As I’m sure we are all aware, in 1996 Congress passed the Health Insurance Portability and Accountability Act, also known as HIPAA, and in 2013, with the Omnibus Rule, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), began to enforce the regulations. Over the last several years, we have watched many practices in our community assume that they are immune to incidents, breaches, or even an audit.
As a Covered Entity (CE), you have a professional obligation to adhere to the compliance requirements stipulated by the law.
HIPAA standards seem to be ever-changing and can often be confusing for the average practitioner, business owner or manager in the medical field.
Sometimes, the best way to learn what you should be doing when it comes to HIPAA compliance is to hear examples of what you should not be doing. So with that, let me share 10 common examples of HIPAA violations we see in our community today.
#1 – Failure to promptly release information to patients.
- ‘Prompt’ can be a very relative term, but what you need to keep in mind is that you should have a protocol for when you release information and keep to that protocol with all patients. You are required to respond to patient requests as soon as possible, with a limit of 30 calendar days from the date of the request.
#2 – Improper disposal of patient records.
- Shredding is mandatory before disposing of patient records.
#3 – Missing patient signatures.
- HIPAA forms without the patient’s signature are invalid. Make sure your staff is trained to always check every document twice for signatures before the patient leaves.
#4 – Releasing the wrong patient’s information.
- Again, this goes back to training and making sure your employees are conscientious.
#5 – Discussing information with friends or relatives about patients.
- It might seem innocent to tell your spouse about the interesting case you saw in your examining room that morning. After all, who is she going to tell? Don’t make this mistake. Discussing patients with ANYONE not involved in their care is a violation.
#6 – Discussing private health information in public areas.
- Even if you ARE discussing information with someone else involved in the patient’s care, if you’re doing so in a place where others NOT involved can hear, you are in violation.
#7 – Discussing private health information on social media.
- There are a lot of rules here when it comes to what qualifies as private health information. A violation could be as simple as referencing the age and condition of a patient in a post. Make sure you know what is and is not acceptable on social media.
#8 – Not logging off a computer system that contains private health information.
- Even if you think no one can get to your computer, you need to log off when you are away from it. Yes, even when you go to the restroom!
#9 – Including private health information in an email that is not secured.
- Any PHI that travels over the Internet, email included, needs to be encrypted in transit. Make sure you are working with a technology company that can help you properly encrypt everything that includes PHI.
#10 – Releasing information about minors without the consent of a parent or guardian.
- Always make sure you get SIGNED consent. Always. If the parents are divorced, you must get written permission from the custodial parent or guardian.
So there you have it, ten real-life examples of HIPAA violations. This should give you a good roadmap of the areas you and your staff should be wary of. For more information on how to better protect yourself, please download our free HIPAA Compliance Checklist and run a self-assessment, or call one of our certified security professionals to answer any questions you might have.