Preventing HIPAA Violations Using Employees
Healthcare groups and their business associates must comply with the HIPAA Privacy, Security, and Breach Notification Rules and put in place safeguards to prevent HIPAA violations. However, even with controls in place to minimize the risk of HIPAA violations, data breaches still take place.
In most sectors, it is hackers and other cyber criminals that are to blame for the majority of security breaches, but in healthcare it is insiders. While healthcare groups can take steps to improve their defenses and introduce technologies to identify breaches quickly when they occur, healthcare employees also need to help stop HIPAA violations.
Employees Can Help to Stop HIPAA Violations
Healthcare privacy breaches often happen due to carelessness or a lack of understanding of HIPAA Rules. Healthcare groups should therefore ensure employees receive full training on HIPAA, know the permissible uses and disclosures of PHI, and know how to secure ePHI at all times. Refresher training sessions should also be given regularly to ensure HIPAA Rules are not forgotten.
Employees must also take responsibility for HIPAA compliance and help to stop possible HIPAA violations. Even relatively minor breaches of HIPAA Rules can have severe consequences. Organizations can be liable for substantial fines, and HIPAA violations can damage an organization's reputation as well as harm patients. Employees discovered to have violated HIPAA Rules, even accidentally, face termination and, in severe cases, may face criminal charges.
As an employee, if you want to cut HIPAA violations, review the HIPAA violations below and make sure you do not make these common mistakes.
How Employees Can Prevent HIPAA Violations
Listed here are some of the common ways HIPAA Rules are breached by employees.
1. Never Share Passwords or Login Credentials
Every employee is given a unique login, through which they are granted access to sensitive information. It is therefore vital that those login details stay private. Login details should never be shared or written down. Login data is used to track the actions of users, including activities involving ePHI. If another staff member has your login credentials and improperly accesses ePHI using those credentials, it will be your job that is threatened.
2. Never Allow Portable Devices or Documents to be Unattended
The Office for Civil Rights breach portal sees lots of reports of data breaches involving lost and stolen devices and mishandled PHI. A lost or stolen device containing ePHI is reportable under HIPAA Rules if the device is not encrypted. The Office for Civil Rights reviews reports of lost and stolen devices to determine if HIPAA Rules have been breached. If those devices were left unattended, financial penalties may be issued. Portable devices must never be left unattended, whether or not they are in use.
The same applies to paper files. Even when busy, healthcare employees must never leave documents that contain PHI in areas where they can be seen by unauthorized individuals, picked up by other healthcare staff, or seen by other patients.
You can avoid HIPAA violations by reminding employees who are not taking enough care with patient files about the risk of accidentally sharing PHI.
3. Do Not Share Patient Information by Text
Text messages are a quick and simple way to communicate, whether via the SMS network, WhatsApp, or Facebook Messenger. Unfortunately, none of the common messaging services have the required controls to prevent accidental disclosures of ePHI to unauthorized people.
For instance, SMS messages are not encrypted and can easily be intercepted. WhatsApp is encrypted, but lacks proper authentication controls. In order for a text messaging service to be implemented, your employer must have completed a HIPAA-compliant business associate agreement with the service provider. If you need to share ePHI, only do so through approved channels such as a secure, healthcare text messaging platform.
4. Don’t Throw out PHI with Regular Trash
While most healthcare groups have now moved to electronic health records, paper documents are still used in a lot of places. Any document containing the PHI of a patient must be kept secure at all times and disposed of securely when no longer needed. HIPAA requires all PHI to be rendered unreadable, indecipherable, and unable to be reconstructed when it is no longer required. Your employer should have strict rules governing the disposal of PHI which prohibit the disposal of documents with regular trash. You must be very careful to ensure that any paper copies of PHI are disposed of securely.
5. Never Access Patient Records Out of Curiosity
The accessing of patient health records by staff, without any legitimate reason for doing so, is a serious breach of HIPAA Rules and patient privacy. While most healthcare employees respect the privacy of patients, there have been many cases over the years of employees snooping on the records of patients.
Healthcare workers are only permitted to view patient records if they are required to do so for treatment, payment, or healthcare operations. For treatment reasons, employees are only permitted to view the records of their own patients.
The HIPAA Security Rule requires covered entities to maintain access logs so that inappropriate ePHI access can be identified. Those logs must be regularly reviewed. Depending on the system in place, a flag could be raised quickly or it may take until the next audit for the privacy violation to be discovered, but improper accessing of PHI will be spotted.
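As an added illustration of the log review described above (example code, not from this article or any HIPAA product), the following Python checks a constructed audit log against constructed care-team assignments and flags treatment-purpose access to patients outside the user's care, plus staff viewing their own record. The log format, field names, purpose codes, and the user and patient identifiers are all assumptions.

```python
"""Review ePHI access-log entries for access outside a treatment relationship.

Constructed example: log format, field names, users and patient ids are
assumptions for illustration, not taken from any real system.
"""

# Constructed care-team assignments: which patients each employee treats.
CARE_TEAM = {
    "nurse.adams": {"P1001", "P1002"},
    "dr.baker": {"P1002", "P1003"},
    "clerk.chen": set(),  # billing staff: no treatment relationship
}

# Constructed mapping of employees who are also patients to their own record.
OWN_RECORD = {"nurse.adams": "P2001"}

# Constructed audit log: timestamp, user, patient id, action, purpose code.
SAMPLE_LOG = """\
2024-03-04T08:02:11 nurse.adams P1001 VIEW TREATMENT
2024-03-04T08:15:40 nurse.adams P1003 VIEW TREATMENT
2024-03-04T09:01:05 dr.baker P1003 VIEW TREATMENT
2024-03-04T09:30:22 clerk.chen P1001 VIEW PAYMENT
2024-03-04T12:44:09 clerk.chen P1002 VIEW TREATMENT
2024-03-04T13:10:51 nurse.adams P2001 VIEW TREATMENT
"""


def parse_log(text):
    """Yield one dict per whitespace-separated log line."""
    for line in text.splitlines():
        ts, user, patient, action, purpose = line.split()
        yield {"ts": ts, "user": user, "patient": patient,
               "action": action, "purpose": purpose}


def flag_access(entry):
    """Return a reason string if the access looks improper, else None."""
    user, patient, purpose = entry["user"], entry["patient"], entry["purpose"]
    if OWN_RECORD.get(user) == patient:
        return "self-access: staff must request their own records via HIM"
    # Treatment access is only permitted for the user's own patients.
    # Payment / operations access is not judged here (needs more context).
    if purpose == "TREATMENT" and patient not in CARE_TEAM.get(user, set()):
        return "treatment access to a patient not under this user's care"
    return None


def review(text):
    """Return a list of (entry, reason) for every flagged access."""
    return [(e, r) for e in parse_log(text) if (r := flag_access(e))]
```

Running `review(SAMPLE_LOG)` on the constructed log flags three entries: the nurse viewing a patient outside her care team, the billing clerk recording a treatment-purpose view, and the nurse opening her own record.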
If medical records are accessed without permission it is likely to result in termination, and possibly criminal penalties against the individual involved. Such actions are also likely to make it hard to obtain future employment at other healthcare groups. Your employer can also face heavy fines and considerable reputation damage.
6. Don’t Bring Medical Records with You When You Change Jobs
When employees depart a practice, they may wish to take PHI with them. Some new employers may even ask for this – the information could be used to recruit patients or sell them medical services or equipment. However, taking medical records, even if there has been a longstanding relationship with the patient, is data theft and could lead to criminal charges.
7. Don’t Look at Your Own Medical Records Using Your Login Details
The HIPAA Privacy Rule permits patients to obtain copies of their health records on request, but healthcare workers do not have the right to access their own medical records using their login credentials. Normally, healthcare providers require staff to go through the same process as patients. In order to obtain access to their health data, they must file a request for a copy of their health information via their HIM department.
8. Do Not Publish ePHI on Social Media (Including Photos)
Many healthcare groups have developed policies covering the use of social media by their employees and clearly outline that details of work activities should not be shared via social media accounts. The publishing of a tweet containing personally identifiable information of a patient is a serious HIPAA breach. The same applies to posting on Facebook, even in a closed Facebook group. That includes ePHI and any other details about a patient.
PHI includes health information, but also photographs and videos. In such instances, it doesn’t matter if the photograph does not include the patient’s name. Patients could easily be identified from the image.
Selfies taken at work and published to social media accounts breach HIPAA Rules if patients are included in the photograph and prior written consent has not been obtained. It would also be a HIPAA breach if PHI can be identified in the photographs, such as documents and charts. If in any doubt about HIPAA Rules, don’t publish it on social media without speaking to your compliance officer. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on social media.
Report Potential HIPAA Violations to Relevant Agencies
If you think a colleague has broken HIPAA Rules, it is important to take action to stop similar incidents from occurring in the future. Report possible HIPAA violations internally to your compliance officer so that action can be taken quickly to address them.