5 Surprising HIPAA Law Violations That You’re Probably Committing

HIPAA law violations occur under several circumstances, some of which are committed unknowingly. The following are five common HIPAA law violations that many healthcare workers may find surprising:

  1. Using your personal email account for PHI
  2. Leaving your computer screen unlocked or paperwork unattended
  3. Sharing patient details with an unauthorized individual
  4. Using removable storage devices
  5. Inadequate password management

Using your personal email account for PHI

Although it may be convenient to forward a patient’s protected health information (PHI) to your personal email account, this is considered a HIPAA law violation. Employees of covered entities (CEs) will, in many circumstances, forward patient PHI to their personal email account to catch up on paperwork. However, this is not permitted under the HIPAA regulation. Additionally, paper records are not permitted to be removed from your office space. For employees that work remotely, employers may set up remote access to work servers; however, employees are not permitted to save any patient information to their personal devices.

Leaving your computer screen unlocked or paperwork unattended

Many hospitals utilize computers on wheels (COWs) or workstations on wheels (WOWs). However, if you walk away from a COW or WOW without first logging out, this is a HIPAA law violation. Unlocked devices pose a huge threat to patient PHI, as anyone who walks by the device has the ability to read the sensitive information displayed on it. The same goes for paper records: it is not permitted to leave them unattended. Paper records should be stored in locked rooms or filing cabinets.

Sharing patient details with an unauthorized individual

Accidental disclosures of PHI are common. They may occur by disclosing PHI to someone claiming to be an authorized family member. This can happen over the phone or in person. Before disclosing a patient’s PHI, there must be written consent from either the patient or their designated representative.

Using removable storage devices

Removable storage devices are risky for anyone who works with sensitive information. Devices such as USB drives can be easily lost or stolen. In addition, removing laptops or tablets from your organization’s physical site puts patient PHI at risk. Portable devices should never be removed from your organization’s physical site unless they are encrypted.

Inadequate password management

Many of us are guilty of using the same password for multiple accounts. Although this makes it easier to remember your login information, it is ill-advised. When you use the same login information for personal and work accounts, you are highly susceptible to breaches. Personal accounts and devices usually lack the advanced security tools that our work accounts have. Easy-to-breach personal accounts that share login credentials with your work account can give hackers access to your sensitive patient data. Even writing down your login information and keeping it in your desk, or sharing login information with colleagues, can cause a breach.

It is your obligation as a healthcare entity to protect your patients’ PHI with strong passwords. Organizations that fail to implement secure passwords are likely to experience a healthcare breach and a subsequent HIPAA law violation.

Preventing HIPAA Law Violations

These common HIPAA violations can be avoided with clear organizational policies and procedures, coupled with employee training. There should be written policies and procedures surrounding the proper use and disclosure of PHI. These must be written for your specific organization to ensure that they apply to your business processes. Policies and procedures are required to be reviewed and updated annually to account for any changes in your business. Lastly, all employees in your organization must be trained annually on your policies and procedures, as well as on HIPAA requirements.