Ensuring HIPAA compliance can be quite complex and cumbersome. However, it is ultimately needed to ensure that your organization is abiding by all the rules and regulations to safeguard PHI (Protected Health Information). By doing so, you are not only being responsible, but you are also saving yourself from hefty fines of up to a total of $1.5 million per year. Even with all that in mind, some HIPAA violation cases still occur, and these prompt the affected organizations to take drastic decisions. This article will focus on two examples and why continuous HIPAA compliance is necessary.
Two HIPAA violation cases
Chicago-based Lurie Children’s Hospital had repeated occurrences where employees accessed patient records without authorization. The first incident was detected in 2018. The employee had been accessing sensitive patient records without any valid reason for more than a year. After further monitoring, the hospital saw that the employee had accessed the records from 10th September 2018 to 22nd September 2019. As soon as the anomaly was detected, the hospital immediately restricted the employee’s access to all records. The sensitive information viewed was the patients’ names, addresses, DOB, medications, appointments, and other medical information. The hospital advised that there was no proof of misuse or release of the information related to the incident. The hospital terminated the employee after they detected the incident. Also, in accordance with HIPAA rules, the hospital notified the affected patients.
A similar incident occurred a few days ago at the same hospital. Another employee was caught accessing patient records without valid reasons on 5th March 2020. This time, the employee accessed sensitive patient records of over 4,824 individuals and had been doing so from November 2018 until March 2020. The data seen by the employee consisted of, but was not limited to, names, addresses, DOB, medical information like medications, and appointment schedules. After detecting the incident, Lurie Children’s Hospital restricted the employee’s access to all patient information. While conducting a thorough investigation, just like the previous incident, the hospital did not find any instance of misuse or disclosure of the records. However, the employee was terminated and Lurie Children’s Hospital is working on providing training to ensure that employees understand their job roles better and comply with HIPAA rules and regulations.
Mercy Health recently fired a few employees for multiple violations of the HIPAA Privacy Rule. The hospital claimed that the employees accessed multiple patient records without any valid reason for several days. The investigation is ongoing.
What can you do to prevent HIPAA violations?
One of the first and foremost things to do is provide training and ensure that all your employees clearly understand what their job entails and what they can and cannot access, explaining why it is crucial to safeguard PHI. The above HIPAA violation cases clearly show that the employees lacked a sense of responsibility and understanding and accessed the patients’ records without authority or reason. Employees need to know the details of HIPAA rules and regulations so that they can comply.
Another action you can take is to utilize HIPAA compliance software with a robust set of features. HIPAA Ready is a perfect solution as it ensures that all your employees receive training and have access to relevant HIPAA information – all the HIPAA data can be stored in a centralized location and can be accessed by authorized individuals. You can also manage training and scheduling, which you will need as HIPAA rules and regulations keep changing. You can conduct internal audits to see if there are any gaps or vulnerabilities in your system which might put your PHI or HIPAA compliance at risk. Simplify HIPAA compliance and remove the administrative burden with HIPAA Ready now.