HIPAA -- the rules and regulations overseeing patients' protected health information (PHI) and how providers and practices must handle it -- can be challenging to deal with. But with civil and criminal penalties possible for violators, it’s vitally important that you and your practice understand your responsibilities and follow through on them.
Here are the five most common HIPAA violations that any individual or organization handling PHI should be especially careful to avoid.
1. Impermissible Uses and Disclosures of PHI
If PHI is accessed, shared, used or disclosed in a way not permitted under HIPAA, that constitutes a violation. And this compliance issue often comes down to the “failure to have proper, ongoing training to prevent the release of private patient information,” says Glenn Phillips, a senior consultant at Forte Online.
Joey Feyereisen of ReachIPS agrees. “The first risk is in the training and monitoring of that training regarding how information regarding PHI is gathered and communicated."
Getting people up to speed means they have to store and share data differently than they used to, Feyereisen explains. “There are a lot of analog items -- checklists, reports, sticky notes -- that need to be put into a safe policy and have auditing around that."
2. Lack of Safeguards for PHI
This wide-ranging issue covers bad practices with data management. “Issues around technical compliance include everything from passwords and screen savers on end-user equipment, to the actual network itself, to the transport of data, as well as how data is stored at rest and at backup,” Feyereisen says.
“The biggest area of non-compliance we see is the accessibility of USB slots on end user and server equipment, enabling potential breach of data from an $8 thumb drive.”
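The thumb-drive point above is one of the few technical safeguards on this list that can be checked and enforced with a script rather than a policy document. The following PowerShell is an added example written for this page, not code from Feyereisen, ReachIPS or Logan Solutions. It assumes a Windows 10/11 or Windows Server host (the usual platform for EMR and Dragon Medical workstations), an elevated prompt, and a practice that has decided removable storage is not allowed on the machines in scope. It reads two documented registry settings: the `USBSTOR` service start type (4 means the mass-storage driver is disabled; 3 is the default, which loads it on demand) and the Device Installation Restrictions policy `DenyRemovableDevices` (1 blocks installation of removable devices, the same setting the "Prevent installation of removable devices" group policy writes). Without `-Enforce` it only reports; with it, it writes the two values.

```powershell
# Added example (not from the original post): audit and optionally enforce two
# standard Windows controls against thumb-drive exfiltration of ePHI.
# Assumptions: Windows 10/11 or Server, run from an elevated prompt, and a decision
# by the practice that no removable storage is permitted on the hosts in scope.
param(
    [switch]$Enforce   # without this switch the script is read-only
)

# Control 1: the USB mass-storage driver's start type. 4 = Disabled, 3 = Manual (default).
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Control 2: Device Installation Restrictions policy that denies removable devices.
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbStorageState {
    # Missing keys/values return $null, which simply evaluates as non-compliant.
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $restrictions -Name DenyRemovableDevices -ErrorAction SilentlyContinue).DenyRemovableDevices
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Checked                = Get-Date -Format o   # timestamp for the audit record
        UsbStorDriverDisabled  = ($start -eq 4)
        RemovableInstallDenied = ($deny -eq 1)
        Compliant              = ($start -eq 4) -and ($deny -eq 1)
    }
}

$before = Get-UsbStorageState
$before | Format-List

if ($Enforce -and -not $before.Compliant) {
    # Disable the driver so newly inserted USB disks are not mounted.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord

    # Deny installation of removable devices; create the policy key if it does not exist.
    if (-not (Test-Path $restrictions)) { New-Item -Path $restrictions -Force | Out-Null }
    Set-ItemProperty -Path $restrictions -Name DenyRemovableDevices -Value 1 -Type DWord

    # A drive that is already mounted stays mounted until the driver is unloaded;
    # reboot the host to make the change take effect reliably.
    Get-UsbStorageState | Format-List
}
```

Two caveats for anyone using this as a starting point. First, it covers USB mass storage only: MTP devices (phones, cameras), CD/DVD burners and cloud-sync clients are separate exfiltration paths and need their own controls. Second, keep the audit output. HIPAA's security rule expects a practice to be able to show that a safeguard was in place and checked, and a dated, per-host record from a script like this is far easier to produce during a risk assessment than a verbal assurance that "USB is blocked."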
3. Lack of Patient Access to Their PHI
Patients have the right to access their health records under the HIPAA Privacy Rule and, in some cases, under additional federal and state law. Many clinics have policies for accessing that information, such as requiring patients to fill out a specific request form.
If you have a health information management department, ensure that its policies are up to date and that patients are aware of their rights and responsibilities, as well as any procedures they need to follow to access their information.
4. Uses or Disclosures of More Than the Minimum Necessary PHI
People who work in health care are trained to help, and may sometimes feel that giving more information than is asked for can be helpful. Unfortunately, that can be a HIPAA violation.
“Once key physical and technical security measures are put in place, human factors are likely the greatest source of breaches,” says David Harlow, principal at the Harlow Group. “These are non-technical vulnerabilities created by staff that are not fully attuned to the importance of HIPAA compliance. The best way to address these issues is frequent in-service trainings followed by tests to ensure that staff have retained the information presented.”
5. Lack of Administrative Safeguards of Electronic PHI
“Failure to have a thorough, written security policy and procedure” is a major cause of HIPAA noncompliance, says Phillips. “Other common issues include failure to have a viable disaster plan that also includes security considerations, and failure to follow the existing security policies and procedures,” he says. Put a viable plan together and stick to it.
To learn more about HIPAA risk assessment and HIPAA compliance, join us tomorrow, Wednesday, Nov. 13, for our 30-minute webinar "HIPAA Risk Assessment: What You Need to Know."
Logan Solutions uses a combination of clinical practice expertise and technological skill to help physician practices throughout the U.S. implement, customize and improve their EMR and Dragon Medical software systems. Contact us to find out how our clinical-practice expertise can help your practice with its clinical documentation software needs.