Preventing HIPAA Violations

Whether you’re opening a new medical practice, or starting a business to serve providers, preventing HIPAA violations is likely the last thing on your mind. Even when you make the effort to comply with HIPAA’s requirements for Privacy, Security and Breach Notification, data breaches can still occur.

As news reports of ransomware, cybercrime and hacking increase, it is very easy to forget that the overwhelming majority of breaches are the result of employee mistakes or misunderstandings. That means regular HIPAA training becomes crucial to minimizing the risk of breaches. 

Preventing HIPAA Violations Is Everyone’s Job

Just over 20 percent of all breaches occur as a result of security failures, technical issues or cybercriminals. The rest are administrative, which is the area where employees interact with protected health information (PHI). Regular and effective employee training is the best way to address this potential blind spot. HIPAA requires annual refresher training as part of an effective compliance program, but informal training throughout the year reinforces your commitment to keeping PHI safe.

The goal should be to create a culture where employees understand that they are responsible for HIPAA compliance and are empowered with the necessary knowledge to comply. A data breach caused by a HIPAA violation damages your organization’s reputation in the community you serve. Patients may doubt whether you really care about their privacy. There is also the potential for significant fines from seemingly minor violations of HIPAA rules.

Whether you’re an employer or an employee, examine the common ways listed below that can help prevent HIPAA violations and protect your organization from the effects of a possible breach.


The Employee’s Guide to Preventing HIPAA Violations

Here are nine important steps to prevent HIPAA violations in your organization.

1. Don’t Leave Documents or Devices Unattended

Healthcare employees have careers that can be both rewarding and challenging, often at the same time. In the whirl of activity on a regular day, it’s easy to get distracted and step away from a computer or a file containing patient PHI. Remember that leaving PHI unattended on a computer monitor or in a paper file where unauthorized people can view it or pick it up is a potential violation of HIPAA rules. If someone such as a patient, or even another employee not authorized to view the information, did so, that would be a reportable breach.

Portable devices like laptops or smartphones raise additional concerns. If such a device containing PHI is lost or stolen and is not encrypted, it is a reportable breach. If the investigation determines that the device was left unattended or was handled in a negligent manner, that is a HIPAA violation and financial penalties can be assessed.

2. Don’t Share Login Credentials or Disclose Passwords

Every employee in an organization should have a unique login ID. These credentials are designed to allow sensitive information, such as ePHI, to be accessed in a way that is transparent and trackable. These credentials should never be written down or shared with anyone. If someone uses your credentials to access information inappropriately, you may have just put your own career at risk.

3. Never Dispose of PHI in an Inappropriate Manner

While technological advances have reduced the volume of paper records, those that remain must be handled in a secure manner. Most organizations have strict procedures for disposing of PHI in a HIPAA-compliant manner that leaves it unreadable and impossible to restore. Always dispose of papers containing PHI appropriately.

4. Never Text Patient Information

In the United States, smartphone users send and receive five times more texts than they make and receive calls. Texting is commonplace, whether using SMS messaging, Facebook Messenger or another service. The problem is that none of the common messaging services can protect your information well enough to prevent the accidental unauthorized disclosure of ePHI.

There are secure platforms appropriate for sending healthcare information via text. If you choose to use one of them, be certain that you have a signed Business Associate Agreement with the service provider before you begin transmitting ePHI. Failing to do so is a HIPAA violation.

5. Never Share ePHI on Social Media

Some things should be very obvious. Posting information about a patient on any social media platform is a clear HIPAA violation, unless you have signed consent from the patient. This would even include taking a picture of a friend or family member and posting it online.

Even if no patients are in the picture, double-check it before you post. Are patient records visible? Could someone read PHI that might be visible in the photo? Today’s smartphone cameras have incredible resolution, so what may have been a smudge on a file a few years ago could be a clearly readable HIPAA violation. Incidents such as these have cost well-meaning employees their jobs, and resulted in shockingly high fines for the providers.

6. Don’t Access Patient Records Out of Curiosity

HIPAA’s rules regarding patient privacy are absolutely clear. Patient records should only be viewed as required for treatment, payment, or healthcare operations. Even under those conditions, they should only be viewed by the person directly responsible for their use (such as the person administering treatment, or the billing clerk preparing a statement).

The HIPAA Security Rule requires that access logs be maintained and reviewed as a way of identifying inappropriate access to patient ePHI. The large volume of violations identified through the years demonstrates that privacy violations from casually snooping through files will eventually be discovered. When it occurs, the old axiom “curiosity killed the cat” can just as easily become “curiosity killed your career.”

If an employee is terminated for violating patient privacy in this manner, they could also face criminal penalties. Furthermore, there is little chance of being hired at another healthcare organization. No tidbit of information is worth that.

7. Never Access Your Own Medical Records Using Your Login

This may seem like a silly rule, but it is grounded in the HIPAA Security Rule. The same policies that cover patient access to medical records also apply if the patient is a member of staff. Employees do not have the right to access their medical records using their login credentials.
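As an added illustration (not from this article, and not Compliancy Group’s code), this is the kind of access-log review that item 6 says the Security Rule requires, extended to the self-access case in item 7. The log lines, the staff roster and the care-team assignments are all constructed sample data; real systems would feed the review from the EHR audit trail and HR records.

```python
# Added example: review an EHR access log for the two patterns items 6 and 7
# describe. Every value below is constructed sample data, not a real record.
import csv
from io import StringIO

# Constructed access log: who viewed which patient record, and the stated purpose.
ACCESS_LOG = """\
timestamp,user_id,patient_id,purpose
2024-06-03T08:02:11,nurse_17,P-1001,treatment
2024-06-03T08:15:40,nurse_17,P-1042,treatment
2024-06-03T09:47:02,billing_04,P-1001,payment
2024-06-03T12:30:55,nurse_17,P-2077,treatment
2024-06-03T13:05:19,nurse_17,P-9001,treatment
2024-06-03T17:51:33,clerk_08,P-1042,none
"""

# Constructed roster: the patient record that belongs to a staff member (item 7).
STAFF_PATIENT_IDS = {"nurse_17": "P-9001"}

# Constructed care-team assignments: records each user has a work reason to view.
ASSIGNMENTS = {
    "nurse_17": {"P-1001", "P-1042"},
    "billing_04": {"P-1001", "P-1042", "P-2077"},
    "clerk_08": set(),
}

# The only purposes HIPAA permits for routine record access (item 6).
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

def review_access_log(log_text, staff_patient_ids, assignments):
    """Return (user_id, patient_id, reason) for every access that needs follow-up."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        if staff_patient_ids.get(user) == patient:
            findings.append((user, patient, "self-access"))            # item 7
        elif row["purpose"] not in PERMITTED_PURPOSES:
            findings.append((user, patient, "no-permitted-purpose"))   # item 6
        elif patient not in assignments.get(user, set()):
            findings.append((user, patient, "no-relationship"))        # item 6
    return findings

if __name__ == "__main__":
    for user, patient, reason in review_access_log(ACCESS_LOG, STAFF_PATIENT_IDS, ASSIGNMENTS):
        print(f"{reason:22} {user:12} {patient}")
```

Each finding is a lead for the compliance officer to follow up, not a verdict; a legitimate consult outside the assignment list would be cleared on review.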

8. Never Take Medical Records with You When Changing Jobs

Once again, patient records should only be viewed as required for treatment, payment, or healthcare operations. Taking records with you for any other reason, even if you have been caring for the patients for many years, is forbidden. How you were going to use the records does not matter. It would still be considered data theft and you could face serious criminal charges.

9. Report All Potential HIPAA Violations

While it may seem like a burden, HIPAA is there to protect everyone. Employees have a responsibility to report potential violations to the organization’s compliance officer. If something is a violation, action can then be taken to prevent it from happening again.

If you feel that your organization is not taking HIPAA rules seriously, talk to your compliance officer, or file a complaint with the Department of Health and Human Services Office for Civil Rights.