Being HIPAA compliant is mandatory for our Healthcare sector. However, there are still many instances of violations on a daily basis that employees, managers and CEOs alike…
Healthcare providers face heavy fines if they violate HIPAA regulations, but it still happens all too often. In many cases, these violations don’t arise from malice, but instead, poor understanding of the regulations on the part of the staff or administration of the health care center. Fortunately, this makes it so that better training will correct many of the problems.
Focusing your attention on the most common types of violations will allow you to see a big improvement from a relatively small investment of money and time. To help you zero in on them, we present the 10 most common HIPAA violations:
1. Failing to provide patient records on a timely basis
Patients have the right to electronic copies of their records, but employees who are used to the old, more restrictive release policies may fail to deliver them or take their time in doing so. Remind staff of the new rules and ensure that requests are handled within legal time limits. Improve the facility’s record keeping organization if there is a problem simply finding the records in time.
2. Failing to honor the expiration date on records
Patients are able to specify dates after which records cannot be released. All too often, these dates are ignored and records go out past this time.
3. Releasing information to the wrong people
A patient can designate who is allowed to see his or her records. Laxity in matching up requesters with authorized recipients results in violations.
4. Releasing too much or the wrong information
Another aspect of records that is under the patient’s control is which information can be released. Employees who respond to all requests by sending out the entire file will fall afoul of this part of HIPAA.
In this case, the snooping is done by those considered “insiders”: Office staff who shouldn’t have access to the records, nosy family members, romantic partners, friends, and others may all try to get a look at records they shouldn’t be seeing. Password protection, clearance levels, and other such measures can help prevent snooping when properly implemented, but it’s also important to take some more basic measures. Operational sloppiness can result in records being left on desks or counters right in the open, and when that happens, all it takes to snoop is to look down.
6. Sending out the wrong patient’s information
This happens by mistake rather than policy, but it still must be prevented. Ensure that your records department uses multiple identifiers for each patient so that things like duplicated names don’t lead to such errors. Your system should be able to tell each and every John Smith in your database apart from all of the other ones.
7. Unsigned Forms
HIPAA forms must be signed in order to be valid. Make sure each patient signs their form!
8. Incomplete paperwork
All HIPAA forms must be accompanied by a signed section or paper notifying patients of their right to revoke their HIPAA authorization. Without this part, the entire authorization is invalid.
9. Unprotected electronic data storage
The plethora of devices available today makes it easy to run afoul of this part of the regulations. Be sure that all data storage devices – including phones and tablets – properly encrypt and otherwise protect their stored information. Also, be sure that devices do not transmit “in the clear” when it’s time to send files out.
10. Improper record disposal
Nearly every healthcare organization eventually needs to get rid of some patient records. Be sure that all targeted paper records are shredded, and that all unwanted electronic data is sufficiently wiped.
Many of these problems can be prevented by thoroughly training staff in how to comply with HIPAA and then strictly enforcing policies to make sure the training is followed. Even so, it is important to remember that while things like outright hacking are uncommon, they are responsible for some of the biggest HIPAA-related data breaches. Therefore, excellent data security should never be forgotten.