3 Common HIPAA Violations

While the Health Insurance Portability and Accountability Act (HIPAA) has been a driving force protecting patient information for more than two decades, HIPAA violations continue to occur – especially as companies disassemble data silos and embrace the cloud in the name of digital transformation.

But isn’t the cloud more secure than paper documents? Why do these vulnerabilities continue to exist?

Most providers, healthcare leaders and IT professionals are still using workarounds to share data with third parties in such a way that intends to protect the Personally Identifiable Information (PII) and Protected Health Information (PHI) of each record. That word intention is key.

While these workarounds are prevalent, they’re imperfect at best and the risks and vulnerabilities continue to exist. It doesn’t have to be that hard. So why is it?

Stewarding Patient Data: What’s at Stake

When adding up all of the costs associated with lost business, detection and escalation, and post-breach response, highly regulated industries have the highest per-record cost of data breach. Healthcare comes in at an average per-record cost of $359, followed by education ($294), pharmaceutical ($227), and financial ($206).

Far from a slap on the wrist, penalties for HIPAA violations ripple through an organization’s revenue cycle with devastating effects. But the worst damage isn’t monetary; in the wake of such violations, patient trust is irretrievably lost.

Roughly one-third of customers will stop doing business with organizations who’ve been breached. Victims of a financial breach experience immense distress and may even endure years of unforeseen consequences. But an individual whose PHI has been exposed suffers a loss of privacy and dignity that can’t be recouped. Sensitive medical conditions and histories can’t be put back in the box—they can’t be unlearned by strangers. Let alone the social stigma that could be associated with such revelations to a general public at large. Definitely not the warm fuzzies anyone or company would like associated with their namesake.

To mitigate this, we need to be aware of the top HIPAA violations, how to avoid them, and the role of emerging technology in bolstering data privacy.

HIPAA Violation No. 1: Internal Exposures (Unintentional or Otherwise)

Did you know the people who actually work with the sensitive patient data on a daily basis pose the greatest risk? It’s true. Whether it’s a sensitive email that should have never been sent or an authorization granted to someone who shouldn’t have it, inadvertent violations happen in a flash.

For example, in 2011, a prominent health system on the West Coast was fined $865,000 when it was discovered that a physician employee had been habitually browsing the medical records of celebrities and other patients without authorization. That employee spent four months in federal prison for their HIPAA violation. Now imagine trying to get hired at a new practice with this blemish on your record?

Even if you pride yourself on a culture that puts data stewardship front and center, it’s important to note that your team is still sharing data with third-party organizations who may or may not follow the same strict internal protocols. If those third-party systems are compromised, it’s possible in some cases for hackers to reverse-engineer shared data and unlock the original PHI you sought to protect.

HIPAA Violation No. 2: Failure to Conduct a Top-Down Risk Analysis

With medical data being some of the most sought-after information on the black market, the danger posed by cybercriminals remains high.

Regulators understand this; suffering a breach isn’t a violation itself, but it will trigger an investigation. If regulators then discover that your organization hasn’t been regularly conducting risk assessments to identify whether any vulnerabilities exist, you’ll be on the hook.

Case in point: a large health insurance company based in the Pacific Northwest was fined a whopping $6.85 million—the second largest-ever HIPAA penalty at the time—following the investigation of 2014 data breach. Regulators determined that the exposure of 10.4 million individuals’ electronic protected health information (ePHI) could have been prevented had the company run an organization-wide risk analysis to identify all risks and taken reasonable action to reduce those risks to an appropriate level.

But what does risk-reducing action look like in practice? As we’ll explore in the third most common violation, HIPAA gets technical.

HIPAA Violation No. 3: Failure to Safeguard Electronic PHI (ePHI) on Portable Devices

Given the severity of today’s cyber threats and the rapid evolution of digital technologies, it’s not uncommon for larger medical companies to employ 50+ data stewards. Of course, not every company has the bandwidth to invest so heavily in specialized sentinels.

When smaller medical companies begin moving data through the cloud and entering third-party partnerships to drive growth, their intentions for data stewardship may be pure… but the road to HIPAA violations are paved with good intentions.

A single device left unprotected can lead to the impermissible exposure of thousands of patients’ ePHI—and commensurate fines. This might be a cell phone, a tablet, or any other type of office touch-screen technology.

Device encryption isn’t mandated under HIPAA, but organizations must implement “an alternative, equivalent security measure” should they decide against it. Privacy preserving methods for devices are a must if this is to be avoided.

How the TripleBlind Solution Ensures HIPAA Compliance

Standard encryption is currently one of the most effective ways to prevent data breaches, but it necessitates the use of a decryption key that can be cracked. And in the event of a compromised key, HIPAA must be notified immediately.

TripleBlind’s privacy enhancing computation is indeed a paradigm shift—not just a workaround. Our solution delivers protection for data in use, enabling healthcare AI and analytics without data being shared. When you’re able to achieve desired outcomes while keeping patient data tucked away safely within your company, the ‘HIPAA compliance grey zone’ disappears.

Learn more about privacy enhancing computation

If your company is looking for a more proactive way to approach risk management and HIPAA compliance, yet still foster a community based on innovation and collaborative practices, contact us today to learn more about how our privacy technology is helping healthcare professionals remain steadfast in their commitment to security and patient privacy.