Compliance Services
February 28, 2023
5 Minutes
It’s no secret that HIPAA is complex. It involves a lot of safeguards that healthcare organizations must implement to secure patient data, and keeping track of everything you need can be too much for inexperienced or understaffed IT or cybersecurity teams to handle. Some of these safeguards are very simple, some are more complicated, but they’re all necessary.
Additionally, there are so many safeguards now that it’s easy to let them slip through the cracks. To help sharpen your ability to spot a HIPAA violation, play the game below to see if you can identify simple HIPAA violations that occur every day at covered entities that can result in major consequences.
This scene takes place in the reception area of a clinic, which is a common place for HIPAA violations to occur because so much information is passed around between doctors, patients, administrators, and third parties in this space. See if you can spot all three HIPAA violations below!
With so many different types of people like third parties, patients, doctors, and more, the waiting area of a covered entity is often the site of many HIPAA violations. See if you can find the ones in the image above.
Failing to perform an organization-wide risk analysis is one of the most common HIPAA violations because it is a big task to audit an entire organization and not something a non-cybersecurity professional would think of.
Essentially, this risk analysis helps a healthcare entity understand where its biggest risks and vulnerabilities are that could expose PHI or threaten to expose it. Without an analysis, these vulnerabilities wouldn’t be recognized and, therefore, can’t be addressed and secured.
Organization-wide risk analyses are easy to push off due to their complexity. Your team may not understand what one actually entails, or may not have the necessary resources to complete it. But it’s a key part of becoming HIPAA compliant, and failure to perform one can result in million-dollar settlements and fines in the hundreds of thousands of dollars.
Misplacing devices is another common HIPAA violation, and it is easy to do given how many devices we use today. Leaving a tablet, computer, laptop, phone, or any other device that holds PHI or can access it out in the open is a definite HIPAA violation because it exposes PHI to risk. Devices left out in the open can be stolen, lost, or corrupted.
This is especially risky if you aren’t encrypting data (another HIPAA violation).
Fines for HIPAA non-compliance due to lost or stolen devices can be up to $1.5 million.
PHI should only be disclosed to authorized people (patients themselves, healthcare providers, administrators who need it to do their jobs, and authorized third parties). Any unauthorized disclosure is a violation of HIPAA and will result in a fine or other penalties.
Next, let's take a look inside an exam room. Can you spot the HIPAA violations in this scene?
HIPAA mandates that any unused documents containing PHI must be destroyed. This means that any papers, documents, folders, or anything else left in trash bins, recycling bins, dumpsters, or other receptacles is a violation. Instead, covered entities are expected to completely destroy these hard copies through burning, shredding, pulverizing, or similar means.
For electronic files, HIPAA requires covered entities to completely wipe hard drives or servers, rather than simply moving the files to your computer's recycle bin or an 'archive' folder.
All PHI must be secured. Whether it's encrypting digital files or shredding physical ones, HIPAA states that all PHI must be rendered unusable, unreadable, or indecipherable to unauthorized individuals.
Under HIPAA, patients have the right to access their own PHI. For a covered entity to deny access, they must provide a written denial. Denial of PHI must also be for a reason covered by HIPAA. Some grounds are reviewable by a third party, but others are not. For example, a denial is reviewable if a covered entity has determined that access to the requested PHI is reasonably likely to endanger the life or safety of a person or to cause substantial harm to a person.
It is unreviewable in specific circumstances like inmates requesting PHI from correctional institutions where it would jeopardize their recovery or health or when the PHI is being used in a legal proceeding or research study (in this case, the requestor would have had to agree to a suspension of their access rights).
Either way, all covered entities must have their denials in writing, in plain language, and aptly describe the basis for the denial.
Next, let’s examine some of the potential HIPAA violations that can occur in the back office of a covered entity. Can you spot every HIPAA violation in this scene?
Nurses, doctors, and other healthcare workers need to be careful where they speak about HIPAA-protected information. PHI spoken about too loudly and within earshot of non-authorized people can result in leaked information and a HIPAA violation.
These conversations need to be kept private and away from employees non-essential to treatment, office workers, other patients, third parties, guests, and anyone else who might be around the office area of a practice.
It’s not enough to secure PHI using encryption, locked file cabinets, or protected computers; you also must restrict access to these devices and places. Only people who are authorized to access the PHI should be able to reach it, even if they can’t get into whatever it’s stored in. This means having keycard-only access to storage facilities or rooms with computers that can access PHI, to ensure only authorized people can get to any of it.
Violation 3: Unencrypted Data
All PHI must be shared using devices and applications that send it securely using encryption. This means you should not be sending PHI via standard, unencrypted email or using devices that don’t have security controls installed.
HIPAA violations are not only costly because of huge fines and settlements; they also have major impacts on your public reputation, which can cost you existing patients and make finding new ones next to impossible.
The key to maintaining compliance and protecting yourself from these fines and reputational harms is to have the necessary safeguards in place to protect PHI. To help you understand exactly what you need, we’ve compiled every safeguard into one easy-to-use checklist. Download the checklist now and see what it takes to maintain compliance with HIPAA.