Common HIPAA Violations and How to Avoid Them
July 23, 2018 // Ivan Perez
Most HIPAA violations are career ending, here are the most common types of HIPAA violations that physicians often commit and how to avoid them.
If you’re a licensed professional, then you’re likely familiar with HIPAA and HIPAA violations. What you might not know, is that most professionals are at a higher risk of a HIPAA breach than they think. There are four fundamental rules that determine HIPAA violations. But within these are thousands of regulations and conditions.
Justifiably so, keeping track of these legal dos and don’ts is as hard as it is important. It is especially hard for younger physicians just coming into residency. In light of that, here are the most basic principles governing HIPAA violations, as well as some of the most common causes and how to avoid them.
What is a HIPAA violation?
First off let’s just quickly go over the basics. HIPAA stands for Health Insurance Portability and Accountability Act. This law was designed to prohibit healthcare professionals from unauthorized disclosure of protected health information.
As to the rules that constitute HIPAA, the following four apply:
- Privacy Rule
- Security Rule
- Breach Notification Rule
- Patient Safety Rule
HIPAA fines can be career-ending, not to mention heinously expensive. As one example, Beth Israel Deaconess Medical Center in Boston was charged $100,000 because of a stolen laptop. In another case, four nursing students in Kansas were expelled from their program for posting pictures with a human placenta on Facebook.
Rest assured no amount of “likes” will make up for that problem. Either or, we’ve put together a few of the more common causes of accidental HIPAA violations and how to avoid them.
HIPAA and social media violations
The current law was first enacted in 1996. Understandably then, not all doctors are readily aware of HIPAA’s definition of privacy around social networks. Similarly, not all medical facilities or groups have a robust enough social media policy. That said, let’s look at a few common mistakes for physicians to avoid on social media.
Discussing patients by omitting their names
A California medical center fired five nurses for mentioning their patients on Facebook. And although it was determined that no identifying information was revealed, they were fired all the same. Omitting direct identifiers, such as the patient’s name or picture, might seem like a sound strategy. But this does not fully account for protected health information. Neither does it disqualify the possibility of revealing the patient’s identity.
Posting pictures of yourself while at work
Pictures tend to reveal a lot more than seen at a first glance. Think back to our earlier example of the student’s in Kansas and the placenta incident.
As a general rule of thumb, assume that even the simplest picture might capture unintended information. Be it a patient standing in the background or a name on a stack of papers. And while these are extremes, it’s better than having to deal with a costly lawsuit.
Failing to properly destroy old information
There are a few guidelines to follow when managing and disposing of health information. For one, all paperwork should be shredded or destroyed. Two, any digital copies or information stored on a hard drive should be deleted. Something as simple as selling off a photocopier with saved copies could warrant a HIPAA breach.
Discussing patient information with other providers
All providers at one point or another will seek out a colleague’s advice on specific cases. The important thing is how the information is shared. Discussions between providers regarding patients should occur in private places.
Moreover, consider the use of HIPAA-compliant messaging applications. Making use of good technology is another way to safely access and share patient information with other physicians.
Unsecured mobile devices
According to HIPAA requirements, any and all devices used for work should be encrypted. That said, be sure that any software tools or ERMs you use have stringent cybersecurity. Also, consider using cloud-based systems to safely store and access information.
Lastly, go the extra mile and protect your mobile devices with two-step authentication and strong passwords.
Preventing HIPAA violations
Staying up to speed with all HIPAA regulations is perhaps the best way to avoid any trouble. This is, of course, easier said than done. Make sure to study the primary regulations and details of compliance as closely as you can. Additionally, as a medical group, be sure to properly train your employees on HIPAA compliance and best practices. A general rule of life: be professional. It will help you more than plain good luck. Check out our online marketplace and our HIPAA breach insurance to see how we can help protect your career.