HIPAA protected health information, or PHI, is any demographic information that can be used to identify a patient. Personal information such as names, addresses, phone numbers, dates of birth and social security numbers are all examples of PHI. Whenever this data is compromised, it’s likely that a HIPAA violation has occurred. HIPAA violations can be very expensive for your company, too. Each violation can cost anywhere from $100 to $50,000, with a maximum penalty of $1.5 million per year for violations of an identical provision.

Luckily, though, there are ways to reduce the risk of committing a HIPAA violation, and it begins by understanding the most common violations and how your organization may be vulnerable.

Compromised Devices

Lost or stolen devices: Losing your phone, laptop, thumb drive or other device with PHI on it is a huge liability for your organization, especially if you aren’t taking extra precautions to protect your data. Devices that hold confidential information should be password protected and encrypted so that a lost or stolen device does not expose the PHI stored on it.

Insecure technology: Sharing ePHI can be risky without the proper protections on your devices and network. All communication and storage mediums need additional security to meet HIPAA compliance requirements. These include two-factor authentication, data encryption and internal auditing procedures, to name a few.

Hacking & Malware

Hacking: Instances of hacking make up 23% of HIPAA breaches. Hackers gain access to PHI by exploiting weaknesses in your system. Methods include cracking a weak password, exploiting outdated systems, phishing schemes and more. Oftentimes, an elaborate plot isn’t necessary for them; hackers are opportunists, so if you don’t keep up with your security, they’ll find a way in.

Malware: Hackers will also use malicious programs to gain entry into your system. Malware can attack a vulnerability anywhere in your system, including computers, servers and networks. Without the proper antivirus or antimalware protection, malware, viruses or spyware could be running on your system unbeknownst to you.

Human Error or Criminality

Lack of employee training: HIPAA requires that anyone who will be handling PHI receive proper training, including volunteers and interns. Once all personnel have been educated on HIPAA requirements, they will be less likely to violate them by accident. Your responsibility for HIPAA compliance also extends to contractors and other associates. Any agreement with these entities should also include compliance plans or training requirements.

Improper third-party disclosure: Because of the Common Agency Provision in the HIPAA Omnibus Ruling, you are responsible for HIPAA compliance of any third-party entities you work with. Before working with any Business Associates or Business Associate subcontractors, you need to make sure there are compliance plans in place or you will be liable for improperly disclosing PHI to these third parties.

Mishandling information: Using paper records significantly raises your chances of mishandling PHI. It’s very easy for an unauthorized individual to see an unsecured paper document. Even electronic record keeping can be problematic if employees don’t properly protect their devices.

Accidental breach: In an organization dealing with hundreds to thousands of patients, accidents are bound to happen. PHI can be sent to the wrong patient by mistake. Confidential information can accidentally be mentioned outside of the office. A social media post can include inappropriate details. Having a solid privacy policy and clear procedures in place can help prevent these occurrences.

Employee dishonesty: Whether out of curiosity or for personal gain, employees have been known to access confidential PHI data. Using or selling PHI is obviously illegal, and your organization should be aware of this risk and monitor access to PHI closely.

Improper disposal: Any information, whether paper or electronic, needs to be properly disposed of when it’s no longer necessary. Papers should be shredded and hard drives should be wiped. Remember that even your photocopier has a hard drive, and make sure you’ve also considered mobile devices such as phones, tablets and laptops.

Achieve HIPAA Compliance With CompanyMileage

Our HIPAA-compliant software helps you achieve compliance standards that meet or exceed federal requirements. Our three-tiered system of data encryption, secure facilities and strict privacy policies shields your data with extra layers of protection. By storing PHI in a secure, cloud-based location, SureMileage and our mobile app, SureMobile, ensure patient information is easily accessible to authorized individuals while keeping it safe and uncompromised. Protect your data from improper handling or breach by trusting it with CompanyMileage.

To learn how our expense management software can deliver security and peace of mind to your organization, request a demo with CompanyMileage today.