There are 18 million people that work in healthcare today. While many of those people are diverse in their backgrounds and responsibilities, they all have a common thread they are bound by – HIPAA.
For the uninitiated, HIPAA stands for Health Insurance Portability and Accountability Act. Within HIPAA are several privacy guidelines that healthcare workers need to abide by to keep practicing and to avoid getting fined.
Unfortunately, many HIPAA violations are committed by organizations every year, most of them without any intent to do harm. Are you curious to learn examples of unintentional HIPAA violations?
If you are, keep reading.
In this post, we break down a handful of the most common, often unintentional violations that your healthcare team needs to watch out for.
1. Peeking at Healthcare Records of Non-Patients
There are very few conditions that would allow you as a healthcare professional to review patient medical records. You’ll almost certainly need to be involved in a person’s health in some sort of meaningful way.
If you’re not and you sneak a peek, you could be liable for thousands of dollars in damages.
Healthcare workers have peeked at family members’ or friends’ medical records in the past, with good intentions, only to be punished for doing so.
2. Holding Non-Compliant Vendor Agreements
Almost every healthcare practice does business with a vendor. For example, if you have a software provider that holds your medical records, they’re a vendor you compensate on a schedule or paid with a single payment at some point.
These vendors should know better than to enter into non-HIPAA-compliant contracts with medical workers, as should you. Vendors that are just starting out, though, may not have done their diligence; their contracts may not comply, and signing them puts you at risk.
Always have third-party legal counsel look over agreements with anyone that could be touching your patient health information (PHI).
3. Not Conducting Regular Risk Analysis
As your business grows and the world changes around it, new risks are posed to PHI. It’s the duty of healthcare providers to regularly assess that evolving risk and confirm that the privacy safeguards that were once adequate still are.
Many healthcare organizations will turn to vendors to conduct that HIPAA risk analysis on an annual basis. Some do so more frequently.
If you’re not conducting any form of risk analysis, even if your information handling practices are up to snuff, you could get fined for indifference.
4. Failing to Remedy Identified Risks
When you have a risk assessment done on potential HIPAA violations, you’ll receive a report from the vendor that conducts it. They will not patch those risks on your behalf, at least initially.
That leaves a second step you’ll need to take: act on the information you receive about where your patients’ data is at risk.
If you don’t act on that information, you’ll turn into one of the many examples of unintentional HIPAA violations that get cited in blog posts like this one.
5. Not Instituting Appropriate Access Controls
Several people may have access to the systems that hold patient records. Chances are, not all of those people need to be able to do everything that the application allows for.
It’s your responsibility to use access controls to limit permissions people have within sensitive applications so everything is on a need-to-know basis.
Your systems administrator or software supplier should be able to set access controls up on your behalf to ensure that they are appropriately restrictive and within the realm of HIPAA compliance.
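As an added illustration that is not part of the original post, the following Python sketch shows what “need-to-know” access control over patient records can look like in code: each role is granted only the actions it needs, clinical data is additionally gated on an assigned treatment relationship (the control that stops the record-peeking described in point 1), and every denied attempt is written to an audit log so reviewers can spot browsing. The roles, user names and patient records are constructed sample data, and the `PhiStore` class is a hypothetical example, not any real product’s API.

```python
"""Minimal need-to-know access control for a PHI record store (example only).

Two checks are enforced on every request:
  1. role-based permissions: which actions a role may take at all;
  2. treatment relationship: clinical data is readable only for patients
     the user is assigned to, so an unassigned clinician cannot "peek".
Every decision, allowed or denied, is appended to an audit log.
All names, roles and records below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Hypothetical role model: each role gets only the actions it needs.
# Note that the system administrator has no clinical or billing access.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"read_clinical", "write_clinical"}),
    "nurse": frozenset({"read_clinical"}),
    "billing": frozenset({"read_billing"}),
    "admin": frozenset({"manage_users"}),
}
CLINICAL_ACTIONS = frozenset({"read_clinical", "write_clinical"})


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: FrozenSet[str] = frozenset()  # treatment relationships


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class PhiStore:
    records: Dict[str, Dict[str, str]]
    audit_log: List[dict] = field(default_factory=list)

    def authorize(self, user: User, action: str, patient_id: str) -> AccessDecision:
        """Decide without side effects; callers log the outcome."""
        if action not in ROLE_PERMISSIONS.get(user.role, frozenset()):
            return AccessDecision(False, f"role {user.role!r} lacks {action!r}")
        if action in CLINICAL_ACTIONS and patient_id not in user.assigned_patients:
            return AccessDecision(False, "no treatment relationship with patient")
        if patient_id not in self.records:
            return AccessDecision(False, "unknown patient")
        return AccessDecision(True, "ok")

    def _audit(self, user: User, action: str, patient_id: str, decision: AccessDecision) -> None:
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "role": user.role,
            "action": action, "patient": patient_id,
            "allowed": decision.allowed, "reason": decision.reason,
        })

    def _read(self, user: User, action: str, patient_id: str, section: str) -> str:
        decision = self.authorize(user, action, patient_id)
        self._audit(user, action, patient_id, decision)
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return self.records[patient_id][section]

    def read_clinical(self, user: User, patient_id: str) -> str:
        return self._read(user, "read_clinical", patient_id, "clinical")

    def read_billing(self, user: User, patient_id: str) -> str:
        return self._read(user, "read_billing", patient_id, "billing")

    def denied_attempts(self, user_id: Optional[str] = None) -> List[dict]:
        """Audit query a privacy officer would run to find browsing attempts."""
        return [e for e in self.audit_log
                if not e["allowed"] and (user_id is None or e["user"] == user_id)]


def build_sample_store() -> PhiStore:
    # Constructed sample records; not real patient data.
    return PhiStore(records={
        "P-1001": {"clinical": "dx: hypertension", "billing": "balance: 120.00"},
        "P-1002": {"clinical": "dx: asthma", "billing": "balance: 0.00"},
    })


if __name__ == "__main__":
    store = build_sample_store()
    nurse = User("nurse.kim", "nurse", frozenset({"P-1001"}))
    print(store.read_clinical(nurse, "P-1001"))          # assigned patient: allowed
    try:
        store.read_clinical(nurse, "P-1002")             # not assigned: denied
    except PermissionError as exc:
        print("denied:", exc)
    for entry in store.denied_attempts():
        print(entry)
```

The important design choice is that `authorize` is a pure decision function and every outcome, including denials, is logged; access-control rules alone do not surface the colleague who keeps trying to open records they are not assigned to, but the audit log does.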
6. Having Portable Device Blind Spots
While healthcare workers have largely not had the luxury of working from home during this COVID period, if you have had team members doing a lot of remote work, you must assess how they’re accessing data outside of the office.
Transmitting patient records outside of your office poses serious risks of data interception. To remedy that issue, all data needs to be encrypted and should be travelling through a virtual private network.
Again, these necessities can be managed by a systems administrator, as there are a lot of intricacies that go into safeguarding mobile data. If you don’t take adequate precautions on this front, you’ll almost certainly be opening yourself up to six-figure fines.
7. Not Issuing Breach Notifications Promptly
Breach notifications need to be issued to governing authorities and patients after your team realizes that a data leak may have occurred or did occur. These notifications need to be sent out within 60 days.
If they trickle out later, you’ll be fined.
8. Improper Information Disclosure
In today’s social media age, many healthcare providers feel compelled to share stories they come across during their careers. Many of those stories are protected by HIPAA, though, so any details you share about patients, even if you withhold information for privacy reasons, can put you at risk.
Countless posts recounting patient stories of triumph have been flagged by identified patients, advocacy groups, and governing bodies for take-down and posters have been punished accordingly. Consequently, it’s always best not to share stories without having patients sign legally binding consent forms.
You Now Have Examples of Unintentional HIPAA Violations to Avoid
Taking in examples of unintentional HIPAA violations is helpful for the simple reason that knowing what to avoid can save you from getting burned. Of course, the examples we’ve shared are by no means comprehensive. There are several other ways to violate HIPAA that you should be made aware of by your legal counsel.
We hope this post enlightened your medical practice. Do you want more insightful HIPAA law information? If so, our team welcomes you to explore additional content on our blog.