Most Common HIPAA Violations and How to Avoid Them

HIPAA violations are a daily occurrence, making it crucial to proactively prevent them from happening. Due to the complexity and ever-evolving nature of HIPAA laws, a proactive approach is essential. In the current medical landscape, there is no room for untrained staff or negligent errors, as healthcare providers bear the responsibility of maintaining a strong defense against HIPAA violations.

HIPAA violations occur every day. The best way to avoid HIPAA violations is for them not to occur in the first place. HIPAA laws are complex and they are subject to continuous change. The best defense is a good offense, and in today’s medical environment there are no excuses for untrained personnel and careless mistakes.

Some of the more common HIPAA violations are:

  • Maintaining unsecured records.
    All patient and PHI (Protected Health Information) related records must be kept in a protected environment: a locked desk, filing cabinet, or office. Digital records must be protected by password controls and, ideally, strong encryption. Patient data should never be left on desks overnight or in unsecured locations. Most HIPAA violations fall into this category.

  • Lack of employee training.
    All staff who handle ePHI or HIPAA materials should be properly trained on the requirements and regulations that govern their particular practice. Even IT personnel should have training, as they are usually able to access PHI in their daily IT duties. Training is not optional; it is a part of the HIPAA laws. One cannot plead ignorance of the law in the event of a violation.

  • Gossiping and/or sharing information.
    Talk around the water cooler is natural in most offices, but the topics cannot stray into PHI about patients, no matter how tantalizing it is. Medical information should only be discussed in a professional setting related to treatment or official matters regarding the patient. Gossiping about a patient’s condition is one of the primary reasons that HIPAA laws exist. Many celebrities and public figures had their private medical data leaked, and in the days before HIPAA there were no penalties in place beyond direct civil legal action.

  • Hacking.
    Just Google “Medical Records Hacked” and you’ll find thousands of stories of hackers stealing medical records and selling them on the dark web. That post-it note with your login to the EMR is enough to effectively bankrupt the entire practice. Practicing strong IT discipline and enforcing complex passwords will ensure that the front door to your records remains unbreached. There are still ways to get at medical information through software vulnerabilities and attacks, but the first line of defense is at the individual employee’s desk. See the HHS Cyber Policy guidance for more information.

  • Improper disposal of health records.
    One of the more important guidelines of HIPAA is the proper disposal and removal of PHI. Anything containing Social Security numbers, medical diagnoses, or treatments must be shredded, destroyed, and wiped from hard drives and removable media. Even the iPads that are used for patient sign-in contain PHI and must be properly disposed of. Old computer equipment should not be sold or upgraded without properly wiping all hard drives and removable media. Even if a computer is broken, the hard drive may still contain PHI, and if it falls into the wrong hands it can cost millions in fines.

  • Third-party disclosure.
    Again, discussion of a patient's treatment should only be between the doctor, staff and billing departments, and the patient. Accidental disclosure, such as an employee faxing the records to the wrong office, is not treated as an accident in the eyes of the law and is as damaging as a purposeful release. Ensuring that the recipient has a need to know and double-checking fax numbers and email addresses ensures that a patient's PHI does not end up in the wrong hands.

In summary, PHI and HIPAA regulations are clear in all guidance. There is no grey area when it comes to HIPAA. Making sure your staff is trained (including IT staff) and enforcing strong oversight of your practice’s compliance is critical to ensuring you stay on the right side of the law.