HIPAA violations occur every day. The best way to deal with HIPAA violations is to prevent them from occurring in the first place. HIPAA laws are complex and subject to continuous change. The best defense is a good offense, and in today’s medical environment there are no excuses for untrained personnel and careless mistakes.
Some of the more common HIPAA violations are:
All patient and PHI (Protected Health Information) related records must be kept in a protected environment, such as a locked desk, filing cabinet or office. Digital records must be protected by password controls and, ideally, strong encryption. Patient data should never be left on desks overnight or in unsecured locations. Most HIPAA violations fall into this category.
All staff who handle ePHI or HIPAA materials should be properly trained on the requirements and regulations that govern their particular practice. Even IT personnel should have training, as they are usually able to access PHI in the course of their daily IT duties. Training is not optional; it is part of the HIPAA laws. One cannot plead ignorance of the law in the event of a violation.
Talk around the water cooler is natural in most offices, but the topics cannot stray into PHI about patients, no matter how tantalizing it is. Medical information should only be discussed in a professional setting related to treatment or official matters regarding the patient. Gossiping about a patient’s condition is one of the primary reasons that HIPAA laws exist. Many celebrities and public figures had their private medical data leaked, and in the days before HIPAA there were no penalties in place beyond direct civil legal action.
Just Google “Medical Records Hacked” and you’ll find thousands of stories of hackers stealing medical records and selling them on the dark web. That Post-it note with your login to the EMR is enough to effectively bankrupt the entire practice. Practicing strong IT discipline and enforcing complex passwords helps keep the front door to your records closed. There are still ways to get at medical information through bugs and attacks, but the first line of defense is at the individual employee’s desk. See the HHS Cyber Policy guidance for more information.
One of the more important guidelines of HIPAA is the proper disposal and removal of PHI. Anything containing Social Security numbers, medical diagnoses or treatments must be shredded, destroyed and wiped from hard drives and removable media. Even the iPads used for patient sign-in contain PHI and must be properly disposed of. Old computer equipment should not be sold or upgraded without properly wiping all hard drives and removable media. Even if a computer is broken, its hard drive may still contain PHI, and if that falls into the wrong hands it can cost millions in fines.
Again, discussion of a patient’s treatment should only take place between the doctor, staff, billing departments and the patient. Accidental disclosure, such as an employee faxing records to the wrong office, is not treated as an accident in the eyes of the law and is as damaging as a purposeful release. Ensuring that the recipient has a need to know, and double-checking fax numbers and email addresses, keeps a patient’s PHI from ending up in the wrong hands.
In summary, PHI and HIPAA regulations are clear in all guidance. There is no grey area when it comes to HIPAA. Making sure your staff (including IT staff) is trained and enforcing strong oversight of your practice’s compliance are critical to staying on the right side of the law.