Here is a list of common HIPAA violations that we find while performing a HIPAA Risk Assessment:
Using Dropbox to store PHI
Everyone loves Dropbox! It is simple, easy to use and convenient, and it makes backing up and sharing data very easy. Unfortunately Dropbox will not sign a Business Associate Agreement (see below), so it is not an acceptable place to keep Protected Health Information (PHI). Use Dropbox for personal files, but do not store PHI on it.
Sending PHI via email without encryption
Encryption is an “addressable” implementation specification under the HIPAA Security Rule rather than a “required” one: you must either implement it or document why it is not reasonable and appropriate for you and put an equivalent alternative in place. In practice, if you are going to transmit (send) PHI via email it should be encrypted. Sending unencrypted email is like sending a postcard: there is no envelope, and anyone who handles it along the way can read the contents. Encrypting the email puts it in a sealed envelope that only the recipient can open. Be aware that not all “encrypted email” is the same: transport encryption (TLS between mail servers) only protects the message hop by hop and leaves it readable on every server and mailbox it passes through, while end-to-end encryption (S/MIME, PGP, or a secure message portal that emails only a link) keeps it sealed until the recipient opens it.
According to the HHS Security Standards: Technical Safeguards (PDF) guidelines:
Using Yahoo, AOL or Free Gmail to send PHI
The HIPAA Omnibus Rule expands the definition of HIPAA Business Associates to cover cloud providers that store or transmit PHI on a Covered Entity’s behalf, even if they never look at it. Such providers include Google, Yahoo, AOL, Amazon, Microsoft (and Dropbox – see above). As HIPAA Business Associates, cloud providers are required to sign Business Associate Agreements (BAA) with Covered Entities. Unfortunately Yahoo, AOL and Dropbox will not sign a BAA. Google will sign a BAA if you use the paid Google Apps service. So if a practice uses free Gmail, Yahoo or AOL for email and PHI is stored in or sent through those accounts, that is a HIPAA violation.
Sharing accounts or passwords to access PHI
Anyone who accesses PHI must do so under a unique user identification, so that every access can be traced back to one person. User accounts and passwords must not be shared; a shared login also makes the audit logs discussed below useless, because they can no longer tell you who actually looked at a record.
According to the HHS Security Standards: Technical Safeguards (PDF) guidelines:
Not reviewing audit logs
There are more and more stories of hackers, or of employees, accessing PHI inappropriately or stealing it for illegal activity. Without reviewing the audit logs of access to PHI, an organization may never realize that PHI is being accessed inappropriately. The HIPAA Security Rule requires audit controls on systems that hold electronic PHI and a regular information system activity review, which means someone must actually read those audit logs on a schedule and follow up on what they find.
According to the HHS Security Standards: Technical Safeguards (PDF) guidelines:
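As an added example (not part of the original post), here is a small Python review of constructed EHR access-audit log lines. It illustrates both the shared-account problem above and the kind of log review the Security Rule expects: it flags an account used from several source addresses at once (a sign the login is shared), a user opening an unusual number of different patient records in a short time, and access outside business hours. The log format, the business-hours window, the five- and ten-minute windows and the 20-record threshold are all assumptions; tune them to your own system.

```python
"""Review constructed PHI access-audit log lines for three warning signs.

Example code written for this article; the log format below is an assumption,
not the format of any particular EHR product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumption)
SHARED_WINDOW = timedelta(minutes=5)   # one login, several IPs within this -> shared account
BULK_WINDOW = timedelta(minutes=10)    # distinct records opened within this window
BULK_THRESHOLD = 20                    # more than this many -> possible snooping/export

# Constructed sample log (not from a real system). One event per line:
# timestamp user source_ip action record_id
SAMPLE_LOG = """\
# timestamp            user       source_ip   action record
2014-03-03T08:05:12 jsmith     10.1.1.20   VIEW   MRN0001
2014-03-03T08:07:40 jsmith     10.1.1.20   VIEW   MRN0002
2014-03-03T08:09:03 frontdesk  10.1.1.31   VIEW   MRN0003
2014-03-03T08:09:15 frontdesk  10.1.1.32   VIEW   MRN0004
2014-03-03T08:09:30 frontdesk  10.1.1.33   VIEW   MRN0005
2014-03-03T22:15:00 jsmith     10.1.1.20   VIEW   MRN0010
"""
# Constructed burst: bjones opens 25 different charts in about four minutes.
SAMPLE_LOG += "".join(
    f"2014-03-03T13:{i // 6:02d}:{(i % 6) * 10:02d} bjones 10.1.1.40 VIEW MRN{100 + i:04d}\n"
    for i in range(25)
)


def parse_log(text):
    """Parse the whitespace-separated format above into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "record": record})
    return sorted(events, key=lambda e: e["ts"])


def _by_user(events, action=None):
    grouped = defaultdict(list)
    for e in events:
        if action is None or e["action"] == action:
            grouped[e["user"]].append(e)
    return grouped


def _sliding_windows(evs, width):
    """Yield the list of events inside a trailing window of `width` for each event."""
    window = deque()
    for e in evs:
        window.append(e)
        while e["ts"] - window[0]["ts"] > width:
            window.popleft()
        yield list(window)


def find_shared_accounts(events):
    """Flag an account seen from more than one source IP inside SHARED_WINDOW."""
    findings = []
    for user, evs in _by_user(events).items():
        for window in _sliding_windows(evs, SHARED_WINDOW):
            ips = {w["ip"] for w in window}
            if len(ips) > 1:
                findings.append(("shared_account", user,
                                 f"{len(ips)} source IPs within {SHARED_WINDOW}"))
                break
    return findings


def find_bulk_access(events):
    """Flag a user who views more than BULK_THRESHOLD distinct records in BULK_WINDOW."""
    findings = []
    for user, evs in _by_user(events, action="VIEW").items():
        for window in _sliding_windows(evs, BULK_WINDOW):
            records = {w["record"] for w in window}
            if len(records) > BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(records)} distinct records within {BULK_WINDOW}"))
                break
    return findings


def find_after_hours(events):
    """Flag every access outside BUSINESS_HOURS; each one needs a documented reason."""
    return [("after_hours", e["user"], f"{e['record']} at {e['ts'].isoformat()} from {e['ip']}")
            for e in events if e["ts"].hour not in BUSINESS_HOURS]


def review(text):
    """Run all three checks and return (rule, user, detail) findings for follow-up."""
    events = parse_log(text)
    return find_shared_accounts(events) + find_bulk_access(events) + find_after_hours(events)


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:15} {user:10} {detail}")
```

On the constructed log this reports the `frontdesk` login as a shared account, `bjones` for bulk access and `jsmith` for an after-hours view; each finding is a lead for a person to investigate and document, which is the part of “periodic review” that the Security Rule actually cares about.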
Not training employees on HIPAA security
The HIPAA Security Rule requires that all workforce members receive security awareness training on how to protect PHI. Organizations must also provide periodic retraining and security reminders so that employees continue to understand the risks to PHI and how to protect it. Looked at another way, training is not “one and done”! Organizations must continue to train and retrain employees. Training employees on HIPAA security is one of the best ways to protect PHI.
Next Steps
Is your organization guilty of some or all of the above HIPAA violations? With increased HIPAA enforcement coming, now is a good time to ensure that you are HIPAA compliant. The good news is that complying with the HIPAA Security and Omnibus Rules does not have to be expensive or complex but it does require an organization to take HIPAA requirements seriously.
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!