"Little" HIPAA violations can still mean big fines

Nurse Leader Weekly, November 4, 2004

Want to receive articles like this one in your inbox? Subscribe to Nurse Leader Weekly!

Noncompliance with the "little things" can add up quickly and keep your hands full, especially because neither the Privacy Rule nor the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) spells out every possible situation that could lead to a violation and penalty.

"A violation of HIPAA is a violation, regardless of whether it is subjectively considered little or big," says Rebecca Herold, CISSP, CISM, CISA, FLMI, information privacy, security, and compliance consultant, author, instructor, and attorney at Rebecca Herold & Associates, LLC in Van Meter, IA. "The actual penalty involved will depend upon the situation, what safeguards and controls the covered entity [CE] has in place, and the demonstrated and documented compliance efforts being made by the CE," she adds.

The Department of Health and Human Services enforces civil monetary penalties (CMP) and the U.S. Department of Justice enforces criminal penalties. HIPAA imposes a fine of no more than $100 per person for failure to comply with a single regulation. The total fine is no more than $25,000 per calendar year per person for the same violation. This amount can quickly increase with violations of multiple regulations or by multiple individuals. More severe criminal penalties may apply for wrongful disclosure of protected health information (PHI).

Be mindful of the following:

* Leaving patient details (e.g., name, address, contact information, medications, medical condition, room number, or vitals) on monitors that face an area where visitors and others may see them
* Putting patient charts outside the room facing out into the hallway
* Discussing patient symptoms/conditions within earshot of other patients or visitors or failing to close doors when discussing issues with or about patients
* Disposing of printed PHI in dumpsters without shredding the papers first
* Asking patients to sign a card or other form indicating they have read and understood your privacy policy, but not having copies of the privacy policy readily available
* Storing PHI on laptops, personal digital assistants (PDAs), or other devices without implementing proper precautions such as passwords, encryption, and physical locks
* Taking and publishing photos with patients in the background
* Storing PHI on home PCs and not prohibiting family members from using the computers
* Posting patients' names outside their rooms
* Disposing of IV bags labeled with patient names in the regular trash instead of secure waste
* Leaving patient menus on trays and dumping them into the general garbage
* Misdirecting mail

Source: Adapted from Briefings on HIPAA (October 2004), published by HCPro, Inc.
