How to Avoid Breaking HIPAA Compliance
HIPAA violations can go unnoticed for months – even years – before being discovered. According to Buck’s recent HIPAA Readiness Survey, a jaw-dropping 42% of respondents either (a) didn’t know when their company last performed a risk or threat analysis, or (b) indicated their company last performed an analysis between one and five years ago. That’s asking for trouble. You don’t know what you don’t know. So, if you’re not orchestrating company-wide risk assessments, you might be violating HIPAA – without even knowing it.
Three Risky Behaviors That Can Lead to a HIPAA Violation
To be HIPAA compliant, you don’t need to be perfect. Perfection is impossible – and the U.S. Department of Health and Human Services knows that breaches will occur. The goal of HIPAA isn’t to eliminate risk; it’s to mitigate risk as much as possible.
Inability to Perform Enterprise-Wide Risk Analysis
We might as well start with the largest data breach in U.S. history. In October 2018, Anthem, Inc. agreed to pay $16 million and implement a robust corrective action plan to settle extensive HIPAA violations. Anthem was the target of a series of cyberattacks, which exposed the electronic protected health information (ePHI) of over 78 million people. One of Anthem’s HIPAA violations was failing to conduct an enterprise-wide risk analysis.
To ensure HIPAA compliance, companies must perform recurring comprehensive risk analyses. Otherwise, they risk systemic vulnerabilities falling through the cracks – until the fateful day when a hacker exposes them.
Noncompliant Business Associate Agreements
If your company provides PHI to certain vendors, you must have a HIPAA-compliant business associate agreement in place. Keyword: HIPAA-compliant.
Just because you have an agreement with a certain vendor, it doesn’t mean it’s HIPAA-compliant.
In March 2016, North Memorial Health Care settled potential HIPAA violations after (1) failing to implement a business associate agreement with a vendor, and (2) failing to perform an enterprise-wide risk analysis (see, these are common mistakes!). The damage? A $1.55 million payment and a corrective action plan.
To avoid hefty fines, make sure your agreements are HIPAA-compliant.
Disclosing PHI without Consent
In April 2016, New York Presbyterian Hospital agreed to settle potential HIPAA violations after disclosing the PHI of two patients to news outlets. In addition to following a corrective action plan, New York Presbyterian Hospital had to pay a $2.2 million fine. Unauthorized disclosure of PHI is a common HIPAA violation.
Handling PHI requires significant care and knowledge of HIPAA privacy rules. That’s why it’s important to mandate recurring HIPAA training for employees, as they should know to obtain written consent before disclosing PHI.
For a detailed list of notable HIPAA violations and penalties over the last few years, check out this link.
Secure, Compliant, and Personalized Communications from Sepire
If you’re in need of a HIPAA-compliant direct mail vendor to help you connect and communicate with patients, look no further than Sepire. We’re experts in the print space, and have the certifications to prove it.
Sepire’s security protocols, proprietary technology workflow and WBENC certification provide a true differentiator in the marketplace – and they provide you with a vendor that places your and your customers’ best interests as a top priority. As an expert in the healthcare direct mail space, Sepire carries all the required certifications you need from your vendors—and a few others that set us apart.
Contact us to learn how our proprietary technology workflow safeguards your customers’ data.