More than twenty years since its inception, the Health Insurance Portability and Accountability Act (HIPAA) has made significant strides in keeping patients’ healthcare information private. However, even now, HIPAA violations still occur on a regular basis—often as a result of unintentional actions, leading to fines that can range from $100 to $1.5 million. In addition, providers may be at risk for sanctions or even loss of license. Here, in no particular order, are the 10 most common reasons for HIPAA violation citations; it’s worth reviewing these with your staff periodically to remind them to be careful with discussions, files, and devices.
- Employees disclosing information – Gossiping about patients to friends and family is certainly outlawed, but even telling coworkers about a case is a HIPAA violation that can result in a significant fine. Employees must be mindful of their environments and restrict their conversations to private places and the appropriate people.
- Employees accessing patient files illegally – Employees must not look up patient information they are not authorized to access, whether out of curiosity, spite, or as a favor to someone. Using or selling PHI (protected health information) for personal gain can result in prison time.
- Lost or stolen devices – Laptops, tablets, and smartphones are vulnerable to theft due to their small size. Any PHI on these devices needs to be password protected and encrypted in case the device falls into the wrong hands.
- Medical records mishandling – Paper charts and records must be managed carefully to avoid accidentally leaving them where another patient might see them, such as in the exam room. Medical records must be locked away from the public’s view.
- Texting patient information – Providers often text patients information such as vital signs or test results, but the information is at risk of falling into the wrong hands. The proper way to send such sensitive data via text message is to use encrypted apps, but the apps must be installed on both the provider’s and patient’s devices.
- Accessing PHI on home computers – Many clinicians use their home computers or laptops after hours; if the screen is accidentally left on and another family member uses the device, this becomes a HIPAA violation. The computer/laptop must be password protected and, ideally, locked whenever the clinician is away from the computer.
- Social breaches – Many people remain unaware of HIPAA laws and thus think nothing of asking a clinician in a social setting about a friend or family member who is a patient. To avoid violations or awkwardness, providers should prepare an appropriate response in advance so they do not accidentally release private information.
- Social media – Posting any patient photos, even anonymously, is a HIPAA violation because someone may recognize the patient or know the physician’s specialty. Employees must refrain from sharing any patient information on social media.
- Authorization requirements – HIPAA covers the use of PHI for treatment, payment, and healthcare operations. Using or disclosing patient information for any other purpose requires written consent from the patient.
- Lack of training – Sometimes, clinics overlook the fact that volunteers, interns, and any employees with access to PHI must be trained on HIPAA regulations—not just managers, administration, and medical staff. Compliance training is a simple, proactive way to avoid violations.
Perhaps the best way to avoid HIPAA violations is to make HIPAA training a regular part of your practice’s policies and procedures. With the proper priority, updated materials and manuals, and annual training, many violations can be easily prevented.
To learn more about common HIPAA violations and how to avoid them, see Becker’s Hospital Review.