How Employees Can Help Prevent HIPAA Violations

What is a HIPAA Violation?

Healthcare institutions and their business associates must be in compliance with the HIPAA Privacy, Security, and Breach Notifications Rules and need to implement a range of controls to avoid HIPAA violations. But despite having controls to minimize the possibility of HIPAA violations, breaches still happen.

In many industries, hackers and cybercriminals are to blame for most security breaches. In healthcare, many breaches are caused by insiders. Healthcare institutions can strengthen their defenses and can employ technologies to detect breaches as soon as they happen, but healthcare employees must also do their part to prevent HIPAA violations from occurring.

How Can Employees Help to Prevent HIPAA Violations?

Healthcare privacy breaches frequently happen because of negligence or a failure to understand the HIPAA Rules. Healthcare companies must therefore provide employees with full training to raise awareness of HIPAA requirements. Employees need to know the permitted uses and disclosures of PHI and how to keep ePHI secure at all times. There must be regular refresher training sessions for employees to make certain they do not forget HIPAA Rules.

Employees are also responsible for HIPAA compliance and must help their employers avoid HIPAA violations. Even fairly trivial HIPAA violations can have serious consequences. Organizations could be subject to sizable fines. HIPAA violations can destroy organizations’ reputations and can even result in harm being caused to patients. Employees found to have broken HIPAA Rules, even unintentionally, could be terminated from work and, in serious instances, could face criminal charges.

As a healthcare employee, it is therefore important to avoid HIPAA violations. To avoid some of the most common HIPAA violations committed by employees, consider the advice detailed below:

Do Not Reveal Passwords or Share Account Details

All employees should have a unique login, which grants them access to sensitive data. It is consequently important to keep login details private. Never share or write down login details. Login data is used to monitor user actions, including activities concerning ePHI. If a co-worker knows your login details and wrongly accesses ePHI using your credentials, the violation is likely to be treated as having been committed by you.

Don’t Leave Portable Devices or Records Unattended

The Office for Civil Rights breach portal is filled with data breach reports involving lost or stolen devices and improperly handled PHI. Under HIPAA Rules, a lost or stolen unencrypted device containing ePHI is a reportable breach. OCR investigates breach reports involving lost or stolen devices to find out whether there has been a violation of HIPAA Rules. If employees are found to have left devices unattended, financial penalties could be issued. Portable devices must be monitored at all times and secured when not in use.

The same is applicable to paper records. Healthcare employees should not leave documents with PHI in places where unauthorized persons, other healthcare workers or patients can view them. To prevent HIPAA violations, remind employees to take care of patient files to avoid accidental PHI disclosures.

Do Not Text Patient Data

Text messages are a fast and simple way of communicating, whether through the SMS network, Facebook Messenger, or WhatsApp. Sad to say, these common messaging services do not have the required controls to avoid accidental ePHI disclosures to unauthorized persons.

For instance, SMS messages aren’t encrypted and may be intercepted. WhatsApp is encrypted, yet it does not have proper authentication controls. If a text messaging service is to be used, the employer must first have entered into a HIPAA-compliant business associate agreement (BAA) with the service provider. When sending ePHI, only use permitted channels such as a secure healthcare text messaging service.

Do Not Dispose of PHI Together with Regular Trash

Though most healthcare organizations now use electronic health records, many still hold paperwork containing PHI. Any document that contains patients’ PHI must be secured at all times and disposed of safely and securely when no longer required. HIPAA calls for all PHI to be made unreadable, indecipherable, and not reconstructible when it is no longer needed. Your employer must impose strict rules covering PHI disposal. Paper records must not be disposed of together with regular trash.

Do Not Access Patient Records Out of Curiosity

Employees who access patient health data without a valid reason are committing a serious violation of patient privacy. Although most healthcare employees value the privacy of patients, each year sees many cases of healthcare employees snooping on patient records.

Healthcare employees only have permission to access patient data if required for treatment, payment, or healthcare operations. For treatment reasons, employees should only view the information of their own patients.

The HIPAA Security Rule requires covered entities to keep access logs to help them identify inappropriate access to ePHI. Those logs should be checked regularly. Depending on how the system is set up, a flag may be raised promptly to identify improper access to PHI, or the next audit will show which employees have violated patient privacy.
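The access-log review described above can be partly automated. The following script is an added example, not code from the original article or from any particular EHR product. It assumes a simplified audit log format (timestamp, user, patient ID, recorded purpose) and a care-team roster, both constructed here so the script runs offline; it applies two checks drawn from the text: the purpose must be treatment, payment, or operations, and a treatment access must be to one of the user’s own patients.

```python
"""Flag potentially inappropriate ePHI access in an EHR audit log.

Added example (not part of the original article). The log format
'timestamp,user,patient_id,purpose' and the care-team roster are
assumptions constructed for this demonstration.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log lines (not real data).
SAMPLE_LOG = """\
timestamp,user,patient_id,purpose
2024-03-01T08:05:00,nurse_a,P1001,treatment
2024-03-01T08:07:00,nurse_a,P1002,treatment
2024-03-01T08:30:00,nurse_b,P1001,treatment
2024-03-01T09:15:00,billing_c,P1002,payment
2024-03-01T12:40:00,nurse_a,P1003,treatment
2024-03-01T13:00:00,nurse_b,P1004,curiosity
"""

# Constructed care-team roster: which patients each clinical user is assigned to.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "nurse_b": {"P1004"},
}

# The three permitted purposes named in the article.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}


def parse_log(text):
    """Parse CSV audit log text into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def flag_access(rows, care_team):
    """Return the rows that fail the access rules, each with a reason.

    Rule 1: the recorded purpose must be treatment, payment or operations.
    Rule 2: a 'treatment' access must be to a patient on the user's care team.
    """
    flagged = []
    for row in rows:
        purpose = row["purpose"]
        if purpose not in PERMITTED_PURPOSES:
            flagged.append({**row, "reason": f"purpose '{purpose}' is not a permitted use"})
        elif purpose == "treatment" and row["patient_id"] not in care_team.get(row["user"], set()):
            flagged.append({**row, "reason": "treatment access to a patient not assigned to this user"})
    return flagged


def flagged_counts_by_user(flagged):
    """Summarise flagged entries per user for the periodic audit report."""
    return Counter(row["user"] for row in flagged)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    hits = flag_access(rows, CARE_TEAM)
    for hit in hits:
        print(f"{hit['timestamp']} {hit['user']} -> {hit['patient_id']}: {hit['reason']}")
    print("Flagged per user:", dict(flagged_counts_by_user(hits)))
```

On the constructed log this flags three entries: nurse_b opening a record for a patient not on their team, nurse_a doing the same, and an access recorded with a purpose that is not a permitted use. A real deployment would feed the flagged entries to the privacy or compliance officer for review rather than treating every hit as a confirmed violation, since rosters lag behind reassignments and emergency care legitimately crosses team boundaries.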

When medical files are accessed without authorization, the employee concerned is likely to be terminated, and potentially could face criminal charges. Any employee discovered to have accessed medical records without authorization is likely to find it difficult to gain future employment in healthcare.

Do Not Take Medical Records When Changing Employer

Employees who leave their practice might be tempted to take medical records with them. Some new employers might even encourage this, as the data may be used to get patients to change providers. Nonetheless, taking medical records, whether or not there is a historical relationship between the employee and the patient, is considered data theft and may result in criminal charges.

Never Disclose PHI (Including Images) on Social Media

A lot of healthcare organizations impose policies addressing the use of social media by employees and plainly state that details of work activities must not be discussed through social media. Posting a tweet that contains a patient’s personally identifiable information is a HIPAA violation. The same is applicable to posting on Facebook, including posts in private Facebook groups.

PHI includes not only medical information but also pictures and videos. In such cases, leaving the patient’s name off the photograph makes no difference: patients can easily be identified from images.

Selfies taken at work and shared on social media accounts violate HIPAA Rules if patients appear in the picture and there was no prior written consent from the patient. If you are unsure about HIPAA Rules, do not publish anything work related on social media without talking to your compliance officer first. The National Council of State Boards of Nursing (NCSBN) has a helpful guide for nurses about using social media.

There have been several high-profile cases of nurses and healthcare personnel who took photos or videos of patients and published them on social media platforms. Unacceptable posting of PHI can result in substantial financial penalties for the covered entity and employees can also lose their jobs, licenses and even face lawsuits.

Report Potential Violations of HIPAA

If you are convinced that a colleague has committed a HIPAA violation, action should be taken to address the issue. Let your supervisor or compliance officer know of the potential internal HIPAA violation so that action can be taken promptly to resolve the issue.

If you think your healthcare organization is not doing enough to avoid HIPAA violations, check with your compliance officer. If HIPAA Rules are not being followed, you can also submit a complaint to the HHS’ Office for Civil Rights.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023.