HIPAA Complaint Detection

Cole Pruden | Compliance, HIPAA Compliance


Identifying potential HIPAA violations before anyone else does is essential to achieving and maintaining HIPAA compliance, avoiding fines, and protecting people’s data. Let’s look at how.

HIPAA Compliance

Because it deals with data subjects’ private health-related information, the Health Insurance Portability and Accountability Act, or HIPAA, is one of the strictest privacy regulations. Violations can result in civil money penalties of up to $50,000 per violation, or, when prosecuted criminally, fines of up to $250,000 and up to 10 years’ imprisonment.

HIPAA is a US regulation that applies to covered entities (health care providers, health plans and insurers, and health care clearinghouses) and to the business associates that handle protected health information on their behalf. It mandates how people’s private health-related data can be gathered, stored, accessed, and used. Its obligations follow the data: a business associate processing PHI for a US covered entity is bound by HIPAA even when it is located outside the country.

[Figure: HIPAA fines. Source: HIPAA Journal]

This article goes one level deeper, tackling HIPAA complaint detection and how businesses can protect both themselves and their data subjects. If you’re looking for a general breakdown of HIPAA, you’ll find it in our article “How To: Understanding HIPAA Compliance”.

HIPAA Complaint Examples

What is a HIPAA complaint, and what happens if you receive one?

According to the official HIPAA pages on the U.S. Department of Health and Human Services (HHS) website, “If someone believes that a HIPAA-covered entity violated their (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, they may file a complaint with the Office for Civil Rights (OCR).”

Examples of common causes for a HIPAA complaint include:

  • Unauthorized access, disclosure, or use of PHI (Protected Health Information)
      • PHI is accessed, viewed, or shared without proper authorization, either intentionally or accidentally
  • Failure to implement security safeguards
      • Failing to encrypt PHI, no proper access controls, unmonitored access logs, etc.
  • Improper PHI disposal
      • PHI must be disposed of so that it cannot be accessed or read by unauthorized individuals (paper shredders, securely wiping electronic media, a certified document destruction service, etc.)
  • Failure to obtain proper authorization
      • Entities must obtain proper authorization to use and disclose PHI, including when using such data for marketing purposes or research

Receiving a HIPAA Complaint

As described above, anyone can file an official HIPAA complaint with the OCR, including on behalf of another person. If the complaint falls within its jurisdiction, the OCR contacts the organization in question and opens an investigation to determine whether a violation occurred, and the consequences can be severe if fault is found.

So, what do you do if you receive a HIPAA complaint? The first step is to gather all the relevant information you hold on the data subject(s). This is easier said than done, especially for larger organizations with terabytes of stored data, files, emails, and more.

You can expect the OCR to request a full account of that data as part of its investigation. The agency will also look at the different points where the data can be accessed, who has access to what, and the timeline of how the data was gathered and moved around. Depending on its findings, the agency may impose civil money penalties (CMP) or refer possible criminal violations to the Department of Justice for further review and prosecution.

HIPAA Complaint Detection

The goal of any business or organization subject to HIPAA should be to achieve HIPAA compliance before ever receiving a HIPAA complaint. And should a complaint come through anyway, it’s best to be prepared for the worst.

Another way to look at HIPAA complaint detection is as HIPAA violation prevention: finding the exposures a complainant would point to before anyone files. Luckily, protecting people’s sensitive PHI and protecting the company can be achieved at the same time.

By using modern data discovery software, entities can perform in-house HIPAA audits before the OCR ever comes knocking. Such software allows users to perform thorough PHI (and ePHI) discovery across their entire environment.


It does so by scanning local and cloud storage, emails, databases, archived and password-protected files, images, signatures, and more. It handles both structured and unstructured data as well as scanned and rotated documents (e.g., MRI scans, prescriptions, etc.).

Once the software finishes scanning for HIPAA-related data, it provides a breakdown of every finding, where it lives, and a risk assessment for each. Users can then decide how best to remediate any data that is not being handled in a HIPAA-compliant way.
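To make the mechanics of such a discovery pass concrete, here is an added example in Python. It is not PII Tools’ code and does not describe how that product works internally; it only shows the shape of the job: flatten structured records so they can be searched the same way as free text, match a few HIPAA identifier patterns, record the document and offset of every hit with the value masked, and raise the risk when identifiers sit next to clinical context (an SSN alone is PII; an SSN next to a diagnosis is PHI). The identifier patterns, risk weights, thresholds, file names and the sample documents are all assumptions constructed for the example. OCR of images and handling of archives or password-protected files, which the text mentions, are out of scope here.

```python
"""Minimal ePHI discovery pass over a constructed corpus (added example).

Assumptions: the regexes cover only a handful of the 18 HIPAA Safe Harbor
identifier categories, the weights and thresholds are illustrative, and the
sample corpus below is constructed, not real data.
"""
import re
from dataclasses import dataclass
from typing import Any

# kind -> (pattern, weight).  Weights are an assumption for this example.
PATTERNS: dict[str, tuple[re.Pattern[str], int]] = {
    "ssn": (re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), 5),
    "mrn": (re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.IGNORECASE), 4),
    "dob": (re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE), 3),
    # lookbehind instead of \b: "(" is not a word character, so \b would not fire before it
    "phone": (re.compile(r"(?<![\w-])\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), 2),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), 2),
}
# Clinical context words turn plain PII into PHI; list is illustrative.
CLINICAL = re.compile(r"\b(?:diagnos\w*|prescri\w*|patient|MRI|ICD-10|Rx)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    doc: str      # where the hit lives, so remediation can go straight to it
    kind: str
    offset: int
    masked: str   # masked value, so the audit report itself is not ePHI


def mask(value: str) -> str:
    """Keep only the last four characters of a matched value."""
    keep = 4
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def flatten(record: Any) -> str:
    """Turn a structured record (dict/list, e.g. a DB row) into searchable text."""
    if isinstance(record, dict):
        return "\n".join(f"{k}: {flatten(v)}" for k, v in record.items())
    if isinstance(record, (list, tuple)):
        return "\n".join(flatten(v) for v in record)
    return str(record)


def scan_text(doc: str, text: str) -> list[Finding]:
    """Run every identifier pattern over one document; return hits by offset."""
    findings = [
        Finding(doc, kind, m.start(), mask(m.group(0)))
        for kind, (pattern, _) in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    return sorted(findings, key=lambda f: f.offset)


def risk_level(findings: list[Finding], text: str) -> str:
    """Sum identifier weights; double the score when clinical context is present."""
    score = sum(PATTERNS[f.kind][1] for f in findings)
    if score == 0:
        return "none"
    if CLINICAL.search(text):
        score *= 2
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def audit(corpus: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Scan every document (text or structured) and report risk plus findings."""
    report: dict[str, dict[str, Any]] = {}
    for name, content in corpus.items():
        text = content if isinstance(content, str) else flatten(content)
        findings = scan_text(name, text)
        report[name] = {"risk": risk_level(findings, text), "findings": findings}
    return report


# Constructed sample corpus: one email, one DB row, two harmless documents.
SAMPLE_CORPUS: dict[str, Any] = {
    "mail/referral.eml": (
        "From: dr.lee@clinic.example\n"
        "Patient MRN: 00482913, DOB: 04/12/1978. MRI shows L4-L5 herniation; "
        "prescribing ibuprofen. Call (555) 201-3344 to schedule."
    ),
    "db/billing_row.json": {
        "name": "Jane Roe", "ssn": "219-09-9999", "plan": "PPO",
        "diagnosis_code": "ICD-10 M54.16",
        "contact": {"email": "jane.roe@example.com"},
    },
    "docs/newsletter.txt": "Our clinic opens Monday. Call (555) 000-1234 for hours.",
    "docs/minutes.txt": "Quarterly budget approved. Next meeting in March.",
}

if __name__ == "__main__":
    for doc, entry in audit(SAMPLE_CORPUS).items():
        print(f"{doc}: risk={entry['risk']}")
        for f in entry["findings"]:
            print(f"  {f.kind:<6} @{f.offset:<4} {f.masked}")
```

The newsletter scores “low” rather than “none” on purpose: a phone number is PII, and a real tool would still list it so a reviewer can confirm it is a business line and not a patient callback. The billing row reaches “high” without any free text, which is why flattening structured records matters; PHI in databases is the part that is easiest to forget during an in-house audit.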

HIPAA Compliance with PII Tools

All the advantages of using sensitive data discovery software for HIPAA complaint detection listed above are available in PII Tools. The software finds all the data related to a specific subject across your entire inventory, including the exact file locations.

And if you still end up receiving a HIPAA complaint, you can use the software’s PII Analytics feature to filter and search for the affected documents on demand, so that answering an ePHI access request or an OCR data request becomes a quick search rather than a weeks-long manual hunt.

PII Tools was specially designed with all major data and privacy regulations in mind, and HIPAA is no exception. The software helps users achieve HIPAA compliance by pinpointing and isolating at-risk data for remediation.

That way, if you ever do have the OCR breathing down your neck with a HIPAA complaint, you already know where every piece of healthcare-related data lives and can show that it has been reviewed and remediated. Discovery is the first step, not the last: the findings still have to be acted on for the data to be secure and compliant.

Are You Ready for a HIPAA Complaint? Then Get Ready with PII Tools Data Discovery Software!


Download our AI whitepaper: Detecting Personal Names in Text