7 Myths Regarding PHI Data Breaches
Guarding protected health information (PHI) is a constant topic in today’s culture. With numerous PHI data breaches in the healthcare industry, it’s easy to worry that your information could be subject to hackers or thieves at any time! For individuals, there are a lot of ways to protect your personal information, but when we’re talking about PHI, the focus should be on any business in the healthcare industry. The main regulations that these businesses have to deal with fall under HIPAA (the Health Insurance Portability and Accountability Act). Sadly, many in the healthcare industry have fallen prey to certain myths regarding what HIPAA covers, so they don’t exercise due diligence in protecting PHI. This leads to more and more data breaches every year, so it’s time for anyone in the healthcare world to commit the time (and money) to become fully compliant with HIPAA, or deal with the consequences.
HIPAA Isn’t Mythical
Myths are those things that have long been believed, whether there’s proof to the story or not. It’s an idea or belief that is widely held, but is really false. For thousands of years, societies and cultures have perpetuated myths that are still here with us today – the Loch Ness monster, ancient Greek gods, stories about the Titanic – all things that can’t be proven and remain almost comical in nature. This is not how HIPAA should be thought of or treated. Here are 7 of the top myths regarding HIPAA that you need to know right now:
Myth #1: HIPAA doesn’t apply to MY specific facility.
Fact: HIPAA applies to any and all healthcare providers who transmit, store, or handle protected health information, facilities of all sizes and purposes. PHI (which includes a patient’s name, SSN, address, etc.) is subject to the HIPAA privacy rules. As long as you handle PHI, in any form or fashion, you need to comply with HIPAA. This also includes any subcontractors who have access to your patient data. Any entity this data goes through — for example, a database provider in the Cloud — needs to be HIPAA-compliant as well.
Myth #2: HIPAA only applies to electronic health records.
Fact: HIPAA covers ALL patient records, regardless of their format. While electronic health records are what most facilities use these days, that doesn’t mean paper records are exempt from protection. As long as the information can be stored, handled, transmitted, breached or stolen, it needs to be protected, according to HIPAA.
Myth #3: Patients can sue healthcare providers for HIPAA violations.
Fact: Even in the case of a violation of the HIPAA privacy rules, patients cannot sue healthcare providers. If a healthcare provider fails to comply with HIPAA regulations, the patient must file a written complaint. If there are reasonable grounds for an investigation, the Secretary of Health and Human Services may conduct one at his or her own discretion. In the best case, some civil penalties and criminal sanctions may be imposed on the non-compliant healthcare provider, but patients don’t have as much say as they may think.
Myth #4: Hospitals and other healthcare facilities are required to give patients their health records.
Fact: Records can be requested, but are not guaranteed to be given. Some records may be deemed harmful for a patient, like mental health records, which could cause the patient to harm themselves. Most of the time, when the rules are followed and all requirements for a records request have been fulfilled, the patient is more than likely to receive them, and if not, the facility is obligated to notify the patient in writing.
Myth #5: A healthcare facility is compliant because they use the HIPAA NPP (Notice of Privacy Practices) and they’re careful about confidentiality.
Fact: A facility must have completed the required security risk analysis that covers 54 standards and specifications under HIPAA; must have written HIPAA policies and procedures; and must train staff members, providers, and volunteers on policies and procedures. Following HIPAA protocol isn’t just about having your patients sign a form – it’s a regulation that will have to be revisited as often as needed, implementing any updates handed down by the U.S. Department of Health and Human Services in a timely fashion.
Myth #6: HIPAA violations aren’t that costly – my facility can handle the damage.
Fact: While paying a fine for a HIPAA violation may not sound that worrisome, the financial damage done by a breach that stemmed from a HIPAA violation can be extremely costly, even fatal to a smaller facility. Providers that have not made adequate efforts toward compliance are considered to have committed “willful neglect”. They are subject to fines upwards of $50,000 from the Office for Civil Rights. This neglect is what leads to a breach, and depending on the number of records breached, the average cost of a breach to an organization is over 3 million dollars.
Myth #7: A breach won’t happen at my facility because we protect ourselves against malware and hackers.
Fact: The main source of data breaches today is lost or stolen devices, not hackers breaking into your computer system. Right now, the loss of a device containing confidential information accounts for almost 41% of all breaches, while hacking or malware accounts for only about 25% of total breaches. Healthcare facilities often overlook the amount of sensitive information their employees have on their personal devices, like laptops and smartphones.
Is Your Facility Compliant?
If you’ve overlooked the requirements for being fully HIPAA compliant, it’s time to make a change, and that change should include having a document and device destruction policy. Secure Destruction is one of the top destruction companies in the greater Birmingham and Huntsville, AL areas, and we can assist you in developing a system for destruction, ensuring that your facility won’t be subject to PHI breaches or HIPAA violations. Contact us today to make sure your facility is protected!