Businesses that operate within the medical industry know all too well how important it is to follow all of the rules and guidelines concerning patient information and data. The penalties for HIPAA violations can be severe, ranging from several thousand dollars up to a million dollars or more. 

While some HIPAA violations are obvious, others may be easy to miss. In this article, we’ll take a look at five unexpected HIPAA violations that many small businesses do not know to look out for. 

1) Data Forms on Your Website

Forms on your website that users are able to fill out are a great way to collect data and generate leads. However, form data is typically not encrypted at rest and is also often sent via unencrypted email. If a user enters medical information into one of these forms, it could amount to a HIPAA violation for the website owner. The form doesn’t even have to ask for medical data directly – if a user inputs medical data into a blank textbox on the form the consequences are often the same. 

2) Digital Copiers

Many business owners are unaware that digital copiers store data. If you don’t take the time to secure your copier and/or wipe its data when you go to sell it, you could leave your business vulnerable to a HIPAA violation. 

3) Phishing Emails

All it takes is for one employee in your business to fall prey to a phishing email for your entire network to be exposed. While a breach in security resulting from a phishing scam can constitute a HIPAA violation, you can protect against these breaches by keeping your security software updated, making use of firewalls, and using strong passwords that you change frequently. 

4) Improper Disposal of Records and Hard Drives 

Any record – digital or physical – that contains personal health information (PHI) must be wiped clean and/or destroyed before it can be disposed of. If this information is left in a trash can or left in a folder on an employee’s computer, it could fall into the wrong hands, leading to a very serious HIPAA violation. There are companies that provide hard drive destruction services and it is highly recommended you find a local provider and regularly shred your hard drives. They will actually come to your location and shred the drives in your presence and then give you a certificate of destruction.

5) Loss or Theft of Devices

If a device containing PHI is lost or stolen, it could result in a stiff HIPAA violation for the business responsible for the device. This means that it is essential to encrypt all devices that store PHI and train your employees to report the loss or theft of their business devices immediately. It’s also important to train your employees not to use unencrypted personal devices for business purposes. 

Conclusion

HIPAA violations can be a major blow for businesses, and they are often times difficult to protect against. If you would like to learn more about how we can help shield your business from HIPAA violations through strong, effective security, we invite you to contact us today. 

Boring Business Systems is an I.T. Support and Managed Services Provider serving the greater Tampa and Lakeland area. In addition to network support and desktop support, Boring also specializes in cybersecurity and works with many companies that are subject to HIPAA compliance.