HIPAA, or the Health Information Portability and Accountability Act, which governs the secure use and handling of patient health information, has been around since 1996. However, many healthcare providers still find it challenging to maintain compliance with the legislation, especially as new methods of data storage, access, and sharing are constantly being developed.
While the Act is critical for appropriate management and protection of patients’ sensitive information, many hospitals take it for granted, and one in three doctor’s practices doesn’t have any compliance plan in place. This is quite disturbing considering the exorbitant non-compliance penalties, which can incur fines of up to $250,000, depending on the breach. That’s an amount that won’t go unnoticed by any business, so a regular review of compliance practices among the staff is strongly advised.
Common HIPAA Violations
Some of the most common HIPAA violations include a failure to properly secure PHI records on mobile devices, impermissible disclosure of sensitive information, or loss of device with patient data. A vast number of these errors could be avoided if the office and medical staff were familiar with the critical HIPAA stipulations and the risks that non-observance entails.
If the word ‘HIPAA’ makes you cringe, you’re in the right place. Explore these examples of common HIPAA infringements among healthcare personnel and see if your facility is not committing some of them.
Is your staff regularly trained in HIPAA regulations and policies?
Keeping up with HIPAA regulations is not easy. And even if your staff got acquainted with them in the past, a single training session is not enough. The knowledge about the current requirements, policies, and obligations must be regularly updated. But how to deal with that task if managing a comprehensive HIPAA compliance program is unfeasible for many small and medium healthcare practices?
Although there’s no official certification program or exam for compliance with the Act, many training companies offer on-site and remote courses for healthcare staff. The cost of participation is considerably lower than the expense of non-compliance fines. There are also plenty of free online resources available to help your personnel stay informed.
Are your employees cautious about sharing PHI data?
HIPAA strictly specifies the circumstances when patient data can be shared. In most cases, the medical and admin personnel may only share PHI upon a patient’s written authorization. However, there are certain situations when no such authorization is required. They include sharing information with other healthcare providers for treatment purposes, discussing a patient’s health with family members, or disclosing patient records in an emergency when the patient is incapacitated or not available.
It’s essential that your staff understands what’s considered an unauthorized use of patient details, and what exceptions can be made. For example, even using a person’s full name out loud may already constitute a breach. Make sure your personnel is aware of that.
Do they send patient information by email?
Expedient communication in a healthcare setting is crucial for a positive treatment outcome, and email is one of the most efficient methods of delivering information. HIPAA does not expressly prohibit email as a means of forwarding and exchanging PHI, yet it imposes some security requirements on healthcare providers for its use, such as secure encryption.
As a rule of thumb, one of the best policies to ensure compliance for email communication is reducing it to the minimum. There are numerous alternative solutions available instead, such as Electronic Health Records, Patients Portals, or secured messaging.
Does your personnel follow the preferred method of contact with patients?
Exchanging patient information with other healthcare providers is one thing, getting in touch with patients - another. HIPAA also acknowledges this distinction. Every patient has the right to indicate how they want to be contacted and healthcare organizations must abide by it. Using another channel of communication in such a case is considered a HIPAA breach.
What’s interesting, if your patient prefers to interface via email, your personnel is allowed to use this method, even if the messages are unencrypted. As long as the patient is aware of the security risks involved, his or her preference takes priority. Find out more about this regulation here.
Does your stuff use HIPAA compliant third-party vendors and suppliers?
Our final point is particularly vital as it’s frequently neglected. By law, the HIPAA Privacy Rule applies only to covered entities. However, if you are outsourcing any tasks to third-party suppliers, regulatory obligations extend into your contractors and service providers. They include your IT suppliers, legal & accounting, practice management, phone answering services, translators, billing companies, and so on.
Make sure any business carrying out operations on your behalf follows HIPAA standards and uses the information they are provided with for the sole purpose and extent of conducting their business.
Assuring confidentiality and security of patients’ records is a top priority for healthcare providers. Therefore, it is in your best interest to ensure all personnel adheres to HIPAA regulations. Your organization stands a better chance of remaining compliant if you keep educating your staff about the legislation, reinforce their knowledge of regulations and best practices, and ensure all parties involved in your healthcare services observe the same high standards of patient identity and privacy protection.
Are you looking for HIPAA-compliant call forwarding services?
Learn more about the benefits of specialty call answering and start a FREE 30-day trial period. No contract or CC payment required.