Another 10 Common HIPAA Violations to Look Out For

Jack Berberian

Being HIPAA compliant is mandatory for the healthcare sector. Even so, violations happen daily, and employees, managers and CEOs alike are often unaware of them. We’ve collected another ten common violations so that you can guard against them.

1. Employees illegally accessing patient files:

Employees accessing patient information without authorization is one of the most common HIPAA violations. The reasons range from curiosity to spite to doing a favor for friends or family. Regardless of the motive, the practice is illegal and can cost the employee as well as the practice: workforce members who use or sell protected health information (PHI) for their own gain can be subject to fines and even prison time. Because a curious employee has valid credentials, access controls alone will not stop this; every chart access should be logged and the log reviewed for accesses that have no treatment reason behind them.
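The following Python is an added example, not code from the original article or from any EHR vendor, of the kind of audit-log review that catches the snooping described above. It assumes a hypothetical EHR that writes one line per chart access in the form `<timestamp> user=<id> role=<role> mrn=<patient id> action=<view|edit|print>`, plus a care-team roster that records which workforce members have a treatment relationship with each patient. The log lines, roster, role names and clinic hours are all constructed for the example.

```python
"""Flag chart accesses that need a human follow-up (added example).

Three rules are applied to each access event:
  1. the user has no treatment relationship with the patient (and is not in
     a role, such as health information management, that may open any chart),
  2. the user opened their own record (staff who are also patients),
  3. the access happened outside clinic hours.
A finding is a reason for a privacy officer to ask, not proof of a violation.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed roster: MRN -> user ids with a documented treatment relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "MRN1001": {"dr.patel", "rn.lopez"},
    "MRN1002": {"dr.kim"},
    "MRN1003": {"dr.patel", "rn.chen"},
}

# Constructed: workforce members who are also patients of the practice.
STAFF_PATIENTS: Dict[str, str] = {"rn.lopez": "MRN1002"}

# Assumed roles whose job legitimately touches every chart.
EXEMPT_ROLES: Set[str] = {"him"}

# Assumed clinic hours; accesses outside them are flagged as low priority.
BUSINESS_HOURS: Tuple[time, time] = (time(7, 0), time(19, 0))

# Constructed sample audit log (hypothetical EHR format, see module docstring).
AUDIT_LOG = """\
2017-03-02T09:15:01 user=dr.patel role=physician mrn=MRN1001 action=view
2017-03-02T09:20:44 user=rn.lopez role=nurse mrn=MRN1002 action=view
2017-03-02T10:05:12 user=rn.chen role=nurse mrn=MRN1001 action=print
2017-03-02T10:07:30 user=him.ross role=him mrn=MRN1001 action=view
2017-03-02T23:41:09 user=dr.kim role=physician mrn=MRN1002 action=edit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"mrn=(?P<mrn>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    mrn: str
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the assumed log format; an unparseable line is an error, not a skip."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unparseable audit line: {raw!r}")
        events.append(
            AccessEvent(datetime.fromisoformat(m["ts"]), m["user"],
                        m["role"], m["mrn"], m["action"])
        )
    return events


def review(events: List[AccessEvent],
           care_team: Dict[str, Set[str]] = CARE_TEAM,
           staff_patients: Dict[str, str] = STAFF_PATIENTS,
           exempt_roles: Set[str] = EXEMPT_ROLES) -> List[Tuple[AccessEvent, List[str]]]:
    """Return (event, reasons) for every access that at least one rule flags."""
    findings = []
    start, end = BUSINESS_HOURS
    for ev in events:
        reasons = []
        if ev.role not in exempt_roles and ev.user not in care_team.get(ev.mrn, set()):
            reasons.append("no treatment relationship")
        if staff_patients.get(ev.user) == ev.mrn:
            reasons.append("self-access")
        if not (start <= ev.ts.time() < end):
            reasons.append("outside business hours")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in review(parse_log(AUDIT_LOG)):
        print(f"{ev.ts.isoformat()} {ev.user} {ev.action} {ev.mrn}: {', '.join(reasons)}")
```

Run against the sample log, the review flags the nurse printing a chart she is not assigned to, the nurse who opened her own record, and a physician editing a chart at 23:41; the physician on the care team at 09:15 and the records clerk in the exempt role are not flagged. The roster is the weak point of this approach: if care-team assignments are stale, legitimate accesses show up as findings and real snooping hides in the noise, so keep the roster fed from the scheduling system rather than maintained by hand.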

2. Texting patient information:

When vital signs or test results are needed immediately, texting is something many turn to: it’s fast, easy and cuts down on wasted time. That convenience for nurses and doctors, though, is also convenience for a criminal. A standard text message is not encrypted in transit, copies of it sit with the carrier and on both handsets, and a lost, stolen or unlocked phone exposes every message stored on it, which can mean a great deal of patient information being leaked. Secure messaging apps that encrypt messages end to end make it possible to text confidential information safely, but they are comparatively bothersome: both parties must have the app installed and enrolled on their device, and that’s not usually the case.

3. Employees disclosing information:

When the work day is slow, most employees talk. Work, life, patients… all are topics that come up as a way to pass the time.
Sadly, the last is a HIPAA violation which can incur significant fines for a practice. Employees need to be aware of who is within earshot and restrict conversations about patients to private areas. It’s also important to impress upon them not to share patient information with friends or family.

4. Lack of training:

One of the most often overlooked causes of a HIPAA violation is an employee who was never sufficiently trained on HIPAA regulations. Many practices train only managers, administrators and medical staff, although HIPAA requires training for every member of the workforce. Volunteers and interns require the same training if they are able to access patient information. Making the same training available to everyone is the easiest and most proactive step you can take to avoid violations in the future.

5. Social media:

With the advent of social media, it seems that everyone has something to post online. And post they do: pictures of the office, what they’re working on today, nothing is safe from going up on an employee’s account. Some will even post patient photos or other data. This is a glaring HIPAA violation. It might seem harmless so long as the name isn’t mentioned, but it doesn’t take much to put the pieces together. With only a few hops of acquaintance, it’s very easy for the following to happen:

  • Alice sees the picture online, and knows the person
  • Alice recognizes that the poster works at X Labs
  • Alice takes to Google and finds out that X Labs specializes in XYZ illness
  • Alice now knows that the patient has or might have XYZ illness

Make sure that all of your employees are aware that using social media to share any form of patient information is a violation that can result in fines and, for knowing misuse, criminal charges.

6. Social breaches:

In smaller towns and more rural areas, it’s very easy for an accidental breach of patient information to occur. A friend runs into their healthcare provider or clinician outside of the office and asks about a mutual friend who is also a patient. Most people aren’t aware of HIPAA, and so they don’t realize they are asking their friend to break the law. These inquiries happen often, so it’s best to have responses planned well in advance to avoid accidentally releasing private information.

7. Authorization requirements:

Written authorization from the patient is required before PHI is used or disclosed for any purpose other than treatment, payment, healthcare operations, or a use the Privacy Rule otherwise permits or requires. Note that HIPAA calls this an authorization, not a consent, and it must be in writing. It’s best to impress upon your employees “when in doubt, get prior authorization.”

8. Medical records mishandling:

Another common HIPAA violation is the mishandling of patient records. Consider a practice that uses written patient charts. A nurse or physician accidentally leaves a chart in an exam room with the wrong patient, and that patient is now able to view someone else’s confidential information. Charts and records must be kept out of public view and locked away whenever they are unattended.

9. Lost or stolen devices:

Mobile devices make it much simpler to access patient files while away from the office. They let doctors consult on patient files even when they travel, and make transmitting data easier as well.
Unfortunately, laptops, smartphones and tablets are easily lost or stolen. Safeguards should be in place before the device ever leaves the building: a passcode or PIN on the device, full-device encryption, and the ability to wipe it remotely. Encryption is the safeguard that matters most, because under the HIPAA Breach Notification Rule the loss of a device whose PHI is encrypted to the HHS guidance is not a reportable breach, whereas the loss of an unencrypted one is.

10. Accessing patient information on home computers:

Our world constantly pushes the idea that employees need to be on call 24/7, that there is never a time when you’re allowed to be ‘away’ from work. Unfortunately for doctors and clinicians, this is closer to the truth than many would like to admit.
This leads many to use their home computers or laptops after hours to access patient information to ‘record a quick note’ or ‘go over a file just one more time.’ This becomes a HIPAA violation if the session is left logged in and a family member or friend uses the computer, or if a copy of the file stays behind on a shared, unencrypted machine. Patient information should be reached through the practice’s own remote access system rather than copied onto a personal computer, and the session locked the moment the user steps away.

Being HIPAA compliant is never easy; in fact it’s fair to say it’s difficult and time-consuming. However, by warning your employees about these ten potential violations and setting up rules, you can cut down on violations. By regularly enforcing those rules at all levels, you show your employees that violations will not be tolerated, and the number of problems will wane. We hope that this list has been helpful for you, and that you can use it to protect your company.


If you have any questions for us regarding HIPAA compliance, please contact us today.

