- Sharing login credentials with a coworker
- Improperly accessing medical charts
- Sharing patient information on social media
- Responding to online patient reviews
- Leaving portable electronic devices unattended
- Failing to respond to patient record requests
- Improperly disposing of patient medical records
- Failing to report breaches to the compliance officer
- Not following the practice’s HIPAA policies and procedures
- Not paying attention to HIPAA training
Sharing Login Credentials with a Coworker
Login credentials should always be kept private, especially at work. Healthcare employees must each be given unique login credentials. When workers have their own usernames and password to enter systems that have access to patient information, it is easier to track when someone misuses them.
Improperly Accessing Medical Charts
Tying into those employee login credentials, all employees do not need access to the same patient information. System administrators should give employees the necessary access levels to perform their job functions, but not more. A large portion of HIPAA violations occur from employees accessing information that they shouldn’t.
Sharing Patient Information on Social Media
Social media has infiltrated every aspect of our lives, including the workplace. This can pose a considerable risk when healthcare workers are posting from work. Employees should be discouraged from taking photos or videos at work, particularly in areas where patient information may be visible. Even patient information in the background of an image can cause a violation.
It is important to note that your practice can use social media or a website to promote your business. Remember to receive signed patient consent before sharing any of their information.
Responding to Online Patient Reviews
It may seem harmless to respond to an online patient review, but it may not be a good idea. Believe it or not, several healthcare practices have been fined for improperly responding to patient reviews.
Confirming a patient is a patient in any way is a violation. A simple “Thank you for your review” or “Please call our office” are the best responses. Acknowledging a complaint with ”I’m sorry to hear…” confirms the patient did come in and is considered a violation.
Leaving Portable Electronic Devices Unattended
Leaving a portable electronic device (laptop, mobile phone, tablet, etc.) unattended is never a good idea. But, when the device has access to patient information, it can cause a violation if the device is accessed inappropriately or stolen.
There was a reported violation where a healthcare worker allowed their child to use their work laptop while on vacation. The child took the laptop to the pool, and it was stolen. The laptop was unencrypted and had access to patient information. The incident caused a breach.
Failing to Respond to Patient Record Requests
Under HIPAA, patients have the right to request copies of their medical records. Your staff will often be managing these requests. All staff members must be aware of how to respond to these requests.
You have thirty days to meet a patient’s request for their medical records.
Staff failing to meet HIPAA right of access requirements was the top reason behind healthcare practice fines in 2022.
Improperly Disposing of Patient Medical Records
Improper disposal of medical records has caused multiple HIPAA violations. Doctor offices have left boxes of medical records on the side of the road or dumped them in public dumpsters, causing breaches. Properly disposing of medical records is a vital part of HIPAA compliance. Paper patient records should always be shredded before disposal, and electronic records should be wiped from devices before disposal.
Failing to Report Breaches to the Compliance Officer
Reporting breaches in a timely manner, to concerned parties, is part of HIPAA compliance. Your practice should have a dedicated Compliance Officer to oversee your HIPAA program. This individual is responsible for determining whether an incident is reportable to the Department of Health and Human Services.
Much of what we have discussed are reportable incidents or could lead to them. These incidents or “breaches” can lead to HIPAA fines, especially if they are not reported promptly.
Not Following the Practice’s HIPAA Policies and Procedures
The common HIPAA mistakes discussed can easily be avoided with HIPAA policies and procedures. Policies and procedures provide guidelines for staff on how to meet HIPAA requirements. For your policies and procedures to be effective, you should provide staff guidelines specific to your practice.
Not Paying Attention to HIPAA Training
Annual HIPAA training must provide a comprehensive overview of HIPAA and your practice’s policies and procedures. Once employees have completed their training, it is essential to have them sign an attestation that they understand the material and will follow its guidelines.
While training employees on HIPAA is great, there are some questions to ask to determine if it is effective.
- Do employees understand what is expected of them?
- Is their knowledge tested?
- Are they retrained when appropriate?
You can handle staff HIPAA training in many ways, but an online platform, such as The Guard, is the best and most effective way to train employees.