Medical errors are unavoidable. Sadly, these oversights sometimes result in tragic circumstances, as approximately 100,000 Americans die annually because of medical errors.
As we mentioned in a previous blog, medical errors are a leading cause of death in the United States, costing the healthcare industry roughly $20 billion. The Agency for Healthcare Research and Quality (AHRQ) lists eight common root causes of medical errors:
- Communication problems
- Inadequate information flow
- Human problems
- Patient-related issues
- Organizational transfer of knowledge
- Staffing patterns and workflow
- Technical failures
- Inadequate policies
Medical errors typically involve surgery, diagnosis, medication, devices and equipment, systems failures, infections, falls, and healthcare technology. Administrative mistakes, which include inaccurate or incomplete patient medical records, inadequate follow-up of patients after diagnostic tests, incorrect management of diagnostic test requests and results, miscommunication during transitions of care, and patient misidentification, account for up to half of all medical errors in primary care.
Healthcare Data Rules and Regulations
Another costly type of error in healthcare, although it usually affects patient safety far less than medical mistakes, is a lack of compliance with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) and its administrative, physical and technical safeguards. Providers and other healthcare entities that create, receive or transmit protected health information (PHI) are required to comply with HIPAA and can be fined and penalized for not doing so.
A more recent requirement with which healthcare providers must comply is the federal Information Blocking rule, also referred to as “Open Notes.” According to the Office of the National Coordinator for Health Information Technology (ONC), this rule, which makes it mandatory for all providers to make 16 categories of electronic records available electronically to a patient upon request as soon as that data is available, is designed to give patients and their healthcare providers secure access to health information and to increase innovation and competition by fostering an ecosystem of new applications that give patients more choices in their healthcare.
Common HIPAA Violations
The Information Blocking rule was implemented in April 2021, so not much information about providers’ level of compliance with it is available yet. However, since the Privacy Rule’s compliance date in April 2003, the Office for Civil Rights (OCR) has received more than 283,429 HIPAA complaints and has initiated over 1,104 compliance reviews. In 2020 alone, 26,530 complaints were filed with the OCR because a HIPAA-covered entity or its business associate allegedly violated someone’s health information privacy rights or committed another violation of the Privacy, Security or Breach Notification Rules.
The number of healthcare entities not fully in compliance with HIPAA regulations has resulted in marked problems. More than 29 million healthcare records were breached in 2020, including 642 reported data breaches of 500 or more records. The ten most common HIPAA violations are:
- Snooping on healthcare records
- Failure to perform an organization-wide risk analysis
- Failure to manage security risks/lack of a risk management process
- Denying patients access to health records/exceeding timescale for providing access
- Failure to enter into a HIPAA-compliant business associate agreement (BAA)
- Insufficient ePHI (electronic protected health information) access controls
- Failure to use encryption or an equivalent measure to safeguard ePHI on portable devices
- Exceeding the 60-day deadline for issuing breach notifications
- Impermissible disclosures of PHI
- Improper disposal of PHI
Hospitals are the most common violators of HIPAA privacy regulations, followed by private practices, outpatient facilities, pharmacies and health plans. Providers have the potential to not only lose revenue and their reputation but also patients, as most consumers lose trust quickly when their personal data is compromised by a third-party organization.
Effective Ways to Eliminate HIPAA Errors
There are three ways in which HIPAA violations are typically discovered:
- Investigations into a data breach by OCR (or state attorneys general)
- Investigations into complaints about covered entities and business associates
- HIPAA compliance audits
A HIPAA audit can result in fines and penalties for physician practices, yet many providers still don’t have the correct policies and procedures in place to avoid them. Providers of any size should conduct a risk analysis incorporating the following elements, as recommended by HHS:
- Scope of the analysis
- Data collection
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine the level of risk
- Finalize documentation
- Periodic review and updates to the risk assessment
Another way for providers to avoid HIPAA non-compliance and errors is by regularly conducting staff training to address common HIPAA violations made by healthcare employees. When developed and implemented correctly, this training should focus on policies and procedures relevant to your employees’ responsibilities. It also should inform provider employees about cybersecurity, including the risks of using a USB drive from an unreliable source and how to identify emails with infected links or attachments that might contain ransomware.
A majority, if not all, of healthcare providers in the U.S. utilize technology in their profession. All provider staff members should know the three major rules from the HIPAA Security Rule that apply to technology:
- Any technology that stores PHI must automatically log out after a certain time to prevent access by someone without credentials.
- Anyone with access to PHI must have a unique login that can be audited based on their use.
- PHI must be encrypted.
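The three rules above, as an added worked example in Go that is not part of this post or of RingRx's product: a hypothetical in-memory PHI store whose names (PHIStore, Login, Write, Read), 15-minute idle timeout, and sample user and patient IDs are all constructed for illustration. It keeps records only as AES-256-GCM ciphertext, drops a session whose user has been idle longer than the timeout, and writes a per-user audit line for every login and access attempt, so that each action can be traced back to one credential.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var ErrNotAuthenticated = errors.New("no active session")
var ErrSessionExpired = errors.New("session expired: idle timeout reached")

// session ties one unique user identity to its last-activity time.
type session struct {
	userID   string
	lastSeen time.Time
}

// PHIStore is a hypothetical store: AES-256-GCM ciphertext at rest, sessions that
// lapse after idleTimeout, and an audit trail attributing every access to a user.
type PHIStore struct {
	aead        cipher.AEAD
	idleTimeout time.Duration
	Records     map[string][]byte   // patientID -> nonce || ciphertext (exported for inspection)
	sessions    map[string]*session // session token -> session
	AuditLog    []string
}

// NewPHIStore takes a 32-byte key; in production it comes from a KMS or HSM, never from source.
func NewPHIStore(key []byte, idleTimeout time.Duration) (*PHIStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: NewGCM only rejects non-128-bit block ciphers
	return &PHIStore{aead: aead, idleTimeout: idleTimeout,
		Records: map[string][]byte{}, sessions: map[string]*session{}}, nil
}

// Login issues an unguessable token bound to one user ID so each later action is attributable.
func (s *PHIStore) Login(userID string, now time.Time) string {
	raw := make([]byte, 16)
	rand.Read(raw) // crypto/rand.Read never returns an error since Go 1.24
	token := fmt.Sprintf("%x", raw)
	s.sessions[token] = &session{userID: userID, lastSeen: now}
	s.audit(now, userID, "login", "-", "ok")
	return token
}

// authorize enforces automatic logout: an idle session is dropped, logged, and must log in again.
func (s *PHIStore) authorize(token, action, patientID string, now time.Time) (string, error) {
	sess, ok := s.sessions[token]
	if !ok {
		s.audit(now, "?", action, patientID, "no-session")
		return "", ErrNotAuthenticated
	}
	if now.Sub(sess.lastSeen) > s.idleTimeout {
		delete(s.sessions, token)
		s.audit(now, sess.userID, action, patientID, "auto-logout")
		return "", ErrSessionExpired
	}
	sess.lastSeen = now
	return sess.userID, nil
}

// Write encrypts the note before storing it; the patient ID is bound in as GCM associated data.
func (s *PHIStore) Write(token, patientID, note string, now time.Time) error {
	userID, err := s.authorize(token, "write", patientID, now)
	if err != nil {
		return err
	}
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // fresh random nonce per record; a nonce must never repeat under one key
	s.Records[patientID] = append(nonce, s.aead.Seal(nil, nonce, []byte(note), []byte(patientID))...)
	s.audit(now, userID, "write", patientID, "ok")
	return nil
}

// Read decrypts a record for an authenticated, non-idle user and logs the outcome.
func (s *PHIStore) Read(token, patientID string, now time.Time) (string, error) {
	userID, err := s.authorize(token, "read", patientID, now)
	if err != nil {
		return "", err
	}
	n := s.aead.NonceSize()
	blob := s.Records[patientID]
	if len(blob) < n {
		return "", fmt.Errorf("no record for %s", patientID)
	}
	pt, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(patientID))
	if err != nil { // wrong key, moved record or altered ciphertext: the GCM tag check failed
		s.audit(now, userID, "read", patientID, "integrity-failure")
		return "", err
	}
	s.audit(now, userID, "read", patientID, "ok")
	return string(pt), nil
}

func (s *PHIStore) audit(now time.Time, userID, action, patientID, result string) {
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("%s user=%s action=%s patient=%s result=%s",
		now.UTC().Format(time.RFC3339), userID, action, patientID, result))
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed demo key
	store, _ := NewPHIStore(key, 15*time.Minute)
	tok := store.Login("nurse-jdoe", time.Now())                  // constructed user
	_ = store.Write(tok, "patient-0001", "BP 120/80", time.Now()) // constructed note
	fmt.Println(store.Read(tok, "patient-0001", time.Now()))
	fmt.Println(store.AuditLog)
}
```

Two points the list does not spell out: an expired session is deleted rather than merely flagged, so the next request fails as unauthenticated and the user has to go through Login again, which leaves a visible gap in the audit trail; and because the patient ID is passed as GCM associated data, a ciphertext that is copied to another patient's record or altered in storage fails the tag check on Read instead of decrypting to garbage.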
An increasing number of providers employ text messages to promote patient engagement and conduct patient outreach. They can stay compliant by not making these five common provider texting mistakes:
- Texting from a non-secure system
- Texting non-opt-in contacts
- Sharing PHI without permission
- Giving the wrong employees access
- Sending messages to the wrong contact
Simply by being aware of common HIPAA errors, providers and their staff can increase compliance and take the initiative to avoid them. If not, they risk criminal HIPAA violation penalties, which range from a fine of $50,000 and up to a year in prison to $250,000 and up to ten years of jail time. Civil penalties vary from $100 – $50,000 per violation, with an annual maximum of $25,000 for repeat violations, to $50,000 per violation, with an annual maximum of $1.5 million.
RingRx was created with strict security standards at every level of our system, and our staff is certified and receives continuing education and training on all HIPAA regulations. Try a free 14-day trial with us to learn more!