What Constitutes a HIPAA Violation?
Updated: Jul 11
Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure.
"For large organizations, the most common uses of the cloud are for hosting analytics applications and data (48%), hosting financial applications and data (42%), for operational applications and data (42%), and HR applications and data (40%). 38% were using the cloud for disaster recovery and backups".1
It is very important that you avoid some of the most common HIPAA violations:
Sending texts containing PHI.
Improper mailing or emailing of PHI.
Failure to monitor and maintain PHI access logs.
The omission of a HIPAA-compliant Business Associate (BA) agreement with vendors before allowing access to the information system containing PHI.
Accessing patient information on a personal device or home computer.
Inadequate or missing limits on who may view PHI.
Failure to remove access authorization to employees who no longer have a reason to access PHI.
Insufficient training, leaving employees unaware of the many HIPAA requirements and guidelines.
Lack of documentation of HIPAA compliance efforts.
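Two of the violations listed above, failing to monitor PHI access logs and failing to remove access from employees who no longer need it, can be checked mechanically if the access logs and the authorization roster are available in machine-readable form. The following is an added example, not code from the original page or from any vendor; the log format, field names, sample roster and managed-device inventory are all constructed assumptions. It also flags access from a device that is not in the managed inventory, which covers the "personal device" item in the same list.

```python
"""
Added example (not part of the original page): audit constructed PHI
access-log lines for access by accounts whose authorization has ended
(or was never recorded) and for access from unmanaged/personal devices.
Log layout, field names, roster and device inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, user, device id, patient record, action
SAMPLE_LOG = """\
2024-05-01T09:02:11Z,jdoe,WS-0412,MRN-10021,view
2024-05-01T09:15:40Z,asmith,WS-0207,MRN-10022,export
2024-05-01T22:48:03Z,asmith,PERSONAL-LAPTOP-7,MRN-10022,view
2024-05-02T08:00:05Z,tlee,WS-0098,MRN-10030,view
"""

# Constructed roster: user -> date authorization ended (None = still authorized).
# tlee left on 2024-04-30 but the account was never disabled.
AUTHORIZATION_END = {
    "jdoe": None,
    "asmith": None,
    "tlee": datetime(2024, 4, 30),
}

# Constructed inventory of managed workstations; anything else is treated as
# an unmanaged (personal) device.
MANAGED_DEVICES = {"WS-0412", "WS-0207", "WS-0098"}


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    device: str
    record: str
    reason: str


def parse_log(text):
    """Yield (timestamp, user, device, record, action) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, record, action = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, device, record, action


def audit(log_text, auth_end=AUTHORIZATION_END, managed=MANAGED_DEVICES):
    """Return a list of Finding objects, in log order, for each policy violation."""
    findings = []
    for ts, user, device, record, action in parse_log(log_text):
        if user not in auth_end:
            # No authorization record at all: should never be able to reach PHI.
            findings.append(Finding(ts, user, device, record, "no authorization on file"))
        elif auth_end[user] is not None and ts >= auth_end[user]:
            # Authorization ended before this access: access was not revoked in time.
            ended = auth_end[user].date().isoformat()
            findings.append(Finding(ts, user, device, record, "authorization ended " + ended))
        if device not in managed:
            # PHI touched from a device outside the managed inventory.
            findings.append(Finding(ts, user, device, record, "unmanaged device"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.user} {f.device} {f.record}: {f.reason}")
```

Running this over the constructed log reports two findings: asmith viewing a record from an unmanaged laptop, and tlee accessing PHI two days after authorization ended. In practice the roster and inventory would come from the HR and asset-management systems rather than from literals, and the audit would run on a schedule so that the log review the list calls for actually happens.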
Lost or Stolen Devices
If any device belonging to a person who has access to PHI is lost or stolen, it is a direct violation of HIPAA. That is why it is vitally important to keep track of your mobile devices. It is also worth having remote-wipe systems in place in case a device goes missing.
Employee Disclosure of PHI
Discussing a patient’s condition, medications, or any personal data with co-workers or friends is a direct violation of HIPAA regulations.
Improper Disposal of Medical Records
Electronic information that is deleted must be tracked and logged. When in doubt, employees should seek the advice and training of their IT or compliance team to properly dispose of PHI records.
Mishandling of Records
Photocopiers are a high-risk zone for mishandling of PHI.
Most photocopiers feature a storage drive that saves and collects a document to let employees retrieve it at their desk or to re-print at a later time. If the person creating the resulting document forgets to close their session, the following employee
Failure to Conduct a Risk Analysis
The HIPAA Security Rule, enforced by HHS, mandates that healthcare organizations perform a risk analysis. The risk analysis helps organizations identify threats and vulnerabilities in their information systems. If the results indicate issues with the confidentiality, integrity, or availability of electronic PHI held by the organization, the organization can correct them. Left uncorrected, the findings may result in HIPAA violations.
Bear in mind that the top benefits for healthcare organizations migrating to the cloud are performance and reliability, ease of management, total cost of ownership, and infrastructure agility.
Contact Us to become HIPAA Compliant! Our team of security experts can help you!