9 Common HIPAA Violations (And How to Avoid Them)

Submitted by admin on Tue, 09/22/2015 - 16:17


HIPAA was passed to protect the privacy of patients' health information, known as PHI (protected health information). HIPAA violations are increasing every day, ranging from accidental breaches caused by lost devices to intentional disclosures for an employee's personal gain. HIPAA fines can cost millions of dollars, not to mention the loss of credibility to a practice. Below are nine common violations that can be avoided just by taking simple precautions.


Lost or Stolen Devices


During a break-in, electronics are the first to go. If those devices are not properly encrypted, patient information is readily accessible to anyone who obtains the stolen laptops, USB drives, backup disks, etc. Ensure that every device is properly encrypted, with password-protected access at every level, to protect PHI.

Hacking


Computer hacking is commonplace today, whether through accidental downloads of viruses or hackers intentionally breaking into computers and networks. Installing firewalls, requiring password-restricted access, and similar measures can protect computers and PHI from hackers.


Employee Dishonesty


Whether out of curiosity or malicious intent, employees try to access information that they do not have permission to view. This is illegal and should be dealt with harshly. Some health care professionals even sell PHI for personal gain. Proper education about what employees are allowed to access, and about the consequences of trying to go beyond that access (firing, fines, and possibly prison time), will help prevent employee-directed breaches.


Improper Disposal


All information, whether paper or electronic, needs to be properly destroyed so that others cannot access the PHI. Papers need to be shredded or burned; hard drives, thumb drives, and phones need to be wiped. One example of improper disposal is Affinity Health Plan, Inc. They returned a photocopier to the leasing company without wiping its drive and were fined $1.2 million because the photocopier had saved copies of documents on its hard drive.


Third Party Disclosure


Telling a patient's friends or relatives about the patient's information is a breach of PHI, as is telling your own friends and relatives. HIPAA has a "need to know" stipulation: you tell those involved only the minimum necessary facts they need in order to do their job. For example, a security officer may need to know the room number and name of a patient to direct visitors, but not specifics like their diagnosis or treatment. Talking about a patient to anyone who does not have clearance is illegal.


Releasing the Wrong Patient’s Information


This would technically fall under third party disclosure, but it is slightly different and is typically done by accident. There may be multiple patients with the same or similar names, or the wrong records could be printed due to human error. Always double-check that the right patient's records are on hand before releasing them.


Untimely Release of Patient Information


If medical records are requested, HIPAA law requires that they be released in a timely manner. If they are not released quickly, institutions can be fined under HIPAA for the slow release. Make releasing medical records a priority in the office.


Unsecure Records


Records must be secured to protect PHI. Encrypt files on computers and require passwords to access data. Lock filing cabinets and offices, and make sure you never leave boxes containing PHI lying around the office for any reason.