In an increasingly digital world, HIPAA compliance has become more and more important—and more frequently violated.
And it’s not just a crime of those purposely looking to spread information. In an age when personal news and data are constantly being shared—even legally, across multiple platforms—it’s much easier for people to accidentally release private details. This is especially true in healthcare.
According to a 2018 Verizon whitepaper titled Protected Health Information Data Breach, employees cause nearly 60% of healthcare breaches.
From social media, to hackers, to expanded avenues of communication, it’s important to make sure your practice knows how easy it is to compromise someone’s protected health information (PHI)—and how to avoid those mistakes.
As a practitioner or health and wellness business owner, we know you put a lot of care and consideration into the hiring of your staff. From technicians to administrators to bookkeepers, you understand the sensitivity surrounding the information available about your patients in your office, and you hold your employees to the same code of conduct as yourself.
This means that personal information is only shared in situations where it’s absolutely necessary for one’s care and treatment—never publicly or in a way that is insecure.
However, it’s always critical to provide new (and existing) staff with proper education and training surrounding HIPAA compliance—especially as it continues to shift and evolve in our very interconnected world.
Whether you pay for an in-person or online HIPAA training course, or take it into your own hands to conduct a review of the HIPAA Omnibus Rule Employee Training & Implement Protocols with your new employees and periodically with your staff, it’s important that the expectations of HIPAA compliance and penalties of failing to adhere to them are clearly communicated on a consistent basis.
A big part of adhering to HIPAA regulations is taking the necessary steps to keep a patient’s identity secure. This means protecting any sort of information that could reveal the patient’s identity, including name, phone number, and address.
To this effect, even having a sign-in sheet out on a front desk for patient check-in is deemed a HIPAA violation, since other patients are able to see the names of earlier visitors. Instead, a member of your staff should be staffing the front desk to quickly and quietly help patients sign in for appointments.
Your staff must also be sure that they aren’t talking about any sensitive information within the hospital or office building—including in elevators, stairways, public areas, or even on the phone in earshot of others.
Obviously, phone communication with patients has existed for a while. And even though email and text messages are used more frequently now for scheduling and reminders, delivering any kind of results or important information still happens over the phone lines (if not in person).
According to the HIPAA Journal, the FCC has determined that if—and only if—a patient has provided a contact phone number to a healthcare provider, that provider may use that number to reach out to discuss:
“– The provision of medical treatment.
– Health checkups.
– Appointments and reminders.
– Lab test results.
– Pre-operative instructions.
– Post-discharge follow-up calls.
– Notifications about prescriptions.
– Home healthcare instructions.
– Hospital pre-registration instructions.”
In addition, “when a telephone call is made, healthcare providers must first provide their name and contact details. The FCC recommends that calls should be concise, and limited, in most cases, to 60 seconds.”
Don’t forget that a patient can give their consent to share information with a family member or loved one—a spouse, parent, child, etc. However, if they have not clearly indicated that person as someone who can receive this information, you must never share appointment details or lab results if someone other than the patient answers. This is also true for leaving voicemails. You can’t be sure that a person’s mobile device is secure, so err on the side of caution and never leave a message with sensitive information.
Email is a convenient way for physicians and practices to stay in touch with patients. It’s one digital concept that has transcended generational lines (we bet even your grandma has an email account) and become an accepted form of communication across nearly every industry.
However, when it comes to HIPAA, there is one glaring problem with email—it’s not automatically encrypted. You also can’t ensure that the person on the receiving end of your email is the patient, which you are able to verify over the phone.
There are steps you can take to ensure that your email exchanges with patients are private and HIPAA compliant. By encrypting your emails, gaining patient consent for sending electronic information, and including an all-inclusive privacy statement at the end of every email, you can feel confident that you are taking the necessary measures in the eyes of HIPAA regulations.
We know it’s a lot to consider, but we have your back. Check out our previous blog that covers email and HIPAA compliance: Your Guide to Staying HIPAA Compliant When Emailing Patients.
Truth be told, social media is a tricky domain when it comes to healthcare and privacy laws.
In 2018, a lot of private practices, hospitals, and specialty wellness businesses have a social media presence—as they very well should! However, when it comes to HIPAA, you have to be very careful about what you post to your accounts.
For example, showing your employees (with their consent, and without any patient files in view!), your office, or lifestyle images on your Facebook or Instagram account is a great way to stay in front of patients and offer them an insider’s glimpse of your practice. It could even make them feel more comfortable about upcoming appointments or procedures.
However, you must never share anything that could be considered an indicator of a patient (unless, of course, they give their consent for you to use a testimonial or something similar). Even using a photo without a name is a giant no-no.
To get a better understanding of how to use social media while also being compliant, we recommend reading our previous article 5 Ways to Stay HIPAA Compliant When Using Social Media.
And, when in doubt, don’t hit that “post” button.
Electronic Medical Records
In the age of electronic medical records (EMRs), medical information can easily be shared among healthcare teams and patients themselves. This allows everyone to stay properly informed, greatly helping a patient’s overall care.
In addition to ensuring that the systems and networks in which you are sharing EMRs are secure, some practices may still be holding on to outdated paperwork of patient files. Once a patient’s medical history has been included in their EMR, it’s important to eliminate the paper copies.
You can’t just toss them in the trash can to go out with the garbage—they must be properly shredded and disposed of to ensure that no unauthorized person gains access.
You may also be using electronic intake forms (smart decision!) to help gather patient information more quickly in an effort to reduce wait times at appointments. To ensure these digital forms are protected, you must have a trusted and secure digital partner like IntakeQ—we make it a priority to stay HIPAA compliant.
Unfortunately, some HIPAA breaches by employees actually are done with malicious intent. A 2018 survey from Accenture found that 18% (nearly one in five) of healthcare employees “said they would be willing to sell confidential data to unauthorized parties.”
To help deter such activities from happening, it’s a good idea to make the consequences of such violations clear upon hiring. Violating strict HIPAA laws in any capacity could result in termination, fines, or even criminal charges.
However, in most cases, HIPAA violations occur out of carelessness or accident. Still, it’s important to teach and uphold a strong code of conduct to help protect your patients, your employees, and your practice.