Responding to Online Patient Reviews
It may seem harmless to respond to an online patient review, but it may not be a good idea. Believe it or not, several healthcare practices have been fined for improperly responding to patient reviews.
Confirming in any way that someone is a patient is a violation. A simple “Thank you for your review” or “Please call our office” is the best response. Acknowledging a complaint with “I’m sorry to hear…” confirms that the patient did come in and is considered a violation.
Leaving Portable Electronic Devices Unattended
Leaving a portable electronic device (laptop, mobile phone, tablet, etc.) unattended is never a good idea. When the device has access to patient information, it can cause a violation if the device is accessed inappropriately or stolen.
There was a reported violation where a healthcare worker allowed their child to use their work laptop while on vacation. The child took the laptop to the pool, and it was stolen. The laptop was unencrypted and had access to patient information. The incident caused a breach.
Failing to Respond to Patient Record Requests
Under HIPAA, patients have the right to request copies of their medical records. Your staff will often be managing these requests. All staff members must be aware of how to respond to these requests.
You have thirty days to meet a patient’s request for their medical records.
Staff failing to meet HIPAA right of access requirements was the top reason behind healthcare practice fines in 2022.
Improperly Disposing of Patient Medical Records
Improper disposal of medical records has caused multiple HIPAA violations. Doctors’ offices have left boxes of medical records on the side of the road or dumped them in public dumpsters, causing breaches. Properly disposing of medical records is a vital part of HIPAA compliance. Paper patient records should always be shredded before disposal, and electronic records should be wiped from devices before disposal.
Failing to Report Breaches to the Compliance Officer
Reporting breaches to the concerned parties in a timely manner is part of HIPAA compliance. Your practice should have a dedicated Compliance Officer to oversee your HIPAA program. This individual is responsible for determining whether an incident is reportable to the Department of Health and Human Services.
Many of the mistakes we have discussed are reportable incidents or could lead to them. These incidents, or “breaches,” can lead to HIPAA fines, especially if they are not reported promptly.
Not Following the Practice’s HIPAA Policies and Procedures
The common HIPAA mistakes discussed above can easily be avoided with HIPAA policies and procedures. Policies and procedures provide guidelines for staff on how to meet HIPAA requirements. For your policies and procedures to be effective, the guidelines you give staff should be specific to your practice.
Not Paying Attention to HIPAA Training
Annual HIPAA training must provide a comprehensive overview of HIPAA and your practice’s policies and procedures. Once employees have completed their training, it is essential to have them sign an attestation that they understand the material and will follow its guidelines.
While training employees on HIPAA is valuable, there are some questions to ask to determine whether the training is effective:
- Do employees understand what is expected of them?
- Is their knowledge tested?
- Are they retrained when appropriate?
You can handle staff HIPAA training in many ways, but an online platform, such as The Guard, is the best and most effective way to train employees.