Healthcare information security

Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It

Mahwish Khan
December 16, 2017 by
Mahwish Khan

HIPAA legislation was established by the US Federal Government in 1996. These are rules and standards designed to protect the security and privacy of patient health information. It has implemented national requirements for organizations and individuals designed to enforce certain technical, physical and administrative safeguards to maintain the integrity, availability, and confidentiality of protected health information.

The majority of any HIPAA violations are accidental and come down to ignorance; therefore, it is critical that your organization is aware of all of the potential risks. Here are the top 10 ways your company may be violating HIPAA and not even know it.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

The Top Ten Ways Your Organization Might Be Violating HIPAA

1. The lack of HIPAA Awareness Education.

HIPAA violations occur when employees have not been sufficiently trained in all areas of the law. One of the easiest and most proactive ways to avoid a violation is through continuous training throughout the year to employees.

HIPAA training requirements are extensive, and they are often the source of much confusion for organizations. There is no specific length for training; it is advised that training for privacy and security should be no longer than 20-40 minutes for each session that is covered. This will ensure that information is retained and applied by all employees.

2. Employees Unknowingly Revealing Confidential Patient Information to Third Parties.

Discussing information about patients to co-workers and friends is a significant HIPAA violation which can lead to a steep fine. It is essential that employees are mindful of their environment and that they limit their conversations regarding patient information to the workplace only, to avoid any massive penalties.

3. The Venue in Which Confidential Medical Information Is Accessed and Viewed.

The majority of clinicians use their laptops or home computers after hours to access patient information, for follow-ups and to record notes. If the screen is left open, and a family member accidentally sees this confidential data, then a HIPAA violation has occurred. Make sure that your laptop and computer are password protected and all other devices are kept out of reach to reduce the risk of patient information being stolen or accessed by unauthorized individuals. In this regard, using Two Factor Authentication (2FA) is recommended.

4. The Misuse and Mishandling of Medical Records.

One of the many common HIPAA violations is the mishandling of patient records. Sometimes written patient information is accidentally left on a chart in an exam room giving other patients access to it. Thus, all printed or written medical records should be properly kept out of the public's view.

5. Fully Understanding Disclosure Requirements and When Consent Is Needed.

Any personal information that is not used for the operation, healthcare, or payment that is permitted by the Privacy Rule of HIPAA requires written consent. If an employee has doubts, it is best to get authorization before any information is released to ensure that HIPAA regulations are being adhered to.

6. Storing medical information on unauthorized Smartphones.

A HIPAA fine may be issued if patient information is accessed through the use of an unauthorized smartphone, desktop or laptop. Due to the small size of mobile devices, they are extremely vulnerable to theft. Thus, every precaution should be taken (such using passwords, single sign-on solutions, 2FA, etc.) to access to specific patient information.

7. Revealing Medical Information at the Wrong Time and the Wrong Place

It is quite common for patient information to be breached accidentally in a social situation. Therefore, it is advised for the medical practitioner to be prepared not to reveal patient information at any type or kind of social gathering or event.

8. Texting Patient Information Without the Usage of Encryption Protocols.

An easy way to provide information quickly is to send a text message containing test results or vital signs via an authorized Smartphone. However, this also puts patient information at risk as cybercriminals can easily access the information if the communications line is unencrypted. Thus, the use of an encryption program will allow medical practitioners to text confidential medical information safely, but it must be installed on the authorized wireless devices of both parties.

9. Illegal Access to Patient Files by Unauthorized Employees.

All employees must be authorized to access patient information. To do so otherwise is illegal and can lead to a substantial fine. It should also be noted that individuals who sell or use PHI for personal gain are putting themselves at risk of a fine or prison time.

10. Using Social Media to Share Medical Information.

It is essential that all employees are made aware that posting pictures or sharing patient information via social media platform is a severe HIPAA violation. Healthcare companies should create specific rules that sharing or posting medical information on social media sites is strictly forbidden that can lead to substantial, financial penalties.

Preventative Measures

Identity thieves go to great lengths to locate patient information. Thus, a successfully destroyed medical record is one that has been rendered indecipherable, unreadable and cannot be reconstructed. As a result, many healthcare providers and hospitals have adopted the use of shredding machinery. These include the following.

Mobile shredding. This involves making use of shredding box trucks that have been equipped with industrial shredders. All of the required medical records are destroyed in the presence of the medical practitioner.

Once the shredding has been completed, the company provides a formal certificate of destruction. This guarantees that the shredding was HIPAA and Fair and Accurate Credit Transactions Act (FACTA) compliant.

Offsite shredding. A truck collects the documents and transports them to a secure offsite shredding facility. After the medical records have been shredded, the same type of certificate is issued.

Take Away

The security and privacy of patient health information should be of utmost priority for all medical professionals. You can prevent violations by conducting annual HIPAA training. HIPAA regulations should also be implemented into company policies and procedures so that it becomes ingrained in the everyday corporate culture.

References

http.//www.hipaaone.com/7-ways-employees-can-help-prevent-hipaa-violations/

https.//www.ama-assn.org/practice-management/hipaa-violations-enforcement

http.//www.onlinetech.com/resources/references/what-is-a-hipaa-violation

http.//examples.yourdictionary.com/examples-of-hipaa-violations.html

https.//www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

https.//www.paubox.com/blog/hipaa-violations

Mahwish Khan
Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.