Skip to Content
Close Icon

NewsHIPAA Lesson 1: Top Five Compliance Issues

By Dorothy de Souza Guedes, VGM Education

There are many ways to violate HIPAA, from intentionally snooping into medical records of a former spouse to carelessly tossing patient records into the trash or leaving a message about a treatment plan on the wrong phone number.

The financial ramifications of being found non-compliant can be staggering: settlements average$964,634 per complaint. In addition to civil money penalties, resolution agreements can include other costly obligations, such as technology upgrades.

Up to $50,000 coverage for investigation and defense of HIPAA violations is provided under the Professional Liability Enhancement endorsement available from VGM Specialty Underwriters, said John Pacitti, vice president, Allied Healthcare Division.

And remember, in addition to covered entities, business associates with access to patient information are also subject to HIPAA.

The violations resulting in corrective action, such as civil money penalties and a three-year period of monitoring, have remained fairly consistent since 2003. The top five are:

1. Impermissible uses and disclosures of protected health information

This can include disclosing to an employer information about an employee that was not authorized or placing a customer insurance card in the wrong customer’s prescription bag.

2. Lack of safeguards of protected health information

An Indiana health care institution agreed to pay $800,000 in June 2014 after OCR found employees had left 71 boxes of patient records unattended on a retiring physician’s driveway near a busy shopping area.

3. Lack of patient access to their protected health information

Patients have the right to access their PHI within 30 days of a request. A mental health facility was sanctioned for telling a patient they could only see their own records in session with a therapist. A private practice was found to be in violation of HIPAA for only providing a summary of medical records, but not the full record, to a minor’s mother.

4. Lack of administrative safeguards of electronic protected health information

Due to our ever-expanding use of technology in the health care setting, this is a growing area of violations.

An Anchorage mental health services provider was ordered to pay $150,000 in December 2014 after abreach caused by malware left unsecured the PHI of 2,743 patients. The culprit? Outdated, unsupported software.

5. Use or disclosure of more than the minimum necessary protected health information

This means only accessing the patient information you need to know to do your job. For example, a complaint was filed against a dental practice for using red stickers with “AIDS” on the outside of patient records that were visible to staff and other patients. There have been investigations involving a nurse practitioner looking at her ex-husband’s records and a medical assistant at a college clinic making a comment about the pregnancy of a well-known student-athlete.

A UCLA School of Medicine researcher was caught snooping into the medical records of his supervisor, celebrities, and others. His case highlights that violators of HIPAA can face criminal charges, and ignorance of the law is not a defense: After he was sentenced to four months in prison, an appeals court rejected his argument that he didn’t know his behavior was illegal.

HIPAA Training for Staff

Even if no one files a complaint against your organization, you may be audited because the U.S. Department of Health & Human Services (HHS) is required to perform periodic audits of both covered entities and business associates. The Office for Civil Rights (OCR), a division of HHS, is tasked with enforcing HIPAA’s Privacy Rule, the area of HIPAA that addresses saving, accessing, and sharing PHI and ePHI (PHI in an electric format).

Annual training of employees is a must, but how do you know if you’re learning the most current HIPAA information? VGMU Online Learning has a two-part series of HIPAA courses designed to teach the basics to anyone, even those not in health care. A third course focuses on the duties of a privacy officer, a role required by HIPAA to be in compliance. The courses are regularly updated by Jill Blaser, VGM Education design and development manager, who monitors OCR for updates.

Blaser also works closely with Rick Hibben, privacy and compliance adviser for VGM Homelink, who uses VGMU courses for both new employees and annual training.

“With a company our size, online training is the only way that we can ensure that our training requirements are met. It is important that any training requirements meet regulatory requirements,” Hibben said.

“Any updates that my coworker and I add to our HIPAA and General P&P are communicated by email to all staff members in order to keep them apprised of any changes that may affect them,” he added.

Hibben doesn’t stop with online training: New employees also go through face-to-face training during orientation on HIPAA to help them understand HIPAA requirements.

What you should know

  • Do you fall under HIPAA? (You are a covered entity.)
  • Should you have business associate agreements on file?
  • Need more information about insurance coverage for investigation and defense of HIPAA violations? Contact John Pacitti, vice president, Allied Healthcare Division, VGM Specialty Underwriters at 913-275-5050 or [email protected].
  • Is educating about HIPAA on your to-do list? VGMU Online Learning HIPAA classes are included in a VGMU subscription or can be purchased separately. For more information call Megan Kraft, team lead, VGM Education 888-786-6628.

Want to know more about OCR investigations that have resulted in fines or other enforcement?