Despite the best efforts of healthcare organizations and their business associates to protect data and follow HIPAA’s Security, Privacy, and Breach Notification Rules, information breaches can and do still happen.
While cybercriminals are the breach bogeymen for most business sectors, healthcare often finds itself let down by its own staff. Even with the best procedures and technology in place, at the end of the day it is up to employees to make sure they act in compliance with HIPAA.
Employees Can Help Reduce HIPAA Violations
Misunderstandings and lack of due care towards HIPAA Rules are common causes of information leaks. Staff should be trained to ensure they are properly aware of when and how it is acceptable to share protected health information (PHI) and the appropriate steps to take to safeguard data. Periodic re-training sessions should also be offered to maintain the level of knowledge.
Staff members should feel empowered to protect PHI and fulfil their roles as stewards of information, in line with HIPAA Rules. Small HIPAA violations could lead to large financial penalties, as well as damaging corporate reputation and putting patients at risk. Even accidental violations have the potential to threaten the employee’s career and may be treated as criminal acts with legal consequences.
If you are an employee of a HIPAA covered entity, it might be worth exploring the list of common mistakes below to make sure you are not accidentally violating HIPAA in your workplace.
How Employees Can Prevent HIPAA Violations
Here are some simple mistakes that healthcare employees often make, violating HIPAA.
Do Not Disclose Passwords or Share Login Information
Staff login details are unique and private to each staff member. They are an employee’s key to access PHI and other information. If login details are shared or written down, it is possible that an unauthorized person could view PHI or that another authorized person could misuse another account to incorrectly alter or share PHI. As user activity is tracked and registered, the person whose account identity was being used could be the one to face consequences.
Do Not Leave Documents or Portable Devices Unsupervised
The Department of Health and Human Services’ Office for Civil Rights (OCR) receives a large number of breach reports resulting from portable devices being lost or stolen and PHI being mismanaged. The loss or theft of an unencrypted device that stores or can be used to view PHI is reportable to OCR under HIPAA Rules. OCR will then investigate the report to determine whether any Rule has been broken or a violation has occurred. If the investigation finds that devices were left unsupervised, it may result in financial sanctions. Devices should not be left unattended while active.
Physical records must also be secured. Healthcare facilities can be tumultuous places, but documents containing PHI must still be protected and never left somewhere other staff, patients, or unauthorized individuals could view them.
Help your colleagues avoid HIPAA violations by reminding them of the risks of accidental PHI disclosures.
Do Not Transmit Patient Information by SMS
Many people use text messages to transmit information simply and near instantaneously in their personal lives, but they should never be used to send PHI. SMS networks, Facebook Messenger, and even popular encrypted message services like WhatsApp do not meet the HIPAA requirements for information sharing platforms.
Text message services must include user authentication measures, be sufficiently secure, and a HIPAA compliant Business Associate Agreement (BAA) must be in place between the covered entity and the service provider. PHI can only be shared via protected and approved channels, such as a specialized healthcare texting service.
Do Not Throw PHI Away With Normal Waste
Even though the majority of PHI is stored and shared digitally, physical copies and print outs are still created for some tasks. As mentioned above, PHI documents should not be allowed to be viewed by unauthorized individuals and this holds true even when they are being disposed of. PHI must be disposed of in a state that is unreadable, indecipherable, and unable to be reconstructed in order for it to be HIPAA compliant. Covered entities should implement strict procedures to ensure physical copies of PHI are not thrown out with regular waste and are securely disposed of. Staff must be sure to observe these procedures.
Do Not Access Medical Records Out of Curiosity
Accessing PHI without a valid reason intrudes on patient privacy and violates HIPAA Rules. Even though most healthcare employees would never do this, it still happens more often than one might expect.
Healthcare employees can only access PHI when it is needed to facilitate treatment, operations, or payment. In the case of viewing records relating to treatment, they are only allowed to view the records of patients they themselves are treating.
Access logs that record activity are required for HIPAA compliance, and those logs must be reviewed regularly. Whether measures are in place to flag inappropriate access as it occurs or later checks reveal it, HIPAA violations will eventually be found.
Unauthorized access can result in employees being fired or even prosecuted. As well as this, it can affect future employment prospects and may result in financial penalties for the employer.
Do Not Bring Medical Records if You Change Jobs
Some people may wish to transfer PHI to their new employer when they change jobs. Companies may even request this of new hires in order to target new patients. This is not authorized and can lead to criminal charges, even if the employee has been dealing with the particular patient or patients for a long time.
Do Not Access Your Own Medical Records
While the HIPAA Privacy Rule allows patients access to copies of their information, this is only possible on request. Staff should not access their own records directly, and normally must follow the same procedure as patients by requesting the information from their Health Information Management (HIM) department.
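As an added illustration of the access-log review described above (this is example code, not from the original article or any specific EHR product), the script below scans constructed access-log lines and flags the two patterns the article warns about: staff viewing records of patients they are not treating, and staff viewing their own chart. The log format, care-team roster, and user and patient identifiers are all assumptions made up for the example.

```python
"""Minimal EHR access-log review (constructed example).

Flags accesses outside a treatment relationship and self-access,
two of the HIPAA problems described in the article above.
"""
from collections import namedtuple

# Constructed sample access log: timestamp, user id, patient id, action
ACCESS_LOG = """\
2024-03-01T08:02:11 u1001 p5001 view
2024-03-01T08:05:40 u1002 p5001 view
2024-03-01T08:09:03 u1003 p5002 view
2024-03-01T09:14:27 u1004 p5003 view
2024-03-01T09:30:55 u1002 p5002 view
"""

# Constructed care-team roster: which staff are currently treating which patient
CARE_TEAM = {
    "p5001": {"u1001", "u1002"},
    "p5002": {"u1003"},
    "p5003": {"u1004"},
}

# Constructed mapping from staff user ids to the patient record that is their own
STAFF_PATIENT_ID = {"u1004": "p5003"}

Finding = namedtuple("Finding", "timestamp user patient reason")


def parse_line(line):
    """Split one log line into its four whitespace-separated fields."""
    ts, user, patient, action = line.split()
    return ts, user, patient, action


def review_access_log(log_text, care_team, staff_patient_id):
    """Return a list of Findings for accesses with no apparent treatment need."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = parse_line(line)
        if staff_patient_id.get(user) == patient:
            # Staff must request their own records through HIM, not open them
            findings.append(Finding(ts, user, patient, "self-access"))
        elif user not in care_team.get(patient, set()):
            # No treatment relationship on record for this user and patient
            findings.append(Finding(ts, user, patient, "not on care team"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(ACCESS_LOG, CARE_TEAM, STAFF_PATIENT_ID):
        print(f"{f.timestamp} {f.user} -> {f.patient}: {f.reason}")
```

In a real deployment the roster would come from the scheduling or admission system and the findings would feed a compliance review queue rather than being printed.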
Do Not Transmit PHI or Photographs Via Social Media
Many healthcare organizations have social media policies detailing how employees may and may not use social media. These policies generally state that information related to an employee's professional duties should not be posted or transmitted using social media. Publishing a tweet, Facebook post, or similar message containing patient information or PHI, even in a closed group, is a violation of HIPAA Rules.
Photographs and videos are also included when we talk about PHI, even if patients’ names and other information are not visible or mentioned in the media shared.
Selfies and other photographs that show patients cannot be uploaded to social accounts unless written permission has been received from every patient depicted before the upload. If any PHI is visible in the photograph, such as x-rays or documents, this would be a HIPAA violation. A good rule of thumb is: if in doubt, don’t post. You can speak with your compliance officer to double check. A social media guide for nurses is available from the National Council of State Boards of Nursing (NCSBN).
A number of cases where healthcare employees uploaded inappropriate photographs and videos of patients to social media have been reported recently. These can lead to fines for the employer, loss of employment and licenses for the employee, and lawsuits for all involved.
Reporting Possible HIPAA Violations
If you suspect someone in your organization has committed a HIPAA violation, you must report it to your supervisor or compliance officer so that it can be investigated and procedures can be put in place to stop it happening again.
If you feel your employer is not taking sufficient action against potential HIPAA violations, you should speak with your supervisor or compliance officer. If HIPAA Rules are being repeatedly or habitually violated, you can report it directly to the OCR.