Healthcare providers (and, more broadly, all HIPAA covered entities and their business associates) are required under the HIPAA Privacy Rule to protect the confidentiality of protected health information (PHI). The Rule limits how PHI may be used and disclosed without patient authorization, and it gives patients rights over their health information, including the right to obtain a copy of their medical records and to request corrections.
A HIPAA violation can result in substantial civil penalties for a practice: from $100 per violation up to an annual cap of $1.5 million for repeated violations of the same provision (the amounts are adjusted for inflation). Willful misuse of PHI can also carry criminal penalties, and individual healthcare providers may face sanctions from their licensing board, up to loss of license.
The most common reasons for HIPAA violation citations are:
- Lack of training: This is a common violation among employees who are not familiar with HIPAA regulations. Compliance training is one of the most proactive and easiest ways to avoid a violation. HIPAA requires all workforce members, including employees, volunteers, interns, and anyone else with access to patient information, to be trained.
- Employees disclosing information: Employees must be mindful of their surroundings, restrict conversations about patients to private places, and avoid sharing any patient information with friends and family. Employees should also be discouraged from gossiping about patients with friends or coworkers; this too is a HIPAA violation that can cost a practice in fines.
- Social media: Posting patient photos on social media is a HIPAA violation. Even if no name is mentioned, someone may recognize the patient, know the doctor’s specialty, and put the two together; that is a breach of the patient’s privacy. Employees should understand that using social media to share patient information, in any form, is a violation of HIPAA.
- Lost or stolen devices: Loss or theft of laptops, desktops, smartphones, and other devices that store PHI may result in penalties and trigger breach notification duties. Put the necessary safeguards in place: a login password or passcode, access controls that limit who can open patient records, and full-disk encryption. Note that a password alone does not protect data at rest; the disk can simply be removed and read. Encryption is what matters here: under HHS guidance, PHI that was encrypted to NIST standards on a lost or stolen device is not considered "unsecured" PHI, so the loss generally does not have to be reported as a breach.
- Mishandling medical records: Another common HIPAA violation is the mishandling of patient records. All printed medical records must be kept locked away and out of the public’s view, and practitioners and staff should make sure no chart is left in an exam room after the patient has been seen. Electronic records should likewise be password protected and kept out of public sight; for example, front-desk staff should position their monitors so that patients cannot read anything on the screens.
- Authorization requirements: Written authorization is required for any use or disclosure of an individual’s PHI that is not for treatment, payment, or healthcare operations, or otherwise permitted by the Privacy Rule. It is always best practice for an employee to obtain authorization before releasing any information.
- Accessing patient information on home computers: Many clinicians use a home computer or laptop after hours to access patient information, record notes, or complete follow-ups. This can easily lead to an unintended HIPAA violation. Make sure such computers and laptops are password protected and encrypted, that PHI is accessed through the practice’s approved remote-access method rather than copied to personal devices or personal cloud accounts, and that all mobile devices are kept out of sight to reduce the risk of patient information being viewed or stolen.
The privacy and security of patient health information should be a priority for all healthcare professionals. Make sure your office’s materials are current, update your manuals, and conduct annual HIPAA training to prevent potential violations. Most violations can be prevented by building the HIPAA requirements into the practice’s policies and procedures and by ensuring that everyone with access to patient information receives proper training.
For more information, feel free to contact us here.