In recent years, the number of employees discovered to be accessing or stealing PHI has increased. PHI commands a considerable price on the black market, and that can be a strong temptation for some. It is essential that controls are put in place to limit the opportunity for individuals to steal patient data, and that systems and policies are in place to ensure improper access to and theft of PHI are identified promptly. On any operating system or application that holds PHI, access must always be restricted to the minimum necessary for each role, backed by security measures on the systems themselves: unique user IDs, password policies (complexity requirements, forced password changes, and restrictions on reusing old passwords), account lockout after repeated failed login attempts, and automatic locking of systems after 10-15 minutes of inactivity.
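The controls listed above are usually enforced by the operating system or application, but seeing them as code makes the individual rules concrete. The following is an added example written for this page, not code from the original text or from ANATOMY_IT: a small account model that enforces a minimum-necessary role map, unique user IDs, password complexity and reuse history, forced password expiry, lockout after repeated failures, and an idle-session lock. The specific thresholds (12-character minimum, 5 failed attempts, 30-minute lockout, 5-password history, 90-day maximum age, 10-minute idle lock) are assumptions chosen for illustration; the page only states the categories of control and the 10-15 minute idle range.

```python
"""Account-control model for a system holding PHI (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed policy values. The page names the control types; these numbers are
# illustrative choices, not values taken from the page.
MIN_LENGTH = 12
MAX_FAILED_LOGINS = 5
LOCKOUT = timedelta(minutes=30)
PASSWORD_HISTORY = 5                 # previous passwords that may not be reused
MAX_PASSWORD_AGE = timedelta(days=90)
IDLE_LOCK = timedelta(minutes=10)    # within the page's 10-15 minute range

# Minimum-necessary map: each role sees only the PHI fields its job requires.
# Hypothetical roles and fields, constructed for the example.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "billing": {"name", "insurance_id", "dates_of_service"},
    "nurse": {"name", "diagnosis", "medications", "allergies"},
}


def permitted_fields(role: str, requested: Set[str]) -> Set[str]:
    """Return only the requested fields the role is allowed to see."""
    return requested & MINIMUM_NECESSARY.get(role, set())


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials are not trivially recoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def meets_complexity(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


@dataclass
class Account:
    user_id: str                      # unique per person; never a shared login
    role: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # newest hash first
    password_set: Optional[datetime] = None
    failed_logins: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None

    def set_password(self, new_password: str, now: datetime) -> bool:
        """Reject weak passwords and any of the last PASSWORD_HISTORY values."""
        if not meets_complexity(new_password):
            return False
        digest = hash_password(new_password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[:PASSWORD_HISTORY]):
            return False
        self.history.insert(0, digest)
        self.password_set = now
        return True

    def password_expired(self, now: datetime) -> bool:
        """Forced password change once the maximum age is exceeded."""
        return self.password_set is None or now - self.password_set > MAX_PASSWORD_AGE

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def login(self, password: str, now: datetime) -> bool:
        """Count failures and lock the account once the threshold is reached."""
        if self.is_locked(now):
            return False
        if self.history and hmac.compare_digest(hash_password(password, self.salt), self.history[0]):
            self.failed_logins = 0
            self.last_activity = now
            return True
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILED_LOGINS:
            self.locked_until = now + LOCKOUT
        return False

    def session_requires_unlock(self, now: datetime) -> bool:
        """Idle-session lock: re-authentication needed after IDLE_LOCK of inactivity."""
        return self.last_activity is None or now - self.last_activity >= IDLE_LOCK
```

The lockout timer and idle timer are both driven by an explicit `now` argument so the behaviour is testable without waiting; a real system would read the clock and would also log every failed login and lockout, since those events are the early signal of someone probing accounts.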
All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment but potentially also a lengthy jail term and a heavy fine.
The tiers of criminal penalties for HIPAA violations are:
- Tier 1: Reasonable cause or no knowledge of violation – up to 1 year in jail
- Tier 2: Obtaining PHI under false pretenses – up to 5 years in jail
- Tier 3: Obtaining PHI for personal gain or with malicious intent – up to 10 years in jail
Educate your workforce on the importance of keeping PHI confidential, using only the information necessary to do their respective jobs, and treating PHI with as much care as they would treat their own.
HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). ANATOMY_IT. can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.