Patient privacy may be at top of mind when you’re faxing and emailing medical records, but breaches can (and do) still occur every day. With 2023 in the rear-view mirror, it’s a good time to take a look at the HIPAA breaches that struck healthcare entities over the past 12 months.
Check out three HIPAA breaches that occurred in 2023, along with tips on how you can avoid the same fate.
1. Practice Management Firm Leaves PHI Accessible to Internet
In May, an Arkansas business providing practice management and revenue cycle management services settled with the government for $350,000 following a data breach. At issue was a server that held the protected health information (PHI) of more than 230,000 people. The server was unsecure and accessible on the internet, the government said.
The information available on the internet include patient names, phone numbers, addresses, insurance info and even Social Security numbers in some cases. The organization not only had to pay a penalty, but also had to create a corrective management plan to prevent similar issues from occurring in the future.
How to avoid this fate: To avoid HIPAA breaches, every practice should be performing risk analyses throughout the year to ensure that PHI is secure. Even if your practice is using a third-party company to keep your digital data secure, it’s your responsibility to ensure they are doing so. This means that your risk analysis should include evaluation of their systems and processes and not just your own.
2. Hospital Employees Shared PHI With Personal Injury Lawyers
In April, several employees of a Tennessee hospital pleaded guilty to disclosing PHI about patients who had been in car accidents. They shared the patients’ names and phone numbers with a third party who then sold it to others, including chiropractors and personal injury lawyers.
The hospital employees faced penalties of up to a year in prison and $50,000 fines for revealing the patients’ protected health information.
How to avoid this fate: It’s essential to train your staff members about what constitutes HIPAA breaches. They must know what type of information is protected and what the penalties are if they violate the law. This education should not just occur during onboarding, but should be ongoing throughout the course of their employment so they stay on top of the possible violations.
3. Medical Group Failed to Give Patients Their Medical Records
In December, a multispecialty provider group with offices in two states agreed to pay $160,000 for failing to provide patients with timely access to their medical records. According to the HIPAA regulations, healthcare entities must provide medical record access within 30 calendar days after a request, but this organization was found to have taken between 84 and 231 days to get their records.
Although this isn’t classified as one of the HIPAA breaches, it is a HIPAA violation, resulting in the government monitoring the practice for a year to ensure it’s now compliant.
How to avoid this fate: Your practice cannot afford to withhold patients’ medical records if you want to stay on the right side of the HIPAA rules. Create a system that allows patients with swift access to their records and train everyone on your staff about how to provide timely access.
Some of the biggest HIPAA breaches have occurred due to mistakes made at the front desk. Ensure your practice doesn’t create any HIPAA violations with expert strategies from Tracy Bird, FACMPE, CPC, CPMA, CEMC, CPC-I. She’ll share the tips you need during her one-hour online training event, Head Off Front Desk HIPAA Nightmares. Register today!
 |
Subscribe to Healthcare Practice Advisor |
| Get actionable advice to help improve your practice’s reimbursement, compliance, and success in this weekly eNewsletter. |
|
|
|