Sometimes, it can be difficult to look at HIPAA critically. For many physicians and practice managers, the phrase "HIPAA violation" registers as "monetary penalty," and a pretty hefty fee at that.
But remember, HIPAA exists for a reason: to safeguard patient information. You may not catch every small HIPAA breach, and you may not be fined every time you unknowingly break a rule, but why wouldn't you do everything in your power to avoid any violations at all?
With the long bureaucratic to-do list many physicians are already following, it's easy to think HIPAA can be looked at later. Remember, however, when you risk violating HIPAA, you're also risking the information of your patients, as well as your credibility and reputation as a professional. We've made a list of HIPAA violations you may be risking right now. If any of these opportunities for a breach are threatening your practice, fix them right away. As they say, an ounce of prevention is worth a pound of cure.
1) You aren't using email encryption.
If we learned anything from the Sony Pictures data breach, it's the importance of encryption, even for seemingly innocuous files. Had the company encrypted its emails, hackers would've had a difficult time accessing the emails that became public last fall. As a matter of fact, Sony Pictures announced in December 2014 that the emails which had been stolen didn't just contain sordid gossip and celebrity salaries, but also included employees' medical information! Talk to your security team about encrypting emails, and have your HR department address email security with staff on a regular basis.
2) You forgot about paper files.
Using an EHR instead of paper files is one way to further protect patient information. However, be wary of charts, paperwork and forms that may be leftover from your pre-EHR days, or that patients bring in from other practices. Remember, too, that leaving charts or sign-in sheets unattended in accessible areas is risky, even if the information contained isn't medical in nature. Make a habit of putting paper files where they belong, even if you don't rely on them, and shred any patient records before you dispose of them.
3) You emailed the wrong patient.
This is an easy mistake to make, but it can have terrible consequences. You can put patients at risk, and you can lose their trust, simply because you didn't double-check your recipient or an email attachment. This is one of those "better safe than sorry" moments. If you're already using a secure email client and encrypting your servers, don't make your efforts in vain from a simple slip-up!
4) You reveal patient data in the waiting room.
In a blog post on HIPAA violations at Physicians Practice, Ericka L. Adler outlines a lot of easy slip-ups that happen in the waiting room. If your staff discuss patients' names, addresses and health plans at check-in, or if you keep a board with today's appointments in sight of patients, you're breaching patient confidentiality! Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you're just calling a patient to alert them to a portal update or to confirm an appointment, they deserve privacy.
5) You don't have safeguards for portal information.
Speaking of patient portals, make sure yours is easy-to-use and has compliance guidelines that are simple to follow. Create different accounts for different family members, and do not share log-in information unless authorized by the patient to do so. Require identity verification for password reminders, and remind patients to access their patient portal when they have a secure internet connection, not just on coffee shop WiFi.
6) You use Skype, Facetime or a messaging app.
We've talked about this topic before, but it bears repeating! Avoid using Skype or Facetime to communicate with patients. They simply aren't made to be HIPAA-compliant, and while you can ensure your Internet connection is secure, there's nothing you can do to make sure everything is safe on the patient's end if you aren't using a software program made for telemedicine. You may also be tempted to text or instant message through an app like Kik or What'sApp, but these aren't a safe option either. Pick which channels you use to communicate patient information, and stick to them. Portals and email may not be as convenient as instant messaging, but they aren't as inconvenient as a data hack.
7) You don't protect PHI and PII.
Are you treating protected health information and personally identifyable information with the same amount of caution? Remember, as a physician, you have access to much more than patients' flu shot records. Protect a patient's SSN, address and even insurance group the way you would their medical charts. Hackers and data thieves will target any information they can find, so make sure you are protecting all a patient's information.
8) You haven't set guidelines for staff.
If you asked your office staff to explain their responsibilities with HIPAA in mind, what would they say? Since your office staff will likely have the most contact with patients' raw data, they're your first defense against data breaches. Create policies which explicitly outline what staff can and cannot do with patient data, including where and when they can talk about records. If you're going to be outsourcing any managerial duties, or you've recently started using temporary workers, make sure you're clear with guidelines for those employees as well. Don't just go over HIPAA during staff training. Make sure security procedures are easy to find in your practice, and staff will be able to follow them more closely.
9) You aren't stringent about signatures.
It may seem like overkill, but collecting signatures like a star-struck tourist in Hollywood is a good way to reduce liability for your practice. Don't accept paperwork that doesn't have a legible signature, and make sure you keep track of document expiry dates, in case you need new authorization from patients. In general, if a patient hasn't signed off on it, don't do it. Require patient signatures for everything, from payment permissions to portal sign-ups. It's something you will thank yourself for down the line if patients come to you with concerns.
10) You don't protect your practice's technology enough.
If your practice's computers were stolen today, what is the first thing you would do? If you answered "panic," then maybe you should consider investing in security cameras. Physical theft of technology is a real risk for HIPAA breaches, as exhibited by a case in California, where two unencrypted laptops were stolen from a hospital system and put 729,000 patients' data at risk. Protect your practice's technology with encryption, as well as physical safeguards, the way you would lock up paper records.
Remember: Just because you don't get fined for a HIPAA violation, that doesn't mean it isn't a negative for your practice. Any data breach can ruin your practice or change the lives of patients, even without your knowledge. Treat all patient information with the same amount of respect and caution, and enjoy the peace of mind that comes with being proactive.
Have you made a simple HIPAA mistake? How did you fix it?
Let us know in the comments!