7 common HIPAA compliance pitfalls and how to avoid them
When it comes to healthcare, patients expect that their private information will be protected. The Health Insurance Portability and Accountability Act (HIPAA) was created to help standardize the process of safeguarding this information. Unfortunately, many practices fail to implement even the most basic HIPAA requirements.
HIPAA compliance should not be a one-time goal that is checked off and then forgotten. Rather, it should be an ongoing process of striving for better administration and patient security.
Here are 7 of the most common HIPAA compliance pitfalls, along with tips for overcoming them.
HIPAA privacy violations
It is essential that all healthcare professionals and personnel have a clear understanding of the HIPAA Privacy Rule. While protected health information (PHI) security is important, privacy is equally important.
All entities dealing with PHI must understand when it can and cannot be shared. Disclosing PHI that is not permitted under the HIPAA Privacy Rule can result in a financial penalty. HIPAA training is required for all new employees within a reasonable time after starting employment, or for employees whose role is changing. While training requirements are flexible, they are mandatory and essential for preventing privacy violations.
Social breaches
Accidental breaches in social situations can be quite common, especially in smaller communities. While patients may have a vague sense of HIPAA, most are not well-versed in HIPAA laws. They may make an innocent inquiry about a friend to the healthcare provider in a social setting, not realizing that the provider revealing that information would be a HIPAA violation.
While it is impossible to stop these inquiries, it is prudent to prepare providers for how to respond. Having a planned response in advance of these interactions will reduce the likelihood of accidentally releasing private patient information.
As a side benefit, this practice may actually increase patient confidence in your healthcare professionals.
Accessing patient information on personal devices
Everyone has to work from home at one time or another. While accessing PHI from your personal computer is not a violation in and of itself, it is considered risky behavior.
When accessing patient notes or records from home, you should never leave your computer unattended. You should also avoid working where others can see the information on the screen, which risks exposing PHI. If you must leave your device unattended, such as in your car, lock the device and store it out of sight to prevent theft.
Many practices have faced heavy fines as a result of devices with PHI being stolen or accessed by the wrong people.
Loss of a device
Losing a laptop or other device that stores PHI is a HIPAA violation. To avoid penalties you must be able to prove that the data on the lost device was encrypted and/or that the device was secure. If possible, do not store PHI on mobile devices. If your organization must use mobile devices to handle PHI, set up controls to remotely wipe their data, along with other effective security measures.
Exceeding the 60-day deadline for breach notifications
While you should make every effort to protect client information, it is an unfortunate reality that data breaches do occur. The HIPAA Breach Notification Rule requires that you notify affected parties within 60 days of a data breach discovery.
In spite of this rule, exceeding this time frame is one of the most common HIPAA violations. Failing to notify people within 60 days may result in very steep penalties. If and when a breach occurs, make note of the 60-day time frame and remember that it is in your best interest to comply with it.
Mishandling medical records
If you still use paper records, you are at an increased risk of having those records become exposed. It is very important not to leave medical records in exam rooms, at the billing desk, or otherwise lying around. All records and files should be kept in locked filing cabinets to limit who has access.
If you’re making the transition away from paper records, it is also very important to dispose of medical records properly. Consider working with a secure document shredding company. For more information on proper disposal of PHI documents, see the U.S. Department of Health and Human Services website.
Failure to enter into HIPAA-compliant business associate agreements
One thing that is often overlooked is the necessity of entering into HIPAA-compliant business associate agreements with all vendors who have access to PHI. It is also necessary that you do your due diligence to verify your business associate’s compliance.
It is a common misconception that business associates are limited to medical vendors. When the Omnibus Rule was passed, the definition of business associate was expanded to include anyone outside of your organization who processes, stores, transmits, or accesses your PHI.
This now includes IT providers who furnish infrastructure used for ePHI, such as those who provide:
- Cloud hosting
- Backup storage
- Apps to process PHI
- Tech support
- Data destruction
- Electronic security tools
Make sure you’re working with an IT provider experienced in HIPAA compliance. A good managed IT services provider can also help identify other areas where you can improve your cybersecurity and HIPAA compliance measures.