HIPAA violations can go unnoticed for months, even years, before being discovered.

According to Buck’s recent HIPAA Readiness Survey, a jaw-dropping 42% of respondents either (a) didn’t know when their company last performed a risk or threat analysis, or (b) indicated their company last performed an analysis between one and five years ago.

That’s asking for trouble. You don’t know what you don’t know. So, if you’re not orchestrating company-wide risk assessments, you might be violating HIPAA – without even knowing it.

To be HIPAA compliant, you don’t need to be perfect. Perfection is impossible – and the U.S. Department of Health and Human Services knows that breaches will occur. The goal of HIPAA isn’t to eliminate risk, it’s to mitigate risk as much as possible.

Inability to perform enterprise-wide risk analysis

We might as well start with the largest data breach in U.S. history.

In October 2018, Anthem, Inc. agreed to pay $16 million and implement a robust corrective action plan to settle extensive HIPAA violations. Anthem was the target of a series of cyberattacks, which exposed the electronic protected health information (ePHI) of over 78 million people.

One of Anthem’s HIPAA violations was failing to conduct an enterprise-wide risk analysis. To ensure HIPAA compliance, companies must perform recurring comprehensive risk analyses. Otherwise, they risk systemic vulnerabilities falling through the cracks – until the fateful day when a hacker exposes them.

Noncompliant business associate agreements

If your company provides PHI to certain vendors, you must have a HIPAA-compliant business associate agreement in place. Keyword: HIPAA-compliant. Just because you have an agreement with a certain vendor, it doesn’t mean it’s HIPAA-compliant.

In March 2016, North Memorial Health Care settled potential HIPAA violations after (1) failing to implement a business associate agreement with a vendor, and (2) failing to perform an enterprise-wide risk analysis (see, these are common mistakes!). The damage? A $1.55 million payment and a corrective action plan.

To avoid hefty fines, make sure your agreements are HIPAA-compliant.

Disclosing PHI without consent

In April 2016, New York Presbyterian Hospital agreed to settle potential HIPAA violations after disclosing the PHI of two patients to news outlets. In addition to following a corrective action plan, New York Presbyterian Hospital had to pay a $2.2 million fine.

Unauthorized disclosure of PHI is a common HIPAA violation. Handling PHI requires significant care and knowledge of HIPAA privacy rules. That’s why it’s important to mandate recurring HIPAA training for employees, as they should know to obtain written consent before disclosing PHI.

For a detailed list of notable HIPAA violations and penalties over the last few years, check out this link.