA violations, what mistakes are often made, and how you can prevent them. Here are just a few common HIPAA violation examples.
Human error is perhaps the most challenging HIPAA violation to overcome. Unfortunately, there is always going to be an element of risk when people handle personal data. The key to preventing mistakes is to implement as many preventative measures as possible.
Some examples of human error breaches include:
Incorrect disposal of PHI
Phishing links
Loss of devices
Poor personal security practices
Mistaken data
Mistaken data is one of the more common causes of human-error HIPAA violations. For example, two patients might share the same name or the same date of birth, so the wrong record is pulled up and one patient's information is handed to the other, or the two records are mixed up. That is a breach of privacy, and it damages the integrity of the health organization's records. It is a simple mistake, but it has dramatic consequences.
In 2016, an Illinois healthcare system was penalised for a data breach that included the theft of an unencrypted laptop from an employee's car. It agreed to pay $5.5 million, as around four million people were affected. An employee's carelessness resulted in huge financial losses, but the loss only became a breach because the data on the device was readable.
There are ways to reduce human error as far as possible. The diligence of employees is crucial, but technical measures such as firewalls, access controls and other IT security systems should limit access to private data to the minimum necessary. They also make access auditable: every read of a record is logged with who accessed it and when, so that mistakes and misuse can be detected after the fact.
Human error can never be eliminated completely, so digital health solutions should be built so that a single mistake does not expose PHI. The most important control for lost or stolen devices is full-disk encryption: under the HIPAA Breach Notification Rule, PHI that has been encrypted in line with HHS guidance is not "unsecured PHI", so the loss of a properly encrypted laptop or USB drive whose key was not also lost is not a reportable breach, whereas the loss of an unencrypted one is.
In health care, once again, people handle the majority of data and its transfer between healthcare organizations. The most common security barrier between people and electronic databases is the password or other log-in credential. Log-in systems are what allow data access to be monitored and user permissions to be changed.
The challenge with log-in credentials is twofold. Firstly, the credential system itself needs effective security measures: a sensible password policy, rate limiting and lockout on repeated failures, and two-factor authentication for anyone who can reach PHI.
Secondly, credential security is also reliant on the individual user, who ultimately chooses their own password. Credential weaknesses typically lie in the passwords of critical users, such as administrators and clinicians with broad access. Make the importance of strong, unique passwords clear, and consider an organization-wide mandate to use a password manager, or enforce strict password criteria centrally rather than relying on each person to follow them.
Ensure that passwords are not saved anywhere that does not fall under your company's security controls, such as personal note apps, shared spreadsheets or sticky notes. Even the strongest password is ineffective if it can be read somewhere else.
A cancer center in Texas had a $4.3 million civil money penalty upheld after USB thumb drives holding PHI were lost. The drives were not encrypted, even though the center's own policy required encryption.
In the first instance, passwords and log-in credentials are the only barrier between a user and patient data. A failure of this single control opens databases up to HIPAA violations and breaches of critical data. The simplicity of the mechanism is precisely why this is such a common HIPAA violation.
Breaches may also come at the hands of external factors. While the human element of data security is a risk, it’s just as important to protect against phishing and hacks from those outside of your organization.
In 2021, the ten biggest healthcare data breaches all resulted from hacking or phishing attacks, and some also led to separate HIPAA violation penalties. In these cases the organization's own servers were the target. Attackers understand that the weakest security in the healthcare industry is often found inside the facilities themselves.
The HIPAA regulations outline a set of security measures for the protection of electronic PHI. The Security Rule includes physical, administrative and technical safeguards, and these can be used as a guide for protecting healthcare databases. They cover database encryption, physical security of the systems holding PHI, limiting exposure, and more. Note that encryption of PHI at rest and in transit is an "addressable" specification rather than a "required" one: that does not make it optional. A covered entity must either implement it or document why an alternative measure is reasonable and appropriate, and in practice almost every enforcement case involving a lost or stolen device turns on the data not being encrypted.
The Security Rule also requires a documented risk analysis, and risk assessments are the main way to identify vulnerabilities before an attacker does. This is especially important during the development of digital health solutions, when the architecture can still be changed cheaply. Removing the weaknesses before they are exploited is the best form of defence against attacks like this.
Issues with access controls and database permissions can also create breaches of data. Access controls dictate who, and at which levels of the healthcare organization, can access PHI. In theory, only the people who need to see a given category of data have access to it, and the default for everyone else is no access.
For example, specialist physicians may benefit from access to MRI scans or medical procedures. However, the receptionists and administrative assistants are less likely to need this information.
In digital health development projects, heads of the projects may need access to a group of healthcare data. This may be to run experiments using their solution, or to provide a data set for the production of the solution. However, individual engineers do not need to access this private health information.
In these cases, access controls dictate the appropriate parties and their level of access to PHI. However, mistakes or miscommunication around these can result in a data breach or HIPAA violation. Incorrect permissions may be granted, or permissions may not be withdrawn when a project ends or a person changes role. Any occasion where PHI is available to the wrong person, or at the wrong time, is an impermissible disclosure and potentially a reportable breach.
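The three points above (deny by default, different levels of access for physicians, reception staff, project leads and engineers, and permissions that lapse when a project ends) can be expressed as a small, auditable access-control layer. The following is an added example for this article, not Vertrical's code or part of any real product; the role names, record categories, user names and timestamps are all constructed for illustration. It shows a deny-by-default role check, grants that always carry an expiry so that nothing has to be remembered to be withdrawn, an audit log of every decision, and a report of grants that have lapsed.

```python
"""Deny-by-default, time-bounded access control for PHI, with an audit log.

Added illustration for the article, not Vertrical's code. Every role,
record category, user and timestamp below is a constructed example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# What each role may read. Anything not listed is denied (deny by default).
# Role names and record categories are assumptions made for this example.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "physician": {"demographics", "imaging", "procedures"},
    "reception": {"demographics"},
    "dev_lead": {"imaging"},   # a limited data set for building a solution
    "engineer": set(),         # individual engineers get no PHI at all
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    expires: datetime  # every grant ends; there are no open-ended grants


@dataclass
class AccessControl:
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def add_grant(self, user: str, role: str, duration: timedelta, now: datetime) -> None:
        """Grant a role for a fixed period; unknown roles are rejected outright."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.grants.append(Grant(user, role, now + duration))

    def active_roles(self, user: str, now: datetime) -> set[str]:
        """Roles whose grant has not yet expired at time `now`."""
        return {g.role for g in self.grants if g.user == user and g.expires > now}

    def check(self, user: str, record_type: str, now: datetime) -> bool:
        """Decide whether `user` may read `record_type`, and log the decision.

        A user with no active grants (including an unknown user) has no roles,
        so `any()` over an empty set yields False: deny by default.
        """
        allowed = any(record_type in ROLE_PERMISSIONS[r] for r in self.active_roles(user, now))
        self.audit_log.append(
            {"ts": now.isoformat(), "user": user, "record": record_type, "allowed": allowed}
        )
        return allowed

    def stale_grants(self, now: datetime) -> list[Grant]:
        """Grants that have lapsed; useful for a periodic access review."""
        return [g for g in self.grants if g.expires <= now]


def run_demo() -> dict:
    """Walk through the scenarios from the article with constructed users."""
    ac = AccessControl()
    day0 = datetime(2024, 3, 1, 9, 0)          # constructed timestamp
    ac.add_grant("dr_lee", "physician", timedelta(days=365), day0)
    ac.add_grant("pat_desk", "reception", timedelta(days=365), day0)
    ac.add_grant("sam_lead", "dev_lead", timedelta(days=30), day0)   # project window
    ac.add_grant("eve_eng", "engineer", timedelta(days=30), day0)
    day31 = day0 + timedelta(days=31)           # the project has ended

    results = {
        "physician_imaging": ac.check("dr_lee", "imaging", day0),
        "reception_imaging": ac.check("pat_desk", "imaging", day0),
        "reception_demographics": ac.check("pat_desk", "demographics", day0),
        "engineer_imaging": ac.check("eve_eng", "imaging", day0),
        "dev_lead_imaging_day0": ac.check("sam_lead", "imaging", day0),
        # Nobody had to remember to revoke this: the grant simply lapsed.
        "dev_lead_imaging_day31": ac.check("sam_lead", "imaging", day31),
        "unknown_user": ac.check("nobody", "demographics", day0),
    }
    results["stale_after_31_days"] = sorted(g.user for g in ac.stale_grants(day31))
    results["denied_count"] = sum(1 for e in ac.audit_log if not e["allowed"])
    results["audit_entries"] = len(ac.audit_log)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design choice worth copying is that there is no "grant forever" path: a project lead's access to the imaging data set ends on the date the project was expected to end, and a periodic review of `stale_grants()` surfaces anything that should have been cleaned up. The audit log records denials as well as successes, which is what lets you spot a receptionist repeatedly trying to open imaging records, or an engineer probing for PHI, long before it becomes a breach.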
At Vertrical, we understand the importance of compliance. Not only does it protect you from hefty fines and penalties, but it protects the trust in your organization. We have teams of compliance experts that work alongside our qualified digital health engineers. Get in touch today to discuss your compliance requirements for your next digital health development project.