
Top 7 HIPAA Violation Examples

Written by Randy Lindberg | 28 Jul 2021

Recently, we shared a post about HIPAA Compliance. In it, we explained the importance of protecting the medical records and patient data that doctors' offices, hospitals, and even medical billing and insurance firms keep. In this post, we'll explore the top 7 HIPAA violation examples in an effort to help ensure you're not making these common mistakes. Some of the HIPAA violation examples listed may surprise you, but being aware of them will hopefully inspire you and/or your company to be more diligent about maintaining the security of sensitive data for the patients you serve.

 

1. Keeping Copies of Records in an Unsecured Manner

This is one of the HIPAA violation examples many companies don’t even realize they are guilty of. It’s so easy to make this mistake. Here’s a common way this violation can happen:

 

An employee at a medical billing firm is running a little behind on work. She copies some of the files to her laptop, which doesn't require credentials to log in. She then takes the laptop home and works on the files over the weekend. What could be more innocent?

 

The reason this is a violation of HIPAA is simple: what happens if her laptop is lost or stolen? All of the data could fall into the hands of an unauthorized user. In fact, even if her laptop stays safely in her possession the entire time she is out of the office, her husband or children could see the data. While the reality is they might not care about the data on this employee's screen, the fact that they had the opportunity to view it without being authorized to is a violation of patient privacy.

 

The fix: Never copy files from secured computers or laptops onto unsecured devices. Furthermore, if you must copy any files to another device, do not take them out of the office building they are housed in.

 

2. Leaving Computers/Company Intranet Sites Logged In

While this may seem harmless considering most of your employees have been authorized to view patient data, what if someone who is unauthorized sees the files on the screen? Any time personnel who should not see this data do see it, the result is a HIPAA violation!

 

Here’s a common way this can happen: An employee forgets to log out, and sensitive data remains on their computer after they have left for the day. Then, the cleaning crew comes in and sees this data on the screen.

 

Suppose they see something they find humorous such as an awkward diagnosis or a weird name and snap a picture on their phone to share with their friends. Before you know it, the private details of a patient have been exposed to multiple people when they assumed it would remain private. This can be made much worse in the event the unauthorized viewer shares what they saw on social media and it goes viral!

 

The fix: Sessions on computers should require login credentials for all personnel, and sessions should automatically time out after a period of inactivity.

 

Need a social engineering test for your business? Contact Rivial Security to book a strategy session today!

 

3. A Website is Hacked

The sad reality is cybercriminals are becoming more sophisticated, and it’s the responsibility of website owners to defend their websites and the data held within them. A single outsider “breaking in” to your digital doors can expose untold amounts of private data.

 

The fix: You should be using malware scanning tools and website security software to keep nefarious individuals out. And, if they do manage to get in, all data should be encrypted so that even if someone were to intercept it, they would get nothing but gibberish.

 

4. Employees Sharing Login Details

Susan forgot her login information, but can't get in touch with IT support. So Derek lends his to her because he will be going out of town for a few days. The problem is, Derek has more access than Susan does, and now she can view files she is not supposed to be able to see.

 

The fix: Do not allow employees to share login credentials. Furthermore, each login should only be able to be used by one person on one device at any given time. Access controls are critical to the privacy of patients.

 

Yes, this may mean Susan can’t do her work for the day, but violating HIPAA policies is not worth granting unauthorized access.

 

5. Granting Too Much Access to Personnel

Simply put, not every employee needs access to all patient data. And, while we're discussing this, employees should not be able to save any data to their company-assigned computers, let alone their personal devices.

 

The fix: Only grant access to the data on a need-to-know basis. This may mean having different access controls by department, or even by employee depending on the nature of their jobs. You can take limiting access a step further by removing identity information such as names, addresses, phone numbers, etc… from files where your personnel don’t need to see said data.

 

6. Allowing Anyone to Walk Into Your Offices

If you don't have secured rooms, unauthorized users can gain access to and/or see data they should not be able to view. For example, a vendor who is stopping by to meet with the CEO should be required to visit a receptionist, sign in, and be escorted directly to that person's office. If instead he can come into the building without a key or keycard and walk directly to the intended office, the vendor has far too much access. While the odds are he is only there to visit the CEO, what if he gets curious and looks at a computer or two, or three, along the way? This free access can result in HIPAA violations.

 

The fix: Do not allow unauthorized users to walk freely throughout an office where sensitive data is housed. The more free rein you give to outsiders, the more chances there are for privacy breaches. Take this a step further by requiring keycards that let you know exactly who entered an office at any given time.

 

7. Forgetting to Remove Access

This is one of those HIPAA violation examples that might not even be on your radar. When an employee is fired, quits, is reassigned, promoted, etc., forgetting to remove or alter their access to patient data can be a problem. It's a mistake that is far too easy to make, especially when the employee still works within the company in some capacity.

 

The fix: Have protocols in place for removing access or changing access if an employee’s status changes. This must be addressed immediately. Don’t wait. Every moment they still have access when they shouldn’t can result in the potential for a data breach.

 

Common HIPAA Violation Examples

Other common HIPAA violation examples include, but aren’t limited to:

  • Propping open locked office doors for any reason
  • Lost or stolen USB devices holding sensitive data
  • Lost or stolen laptops, computers, smartphones and other devices
  • An office break-in
  • Posting data to social media - even if it seems harmless and certain details are redacted
  • Sending data via unsecured email accounts
  • Leaving personal data on messaging systems such as voicemails or answering services

 

Are you making any of these common violations? If so, you may want to reconsider your security and data access. Your patients and customers are counting on your company to keep their private data safe from unauthorized users.

 

To learn more about how you can ensure HIPAA compliance for your business, contact Rivial Security for assistance with continuous compliance.

 

Consider completing a social engineering test with us to ensure your employees understand best practice security measures.