Nine Security No-Nos for Healthcare Employees
Healthcare companies and their business associates need to adhere to the HIPAA Privacy, Security, and Breach Notification Rules and employ safeguards to avoid HIPAA violations. Nonetheless, despite having controls in place to lessen the chances of HIPAA violations, data breaches continue to happen.
In most industries, hackers and cybercriminals are responsible for nearly all security breaches; in healthcare, however, insiders are mostly to blame. Although healthcare companies can take action to strengthen their defenses and use technologies that detect breaches quickly when they happen, healthcare personnel should also help prevent HIPAA violations.
Healthcare privacy breaches frequently happen because of negligence or insufficient familiarity with the HIPAA Rules. Healthcare providers must therefore make sure employees receive complete training on HIPAA, fully understand the permitted uses and disclosures of PHI, and protect ePHI at all times. Refresher training must also be conducted on a regular basis to make certain employees do not forget the HIPAA Rules.
Personnel should also take on some accountability for HIPAA compliance and help prevent HIPAA violations. Even a relatively minor violation of the HIPAA Rules can have serious consequences. Businesses can be subjected to large fines, HIPAA violations can damage the organization's reputation, and patients can be harmed. Employees found to have broken the HIPAA Rules, even unintentionally, can be fired and, in serious cases, may face criminal charges.
As an employee, if you would like to avoid HIPAA violations, keep in mind the advice below to avoid committing mistakes that would lead to HIPAA violations.
Do not divulge passwords or share login information.
Each employee receives a unique login account through which they are given access to important information. Hence, it is vital that those login details stay private. Login details should not be disclosed or written down. They are used to monitor user actions, including actions involving ePHI. If another member of staff knows your login details and improperly accesses ePHI using your credentials, it is your job that is at risk.
Do not leave portable devices or paperwork unattended.
There are many reports of data breaches caused by lost and stolen devices containing ePHI. Any lost or stolen device containing unencrypted ePHI must be reported under the HIPAA Rules. The Office for Civil Rights investigates such reports to determine whether the HIPAA Rules were violated. If the devices were left unattended, OCR may issue financial penalties.
In the same way, paper records containing PHI must never be left unattended in areas where they could be viewed or picked up by unauthorized persons or other patients. If this happens, OCR may also issue financial penalties. Always remind employees to take extra care with patient files to avoid the risk of accidental disclosures of PHI.
Do not send patient information in a text message.
Text messages are a fast and simple means of communicating, whether through the SMS network, Facebook Messenger or WhatsApp. Sadly, none of the popular messaging services has the controls required to prevent accidental disclosures of ePHI to unauthorized persons.
For instance, SMS messages are not encrypted and can easily be intercepted. WhatsApp is encrypted, yet it lacks proper authentication controls. For SMS to be used, your company must have entered into a HIPAA-compliant business associate agreement with the SMS provider. If you want to send ePHI, do so only over approved channels such as a secure healthcare texting platform.
Do not get rid of PHI along with regular garbage.
Most healthcare providers have already transitioned to electronic health records; however, paper documents are still widely used. Documents containing a patient's PHI should be kept secure at all times and discarded securely when no longer needed. HIPAA mandates that all PHI be rendered unreadable, indecipherable, and unrecoverable before disposal. So documents with PHI should not be thrown out with the regular trash.
Do not ever access patient information out of curiosity.
Employees who access patient health records without a legitimate reason are seriously violating the HIPAA Rules and patient privacy. Although most healthcare employees respect patient privacy, there have been cases of snooping on patient health records. Healthcare employees may only view patient records when required for purposes such as treatment, payment and healthcare operations.
Under the HIPAA Security Rule, covered entities must keep access logs so that unauthorized ePHI access can be identified. Those logs should be reviewed routinely. If healthcare records are viewed without proper authorization, the employee could be terminated and could also face criminal penalties. It would likely be difficult for that person to find future employment with other healthcare companies. The employer may also be heavily fined, and the company's reputation is at stake.
Don’t take healthcare records with you when you transfer to another job.
Employees leaving a job could be tempted to take PHI with them. New employers sometimes encourage this and use the information to recruit patients or offer them medical packages or equipment. However, taking medical records is data theft and could end up in criminal charges.
Don’t access your own health information using your own login information.
The HIPAA Privacy Rule permits patients to obtain copies of their health data upon request; however, healthcare employees do not have permission to access their own health records using their own login details. Healthcare employees must go through the same procedure as patients and submit a request for a copy of their health data through the HIM department.
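The two previous sections both describe misuse that only an access-log review can catch: a record opened with no treatment, payment or operations justification, and an employee opening their own chart with their own credentials. The following is an added example, not code from the original article, showing what a minimal routine review of such logs might look like. The log format (timestamp, user id, patient id, action, recorded justification) and the employee-to-patient mapping are assumptions; every record, user id and patient id is constructed sample data.

```python
"""Minimal ePHI access-log review (added example, constructed data).

Flags two patterns the article describes as HIPAA violations:
  1. self-access: an employee opening their own patient record
  2. unjustified access: a chart view with no treatment/payment/operations
     justification recorded by the EHR (assumed field name: relationship)
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample audit log; format is an assumption, not a real EHR export.
SAMPLE_LOG = """\
2024-03-01T08:05:00,u101,p5001,view,care_team
2024-03-01T08:07:00,u101,p5002,view,care_team
2024-03-01T12:30:00,u102,p5003,view,none
2024-03-01T12:31:00,u102,p9001,view,none
2024-03-01T13:00:00,u103,p5004,view,billing
2024-03-01T18:45:00,u102,p5005,view,none
"""

# Constructed mapping: employee u102 is also registered as patient p9001.
EMPLOYEE_PATIENT_IDS = {"u102": "p9001"}

# Justifications treated as permitted (treatment, payment, operations).
PERMITTED_JUSTIFICATIONS = ("care_team", "billing", "operations")


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str
    relationship: str  # assumed: justification the EHR recorded for the view


def parse_log(text: str) -> List[AccessEvent]:
    """Parse comma-separated audit lines into AccessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, rel = line.split(",")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, rel))
    return events


def find_self_access(events: List[AccessEvent],
                     employee_patient_ids: Dict[str, str]) -> List[AccessEvent]:
    """Views where the user's own patient id matches the chart opened."""
    return [e for e in events if employee_patient_ids.get(e.user) == e.patient]


def find_unjustified_access(events: List[AccessEvent]) -> List[AccessEvent]:
    """Views whose recorded justification is not a permitted purpose."""
    return [e for e in events if e.relationship not in PERMITTED_JUSTIFICATIONS]


def review(log_text: str, employee_patient_ids: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Summarise findings per user: counts of self-access and unjustified views."""
    events = parse_log(log_text)
    findings: Dict[str, Dict[str, int]] = {}
    for e in find_self_access(events, employee_patient_ids):
        findings.setdefault(e.user, {"self_access": 0, "unjustified": 0})["self_access"] += 1
    for e in find_unjustified_access(events):
        findings.setdefault(e.user, {"self_access": 0, "unjustified": 0})["unjustified"] += 1
    return findings


if __name__ == "__main__":
    for user, counts in review(SAMPLE_LOG, EMPLOYEE_PATIENT_IDS).items():
        print(f"{user}: {counts}")  # e.g. u102: {'self_access': 1, 'unjustified': 3}
```

In practice the "relationship" justification would come from the EHR's own audit trail (care-team membership, scheduled encounter, billing work queue), and the review would run on a schedule with results routed to the compliance officer rather than printed.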
Do not share ePHI including photos on social networking sites.
Many healthcare providers have policies on the use of social media, and these clearly state that employees should never share details of work activities via social media. For example, posting on Facebook or tweeting a patient's personally identifiable information, photo or video, or even gossip about a patient, is a serious HIPAA violation. Taking selfies at work with a patient and posting them on social media without the patient's written consent violates the HIPAA Rules. To be safe, do not post anything about work on social media without first speaking to your compliance officer. The National Council of State Boards of Nursing (NCSBN) has released a helpful guide on social media use for nurses.
Don’t fail to report potential HIPAA violations.
If you think a co-worker has violated the HIPAA Rules, you should act to stop similar incidents from happening again. Report potential HIPAA violations to your compliance officer immediately so that steps can be taken to handle the problem. If you think your company is not doing what is necessary to avoid HIPAA violations, talk to your compliance officer. If you know the HIPAA Rules are being routinely violated, you can submit a complaint to the HHS Office for Civil Rights.