2020 was a busy year for the Department of Health and Human Services’ Office for Civil Rights (OCR). In addition to dealing with a pandemic, it resolved 19 HIPAA violation cases. Over $13 million in fines were paid, more than was settled in previous years, now that OCR can enforce HIPAA violations.
As a manufacturer of healthcare products, you need to ensure that the medical devices you sell comply with HIPAA regulations. If you are unaware you are in violation of HIPAA and there is a breach of patient data, you can still receive a fine.
Knowing the commonly violated HIPAA regulations is the first step in ensuring your healthcare products are up to code.
What are the Most Commonly Violated HIPAA Regulations?
It can be difficult to stay current on all the HIPAA regulation changes and common violations. Here are the often-violated HIPAA regulations you should concern yourself with as a manufacturer:
1. Securing Patient Records
When protected patient health information is stored on an electronic device, it must be encrypted and safeguarded. While encryption isn’t a mandatory regulation, it is an effective way to prevent data breaches.
In 2017, the Children’s Medical Center of Dallas had to pay a penalty of $3.2 million to address several HIPAA violations that spanned several years. An unencrypted BlackBerry device used by the facility, containing almost 4,000 patient records, was lost at the Dallas/Fort Worth International Airport in 2009. Additionally, in 2013, an unencrypted laptop holding over 2,400 patient records was stolen from the hospital.
The hospital knew the importance of encrypting patient information after what happened in 2009, yet it continued to distribute unencrypted devices to its staff. The hospital’s failure to act, and to document why its devices weren’t encrypted, resulted in hefty fines.
If you don’t encrypt patient records, you will need to use another security method. Installing antivirus software on medical devices and keeping it up to date will help protect against data breaches. Firewalls add another layer of protection, as do strong passwords that are changed regularly. You can also use advanced privacy tools such as fingerprint authentication for critical data.
2. Performing a Risk Analysis
If a company doesn’t perform a risk analysis routinely, it cannot determine where its vulnerabilities are. Potential risks then go unaddressed, leaving attackers able to access private patient information.
In 2020, Premera Blue Cross had to pay $6.85 million in fines for a data breach that affected 10.4 million people. A data breach occurred in 2014 when a hacking group accessed Premera’s patient information system for over nine months. The hackers installed malware through a phishing email and had access to Social Security numbers, bank information, and addresses. The investigation discovered that Premera did not conduct a routine risk analysis to find and reduce any potential risks and halt unauthorized access to patient records. Due to those factors, Premera had to start a plan of action to correct where they were noncompliant.
Conducting a regular risk analysis and taking the proper steps to address any risks will help you avoid receiving this HIPAA violation. Some necessary steps are:
- Figuring out what patient information your organization has access to and how it is stored/transmitted.
- Looking at what current security programs you have in place and if they’re adequate for protecting patient information.
- Evaluating where your company has vulnerabilities and the probability of a hacker accessing your patient systems.
- Based on how vulnerable you are and how likely you are to be attacked, determine your risk level.
- Document everything along the way, including how you will work to lower your risk.
3. Having Adequate Patient Information Access Controls
HIPAA requires that organizations limit access to patient records to authorized individuals. Not implementing proper controls is a common HIPAA violation and has severe financial consequences.
In 2018, Anthem had to pay $16 million in fines, the highest HIPAA penalty ever issued. Anthem failed to implement technical policies and procedures for its electronic health record (EHR) systems, allowing unauthorized individuals access to the information. It also did not perform a routine risk analysis to identify and address security risks, or detect security incidents, before the breach. The breach resulted in hackers having access to the data of 78.8 million people.
4. Having a Business Associate Agreement
As a medical device manufacturer, you’re classified as a business associate. You will need an up-to-date HIPAA business associate agreement with any vendor you work with that is provided with, or given access to, patient information.
Raleigh Orthopaedic Clinic, P.A. of North Carolina had to pay $750,000 in 2016 for not entering into a business associate agreement with a vendor before sending it patient information. The clinic sent the vendor X-ray images to be converted into digital files. The two parties came to an agreement over the phone, but nothing was put into writing, and the arrangement wasn’t HIPAA-compliant. In addition to the fine, Raleigh Orthopaedic had to enact a correction plan.
HIPAA Violation Penalty Tiers
There are different tiers to HIPAA violation penalties that you should keep in mind. The higher the tier goes, the higher the fine:
- First Tier: The organization didn’t know or couldn’t have known about the breach.
- Second Tier: The organization knew or could have known about the breach but did not act with willful neglect.
- Third Tier: The organization acted with willful neglect and they corrected the issue within 30 days.
- Fourth Tier: The organization acted with willful neglect and did not correct the issue promptly.
Take Precautions to Avoid HIPAA Violations Today
Following HIPAA regulations is essential for a manufacturer of medical devices. Failing to comply can have catastrophic results, from million-dollar fines to employment termination and prison sentences. Communicate often with your quality assurance, regulatory affairs, and development teams to make sure the proper protocol is followed when handling patient information. With everything being digitized these days, it’s vital to protect patient information and your company from any violations.
Share Moving Media is all about providing consistent healthcare tips, advice, and research.