No medical practice or hospital wants to be found noncompliant with HIPAA and be dealt a hefty fine. With HIPAA audits taking place this year, many practices are probably asking themselves: What are the most common HIPAA violations and mistakes made that lead to HIPAA noncompliance and fines?

Lack of Business Associate Agreements: A HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity, such as your medical practice, and the organization or person providing services to your practice. The intention of the BAA is to protect personal health information that may be shared with or seen by both parties while those services are being provided.

Underestimation of ePHI: Another common mistake is that medical practices don’t identify all of the ePHI they create, maintain, receive, or transmit. A medical practice must be aware of every one of these instances, document them in a Security & Risk Analysis, and have a documented risk management policy in place for each.

Healthcare Data Security: The third common mistake is that medical practices lack encryption, lack data transmission security, and use unpatched or unsupported software. All HIPAA-compliant entities must either implement encryption or document why encryption is not reasonable or appropriate in that specific circumstance. Data in transit must be encrypted in order to be HIPAA compliant. Using unpatched or unsupported software creates a security risk for your practice, so patch management technology, which automates the patching process, is encouraged.

Workforce Security: HIPAA compliance doesn’t just mean protecting your practice from outsiders. Staff within your practice should only have appropriate access to personally identifiable information about patients. If staff do not need to see or access certain patient information in order to complete their job functions, their permissions should not grant them access to that data.

Data Management: The improper disposal of ePHI and health data is another common mistake, and it often goes hand in hand with weak data backup and disaster recovery plans. Your practice should have policies and procedures in place to ensure proper and secure disposal processes are used. A related mistake is not sufficiently backing up data and/or not creating a robust contingency plan. Your practice must have plans in place for disaster events and emergency situations, and to protect itself in the event of a ransomware attack.

Which of these five areas do you think your practice needs to improve?