Why your employees are the greatest risk to HIPAA compliance

Often, conversations about HIPAA violations center around technological issues. The remaining compliance violations are related to employee actions and behaviors.

By Jackie Roberson / Special to Healthcare Facilities Today


HIPAA violations are serious business. While officially, fines can run between $100 and $1.5 million for a single violation, the average violation is about $50,000. For healthcare providers specifically, HIPAA violations can also result in other sanctions up to and including the loss of license.

Because the consequences are so severe, HIPAA covered entities — which include any business that collects, stores, or transmits protected health information (PHI), even if it doesn’t provide patient care — spend a great deal of time and effort to adhere to HIPAA rules. That being said, despite those efforts, there is still one considerable risk to HIPAA compliance: employees.

The biggest risks to HIPAA compliance

Often, conversations about HIPAA violations center around technological issues. And rightfully so: on the list of the 10 most common HIPAA violations, issues involving technology or the storage of records fill nearly half the spots. These include failing to encrypt data, not securing it properly (both physically and in electronic form), hacking, and the loss or theft of devices. Other common violations include failing to dispose of data properly and not acquiring the proper authorizations for the release of data. For example, when releasing information to third parties, such as payment processors, providers must have authorization to do so.

The remaining compliance violations are all related to employee actions and behaviors. Now, saying that employees are a major risk to HIPAA isn’t to imply that your staff is willfully disregarding the rules and doing what they want anyway. In many cases, the violations are completely accidental, and your employee may not even realize that a mistake has been made until it’s too late. For example, an employee may inadvertently send the wrong patient’s information to the payment processor. Despite the action being accidental, the violation is still treated the same as a willful violation, underscoring the point that HIPAA is serious business.

Beyond those errors, then, what do employees do that violates HIPAA? According to compliance experts, the most common violations include:

  • Gossiping/Discussing Patients in Public Areas. Co-workers talk to each other. However, talking about the latest episode of “This is Us” in the breakroom is very different from talking about an individual’s PHI. Even when conversations are work-related, if they take place within earshot of individuals who aren’t authorized to learn the information, then it is considered a violation.

  • Unauthorized Access to PHI. Sometimes, employees will attempt to access records for nefarious or malicious purposes, such as gathering information to use against someone, or in the case of high-profile individuals, for the purposes of using that information for personal gain. In other cases, employees access information simply out of curiosity, or to help someone else out. Regardless of the reasons, accessing PHI without authorization is a serious violation.

  • Social Media. The growth of social media has added a new dimension to HIPAA, as many employees don’t even realize that certain behaviors are violations. For example, sharing information about a patient, even without his or her name, is a violation. Someone innocently sharing a story about their work day (good or bad) could inadvertently run afoul of the rules. Another issue is photographs. A photo of an employee lunch, for instance, that has patient information in the background, is a violation, as well as any photo that includes a patient without his or her consent. In short, social media has increased the potential for violations, by creating yet another forum for them to take place.

Following the rules

Complying with HIPAA guidelines needs to be a top priority for any business dealing with PHI, and that means thoroughly training employees from day one in how to avoid violations. Many businesses treat HIPAA compliance training as a “one and done” exercise, providing an overview of HIPAA and some tips on how to keep data safe.

However, training needs to be more detailed and needs to thoroughly explain what HIPAA is, and employees need to be retrained on a regular basis to keep their knowledge fresh and help them understand how even innocent actions can have serious consequences. Educating employees about the seriousness of HIPAA violations, the extent of fines and sanctions, and best practices can help prevent many problems.

Try running role-playing exercises, for example, in which employees identify noncompliant activities and practice the correct way to protect information. Create a culture of compliance, and encourage all employees to report potential issues as soon as they see them so corrective action can be taken. When you do, you won’t have to worry about your employees being a risk — and you can focus on the risks that are out of your control.

Jackie Roberson is a content coordinator with Seek Visibility.

November 28, 2017


Topic Area: Security
