HIPAA, the law that protects protected health information (PHI), is well known to healthcare personnel and staff in most clinics, hospitals, and physicians’ offices. However, questions about HIPAA’s rules and regulations are common. Healthcare providers that are not up to date with changes in the law risk violations that will not only damage their practice’s reputation but could also lead to civil and criminal fines.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to set standards for the security, confidentiality, and transmission of personal health information. Under the HIPAA Privacy Rule, healthcare providers are required to protect personal health information and keep it confidential. HIPAA also has very specific rules, limits, and conditions on the use and disclosure of information without the patient’s consent. The Rule also gives patients a right to their health information, including the ability to obtain a copy of their medical records and to request corrections.
HIPAA also provides exceptions to these rules where they would otherwise hinder the delivery of quality healthcare. One example is two physicians discussing a patient whom both are treating. Other situations, such as peer-review activities or disclosures that health plans require to resolve billing issues, are also exempt.
The Department of Health and Human Services defines Covered Entities as health plans, healthcare providers, and healthcare clearinghouses, which include hospitals, dentists, chiropractors, physicians, optometrists, schools, NGOs that offer healthcare services, and government agencies. However, the parties affected by HIPAA do not end there. Any Business Associate of a Covered Entity with access to PHI (Protected Health Information) must also comply with HIPAA.
HIPAA violations can have serious consequences. A violation can result in a fine to a practice ranging from $100 to $1.7 million. Healthcare providers also risk losing their license if they violate HIPAA. It is easy to violate HIPAA if rules and regulations are not followed correctly. The common reasons a healthcare provider might violate HIPAA are well known, and these situations can be avoided by adopting best practices to stay HIPAA compliant.
Here are some of the most common reasons for HIPAA violations.
Employees may gossip and talk about patients with coworkers or friends, but this is a HIPAA violation that can cost a practice a large fine. Employees need to be trained to be very careful about what they say when discussing a patient and to be mindful of their surroundings. Conversations about patients must be restricted to private places, and sharing any kind of patient information with friends and family must be avoided.
Mishandling of Medical Records
It is easy to commit a violation by mishandling a patient’s records. If a practice uses paper charts and reports, a nurse or physician can accidentally leave these files in the exam room, where the next patient can see them. Printed medical records have to be kept under lock and key, safely out of reach of unauthorized people.
Stolen and Lost Devices
Theft of PHI through stolen or lost devices such as desktops, smartphones, laptops, and other devices that contain patient information results in a HIPAA violation. Mobile devices are especially vulnerable to theft because of their small size; therefore, it is imperative to protect them with a password and encryption so that both are required before any patient-specific information can be accessed.
Texting Patient Information
Texting patient information such as test results, vital signs, and other important data is an extremely easy and convenient way for providers to share information quickly. It may seem harmless, but it can place patient data in the hands of cybercriminals who could access and misuse it. There are encryption programs that allow confidential information to be texted securely, but both parties have to install them on their wireless devices. This is typically not the case; therefore, it is best to avoid texting PHI.
Misusing Social Media
Posting patient pictures on social media is a direct HIPAA violation. It may look harmless, especially when no name is mentioned, but someone may recognize the patient or know the doctor’s specialty. This can result in a breach of the patient’s privacy. It is important to ensure all employees are aware that posting images of a patient on social media is a HIPAA violation with serious consequences and potential fines.
Unauthorized Access to Patient Files
Unauthorized employees accessing patient information is a common HIPAA violation. Whether they do it out of spite, curiosity, or as a favor for a friend or relative, it is illegal and can cost a practice its license. Individuals who sell or use PHI for personal gain can be subject to large fines and prison.
In small rural areas, accidental breaches of patient information are common in social situations. Most patients are not aware of HIPAA laws and may innocently ask their healthcare providers, in a social setting, about a friend or relative who is a patient. Because these inquiries happen often, it is best to plan a response in advance to handle the situation and avoid releasing private patient information.
Written consent is needed for any use or disclosure of an individual’s personal health information that is not for payment, treatment, or healthcare operations, or otherwise allowed by the Privacy Rule. If an employee is not sure, it is better to get written consent and prior authorization before releasing any type of patient information.
Accessing PHI On Home Computers
Most healthcare providers and clinicians use their home computers or laptops after working hours to access patient information, record notes, or maintain follow-ups. This can result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer. It is important to ensure that your laptop or computer is password protected and that mobile phones with patient information are kept out of reach of unauthorized people. This reduces the risk of patient information being accessed or stolen.
Lack of Training
The privacy and security of patient health information need to be a priority for all healthcare providers and medical professionals. It is important to ensure your materials are updated with the latest HIPAA laws and information, and that you conduct annual HIPAA training to avoid potential violations. Most HIPAA violations can be easily prevented by implementing HIPAA regulations into practice policies and SOPs and by making sure that all individuals with access to patient information have the proper training.
Lack of training is one of the most common reasons for HIPAA violations. When an employee is not familiar with HIPAA regulations, violations are likely. In healthcare organizations, often only managers, medical staff, and administration receive training, even though HIPAA requires all employees, volunteers, interns, and anyone else who can access patient information to be trained. Compliance training is one of the most proactive steps a practice can take to avoid HIPAA violations.
Communication is an important aspect of healthcare service, and most HIPAA violations can take place through it. A healthcare provider can use telemedicine to make communication and access to patient health information easy and secure. Hucu is a fully HIPAA compliant, free text messaging application that healthcare providers can use within their facilities and implement in their daily processes. Through Hucu, healthcare providers can access PHI safely, as it requires password-protected authorization. To learn more about how Hucu can help you avoid HIPAA violations, read how it works.