HIPAA Compliance and Mistakes: Let's just say what everyone is thinking: Trying to be compliant with the Health Insurance Portability and Accountability Act (HIPAA) is tough! At HIPAAgps, we get that. We also get the importance of HIPAA compliance in protecting patient and client health information while providing the most efficient health care possible. We care about you and your patients, which is why we created the HIPAAgps online compliance platform and this guide to help you get on the road to becoming and staying HIPAA compliant. The primary goal of HIPAA is to allow for the increase of health care efficiency while making sure that organizations secure Protected Health Information (PHI), and thus reduce the risk of breaches to that information. HIPAA compliance requires active and dynamic action from everyone who works in or with your organization and deals with PHI. This includes your Privacy and Security Officer(s), Business Associates, management, employees, and sometimes even maintenance personnel. Each role within your organization and each of your business associates presents different risks that you must manage to protect PHI, prevent breaches and protect your organization from severe penalties. To help your organization begin minimizing these risks and gain a better understanding of what the HIPAA standards require, we have compiled a list of 10 major HIPAA mistakes that occur in organizations, cause breaches, and ultimately lead to monetary penalties. Penalties for non-compliance with the HIPAA standards and for breaches can reach up to $1.5 million. We don't want breaches or fines to happen to your organization, and we know that you don't want them to happen either, so check out this guide, and then visit us at HIPAAgps.com to get on the road to HIPAA compliance.
1. Writing down passwords and leaving them easily accessible. Too often, employees write down their passwords on a sticky note, or some other piece of paper, and then leave the note in an unsecured drawer, an easily accessed personal notebook, or even worse, sitting on their desk. The point of a password-protected account is to only allow access to specified personnel with access permission. By writing down a password and placing it in an easily accessible place, the employee gives a key to secured areas of your organization to whoever finds the note containing the password. To address this issue, encourage employees to use password-protection apps that allow them to keep their passwords in an encrypted application, or have them store the passwords in an encrypted file on their work or personal device. At minimum, ensure that they store the written note in a locked file within a locked room. Although it can be difficult to remember all the different passwords for different accounts, it is critical that your organization require employees to protect their passwords and your systems. You can and should document this requirement within your Password policies and procedures, as required by the HIPAA standards.

2. Leaving health records open to public view. People are curious by nature, so leaving a paper health record file open at the front desk where patients check in, or a laptop containing PHI sitting open facing where people passing by can sneak a peek, is asking for a breach. Expect wandering eyes. If one of your employees accidentally leaves a patient's file in the hospital cafeteria, there is a high likelihood that an unauthorized individual will have snuck a glance. Your organization would have to report the incident as a breach to the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS), which could result in a fine. Even if, to the best of your knowledge, the person who viewed the material did nothing with it, your organization would still have to report it. Your organization is responsible for protecting PHI from those wandering eyes. When paper or electronic health records are left open, unauthorized people have the opportunity to see PHI, and if they do, it's a breach. To address this, instruct your employees to take precautions to protect PHI from unauthorized views and remind them that they are responsible for safeguarding the PHI that they're given. A few recommended requirements include: turning paper documents over in public places, like a receptionist's desk, when not in use; facing computer screens away from the public or using privacy screens; and keeping paper health records on their person while in use and safely secured when not in use.
3. Walking away from an unlocked computer. Similar to leaving records out in the open, leaving computers unlocked when stepping away enables anyone who comes along to access your organization's system. This could cause a very extensive, problematic breach, especially if an employee walks away leaving his or her computer unlocked with PHI applications pulled up. Access to your electronic records system could easily lead to a breach of more than 500 individuals, which, by HIPAA regulation, requires that you report the breach to all of the affected individuals, the Office for Civil Rights (OCR), and the media. Talk about bad publicity. Remind your employees that they will be held liable if something is inappropriately accessed on their account. They need to know that even though locking the computer for a quick bathroom run may seem silly, it's far from it. Serious breaches can happen in that amount of time, and they could lose their job because of it. It's also important to have automatic logoffs in place, but they should only be a failsafe, not a trusted go-to safeguard. Employees should always lock their computers when stepping away. It's a simple practice, but it's often overlooked.
4. Not using encryption and/or remote-wipe capabilities on mobile devices. Proper precautions like encryption and remote wiping for mobile devices are crucial. Many organizations have been caught in a breach because they did not have these safety measures in place. They had mobile backup devices or flash drives with patient data on them, and they either lost the devices or the devices were stolen. The real issue here is not that the device was lost or stolen, although preventing that scenario should be a top priority; the real issue is that they did not encrypt the device, so now anyone can access the PHI it contains. Consequently, the organization has to assume that the PHI was accessed, forcing them to notify the OCR of a breach. Also, there are usually multiple patient accounts on one device, which can easily lead to a media firestorm. The organization then loses patient trust and pays a penalty for the breach. To protect against this scenario, always encrypt everything that stores, accesses, or transmits ePHI. If possible, use remote-wipe capabilities to sanitize the device when it's misplaced or stolen.

5. Lack of tracking for mobile devices. An easy way to set your organization up for real trouble is by not keeping an inventory of your mobile devices. Lack of tracking can open your organization to the liability of a breach. If someone takes a flash drive with PHI, but no one knows where it went, your organization must assume there is a breach of PHI. This is another risk that can be easily managed. Implement sign-in and sign-out sheets. Also, make sure that employees know that if something happens to any PHI-holding device while it is checked out under their name, they will be held responsible. By using the inventory process and a check-out procedure, you can protect your organization from a very avoidable situation. Plus, you will be able to show an auditor that you did implement a proper HIPAA mobile-device inventory and that you know who the responsible employee is. Having and knowing this information can help minimize the penalties in case of a mobile-device breach.
6. Throwing PHI in the trash rather than disposing of it properly. To start, let's first make sure that we are all on the same page with this issue: PHI materials, paper or electronic, should never be just tossed into the trash. Proper disposal procedures must be followed. This is another mistake that many organizations have made. Someone throws PHI in the trash, which is easily accessible to the public, and someone else gets their hands on it and then uses it for nefarious means. For example, a ruthless paparazzi reporter, who has been stalking a celebrity that comes to your office, digs in your trash and finds a patient note about the celebrity that details their recent diagnosis, and then posts a story about it. That is most definitely a breach that could not only have serious consequences from the OCR, but that celebrity could also sue for the breach of privacy and for damaging their reputation. You could also run into identity theft and fraud allegations if you are not careful to follow proper disposal procedures. Your organization must be very clear about what your disposal procedures are, and you must have a policy and procedure document detailing this information to meet the HIPAA standards. Make sure that your workforce members know your procedures and agree to implement them. Your organization must ensure that all PHI materials are disposed of properly, which may require shredding or media sanitization.
7. Leaving doors unlocked or door keys accessible. Although this may seem like a given, it can often be the cause of a breach since it is so easy to forget the importance of this security measure. Once again, your organization must protect PHI from those wandering eyes. By not locking the doors, or leaving the key in the door or filing cabinet, PHI becomes susceptible to a breach. For example, a nurse practitioner working at an elderly care facility left her key to the PHI cabinet sitting on her desk. When she returned to get the key, it was gone, and a PHI file cabinet had been opened. Even though no files were missing, the organization had to report the incident as a breach. Avoid this situation by ensuring that all doors are locked and keys are not left accessible. You can require that your workforce members keep their keys on them while working and securely stowed while not in use. An unlocked door or a key lying on a desk presents serious breach risks that your organization can easily avoid. You have to inform your workforce members of the importance of protecting their keys. It should be common sense, but without a sense of urgency in protecting their keys and PHI, an employee could easily make a simple mistake that leaves your organization vulnerable.

8. Sharing or using PHI without paying attention to surroundings. Caregivers in organizations are often the culprits of these mistakes, but it can also be an issue in clerical settings. You never know what people will pick up from a conversation. If you're a doctor and you need to share treatment information with a surgeon, you should be aware of your surroundings and take all reasonable and appropriate steps to safeguard PHI as you disclose the information. In this case, that may mean speaking quietly so that the other patients and doctors walking along the hospital's hallway don't overhear you. Basically, to protect patient confidentiality, be aware of your surroundings. Speak to coworkers in a quiet voice so that you are less likely to be overheard. If possible, converse behind closed doors, or in a secluded area away from other people.
9. Using social media improperly. Increased risks for unauthorized disclosures come with many aspects of our digital age, like social media. Employee use of social media can lead to breaches and major issues for organizations. Too often, employees post work-related information online without checking for PHI first. For example, an employee may wish to simply extend well-wishes to a neighbor by posting something like: "One of my neighbors came into the office for surgery today. Please pray for a speedy recovery for her." Even when a PHI post is made with the best intentions, it's still a breach. Your employees must leave it to the individual to determine if and how his or her PHI should be shared. It is important that your organization inform your employees of what constitutes PHI, and that you have policies and procedures in place that address social media and other Internet-use issues. Remember, if the information shared can in any way identify a person and relate that person to your facility, treatment or any other HIPAA-defined characteristic, then it's an unauthorized disclosure and a breach. Many organizations choose to take a firm stance that prohibits sharing any work-related information on social media. Some also restrict picture-taking at the office because there is always the chance that PHI could get caught in the background and then posted online. Using the HIPAA standards, your organization must determine the best social media policy for you.

10. Clicking links in emails. This is a common social engineering attack and a mistake that leads to many breaches. Oftentimes, multiple employees will receive the same email that appears legitimate. It will contain a link to something that most people would be interested in, like a funny video or an offer for something free. It is designed to be tempting and to lure people to click the link. However, the link doesn't provide what the receiver thought it would; instead, it loads malware onto their computer. Through the malware, a hacker now has access to your system and can view PHI and steal it for whatever reason he or she wants. To combat this electronic attack, inform your employees of how to handle suspicious emails and unknown links. If they receive a suspicious email or feel unsure about an email link, they should immediately notify your IT department or their supervisor. Many times, they will not be the only one to receive the link, so quickly passing along the information throughout the organization is important to mitigate the risk of a breach.
The Road to HIPAA Compliance: Remember, it is your organization's responsibility to protect PHI. Your patients and clients are trusting that you will care for their information. HIPAA compliance requires that you meet several standards to protect PHI, and missing even the smallest regulation could result in a breach and serious consequences for your organization. Don't fall prey to these mistakes! Make sure that your organization has the necessary policies and procedures in place, and that all of your organization's workforce members are aware of their roles in regard to safeguarding PHI. To find out more about the many HIPAA requirements and how to become and stay HIPAA compliant, visit our website at HIPAAgps.com. We want to help your organization perform and keep track of your HIPAA compliance risk assessments, documents, employee training, business associate agreements and so much more. Let us help you get on the road to HIPAA compliance!
2015, HIPAAgps, LLC. All rights reserved.