As a HIPAA-covered entity, you’re undoubtedly aware of the many regulations related to maintaining your clients’ privacy and protecting their personal information. However, with so many intricacies in the rules, it’s easier than you might think to inadvertently commit a violation. Something as simple as a conversation between co-workers could result in a significant penalty for your agency.
With that in mind, it’s important not only to train your employees in the fundamentals of HIPAA compliance, but also to address the details, highlighting the things that seem completely innocent but are actually serious violations. Understanding which actions are most likely to violate the law is an important step toward ensuring compliance, so we’ve compiled this list of common mistakes and how your agency can avoid them.
1. Disclosure in Conversation
The number of ways that information can be disclosed in the course of an average day is actually quite startling. Consider the following violations:
- A patient asks their provider about a friend who also receives home health services from your company. Without hesitation, your employee reveals that the other patient is having some difficulties, knowing that the two are good friends.
- Two employees discuss a patient in the office, within earshot of some visitors.
- In a social situation, someone mentions that they know someone who receives care from your agency. You, or your employee, engage in conversation that effectively confirms that the person is a client of your company.
These are just a few examples of how you or your employees can violate HIPAA in conversation without even realizing it. As a matter of policy, employees should discuss patients or patient information only with the patient, the patient’s authorized representative, or colleagues who need that information to provide care, and never where visitors or bystanders can overhear.
2. Failure to Physically Secure Information
Several of the largest health care data breaches in history were traced back to lost or stolen devices, including laptops, tablets, and mobile phones. HIPAA rules require covered entities to adequately secure all protected health information (PHI), whether stored in electronic or paper formats, but it’s very easy for your employees to become lax in this area. For example, do they leave their mobile devices unattended during patient visits? Are devices left in vehicles overnight?
Keep in mind that your agency can be held liable for not protecting PHI even when it’s not hacked or exposed on a large scale. In one case, a home health agency (HHA) was fined nearly $250,000 for failing to secure PHI. An employee had stored medical files in her home, and when she moved out after a divorce she did not take the files with her, leaving her ex-spouse with unauthorized access to them. In addition, the employee had stored files in her vehicle, which her spouse could also access. While the agency noted that the PHI had been removed from the office without authorization, the Office for Civil Rights (OCR) still held the agency liable for failing to protect the data.
Given that most home health providers are trying to balance security with giving their employees access to the data they need, it’s important to develop strong policies regarding the physical protection of PHI. Using a cloud-based home health software product that offers strong security protections is a good start, because less PHI then needs to live on the device itself, but your security policy should also specifically outline:
- What data can be removed from the premises, on which devices, and by whom
- A login and authentication procedure that prevents unauthorized access: unique user accounts, strong passwords or multi-factor authentication, and automatic session timeouts on unattended devices
- A strong mobile device management program that requires a device passcode and full-device encryption, allows remote locking and wiping of lost or stolen devices, blocks shared or concurrent logins, and ensures software and patches are up to date (an encrypted device that is lost or stolen is far less likely to count as a reportable breach than an unencrypted one)
- How you will lock and secure physical files, and how paper records are tracked when they leave the office
The bottom line is that you need to consider the physical security of your data, and keep close tabs on what data is stored where and who has access to it.
3. Using Unsecured Devices
Physically protecting devices isn’t the only concern when your employees are mobile. You also need to consider how information is being shared, and whether it travels over secure channels. Sending patient information via text using an unsecured, unencrypted messaging system, for example, is a HIPAA violation. Employees who use their own home computers without securing access to work portals are another risk, as is connecting to work systems over public Wi-Fi. It’s vital that you offer access to secure networks (for example, a VPN for remote access), allow only approved, managed devices to reach your data, and provide an approved secure messaging tool so that staff are not tempted to use consumer apps.
4. Improper Release of Information
HIPAA authorization forms expire (every valid authorization must state an expiration date or expiration event), and releasing patient information after that point is a violation of the law. All too often, though, providers only check that an authorization is on file and fail to confirm the expiration date, thereby releasing information inappropriately. Train your employees not only to check for authorizations, and to secure them when necessary, but also to double check the expiration date and the recipient named on the form, and to obtain new documents if required. Releasing information just one day after expiration can result in a violation.
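The expiration check described above, written as a release-of-information gate that a records system could run before every disclosure. This is an added example, not code from the original page or from Complia Health’s products; the record layout, field names, and sample dates are assumptions constructed for illustration. It goes slightly beyond the text: besides the expiration date it also refuses a release when no authorization is on file, when the authorization names a different patient or recipient, or when it has been revoked (a HIPAA authorization can be revoked in writing), and it treats the expiration date as the last valid day, so the day after is already a refusal.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional, Tuple


# Constructed, simplified authorization record. Real authorizations carry more
# fields (description of the information, purpose, signature); this layout is
# an assumption for illustration, not any vendor's schema.
@dataclass(frozen=True)
class AuthorizationRecord:
    patient_id: str
    recipient: str                 # the party the patient authorized to receive PHI
    signed_on: date
    expires_on: Optional[date]     # None means no expiration date was recorded
    revoked_on: Optional[date] = None


def release_decision(auth: Optional[AuthorizationRecord], patient_id: str,
                     recipient: str, release_on: date) -> Tuple[bool, str]:
    """Decide whether PHI for patient_id may go to recipient on release_on.

    Fails closed: anything short of a matching, unrevoked, unexpired
    authorization is refused, and the reason is returned for the audit log.
    The expiration date itself is the last valid day, so the day after it is
    refused (the "one day after expiration" case in the text).
    """
    if auth is None:
        return False, "no authorization on file"
    if auth.patient_id != patient_id:
        return False, "authorization belongs to a different patient"
    if auth.recipient.casefold() != recipient.casefold():
        return False, "recipient is not the party named in the authorization"
    if release_on < auth.signed_on:
        return False, "release date precedes the authorization's signature date"
    if auth.revoked_on is not None and release_on >= auth.revoked_on:
        return False, f"authorization was revoked on {auth.revoked_on.isoformat()}"
    if auth.expires_on is None:
        return False, "no expiration date recorded; obtain a complete authorization"
    if release_on > auth.expires_on:
        return False, f"authorization expired on {auth.expires_on.isoformat()}"
    return True, "authorization valid"


def check_release(auth: Optional[AuthorizationRecord], patient_id: str,
                  recipient: str, release_on_iso: str) -> Tuple[bool, str]:
    """Same gate with the release date supplied as an ISO string (YYYY-MM-DD)."""
    return release_decision(auth, patient_id, recipient, date.fromisoformat(release_on_iso))


# Constructed sample data (not real records): a six-month authorization signed
# 2024-01-15, and a copy of it that the patient revoked on 2024-05-01.
SAMPLE_AUTH = AuthorizationRecord(
    patient_id="P-1001",
    recipient="Example Rehab Clinic",
    signed_on=date(2024, 1, 15),
    expires_on=date(2024, 7, 15),
)
SAMPLE_REVOKED = replace(SAMPLE_AUTH, revoked_on=date(2024, 5, 1))


if __name__ == "__main__":
    # The expiration day itself is allowed; the next day is refused.
    for when in ("2024-07-15", "2024-07-16"):
        allowed, reason = check_release(SAMPLE_AUTH, "P-1001", "Example Rehab Clinic", when)
        print(when, "release" if allowed else "refuse", "-", reason)
```

The gate returns a reason with every refusal so the records system can log why a release was blocked; an employee who sees "expired on 2024-07-15" knows to obtain a fresh authorization rather than work around the check.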
These are just some of the common mistakes that can lead to HIPAA violations and cause major headaches for your agency. By focusing your training and policies on all aspects of HIPAA, you can avoid them, while still providing excellent care.
If you need insight into tools and software that can help you better manage the security of your patient data while still maintaining patient privacy, be sure to click here to learn more about Complia Health’s family of solutions.