8 Surprising Ways Healthcare Providers Violate HIPAA Everyday

It’s been 20 years since the Health Insurance Portability and Accountability Act was passed by Congress. So you’d think we would all be pros navigating the intricacies of the law by now, right? Yet, there were over 102 million HIPAA violations reported last July! More recently, June 2016 was reported as the worst month for HIPAA violations with 11 million patient records exposed in 30 days’ time.

Many data breaches (up to 40%) are the result of a single hack, but the failure to plan for such invasions of privacy falls on the companies collecting the information. Another 40% of the time, internal wrongdoing — intentional or unintentional — is the cause for violation.

The stakes are high for companies that aren’t clear on the rules. Some HIPAA violators have paid as much as $5.5 Million. From impermissible uses of health information to lack of safeguards for protecting health information, medical companies need to get this right. “I didn’t know” or “I didn’t mean to” doesn’t hold up well to the scrutiny of prosecutors.

Part of our job as healthcare marketing consultants is to help you bolster your defenses against attacks on personal security, whether they come from afar or from within. Here are eight common violations we come across.

Image Source: Davis Wright Tremaine LLP

1. You’re using “Opt In” email encryption.

Healthcare businesses like the ease of using “opt-in” email encryption because it allows for email-as-usual if the sender so desires or HIPAA-compliant encryption when selected. There’s the caveat: when selected. There is some margin of human error involved in the system. Say an employee begins writing an email, steps out for a cup of coffee, returns, and hits “send” without thinking — or explicitly encrypting (by checking a box or entering a code word like “secure” in the subject line). That employee has just violated HIPAA, and there are no “take backs.”

The Fix: Get a HIPAA-compliant email provider who has signed a Business Associate Agreement with your company. Encrypt everything sent from email addresses that send or receive electronic personal health information. Or employ an opt-out mechanism instead.

2. You’re using your smartphone for business.

It’s not uncommon to text other people in your practice about patient scheduling. For instance, you may leave your office and get a text from a nurse that your patient (name and contact number included) had a reaction to a medication you prescribed. Sending or receiving this text passes through multiple points of possible interception and is a violation of the law. Even texting something as seemingly innocuous as a patient’s appointment time is a violation of HIPAA.

The Fix: Use a HIPAA-compliant SecureChat app for your mobile device for strong encryption, audit trails, proper archiving, and the necessary Business Associate Agreement required for compliance.

Image Source: LuxSci.com

3. You snapped a photo or video of a patient on your smartphone without permission.

Out of the millions of HIPAA violations, there have been only 22 cases that involved workers willfully taking humiliating or degrading photos or videos of patients to post on social media. More often than not, medical professionals take photos to share with colleagues to receive a second opinion on a condition or to share a status update for conditions like infections that need to be monitored from day to day. In other cases, nurses may snap photos of their patients — with their expressed consent — to share on social media, but it is still considered inappropriate and unprofessional by HIPAA standards. There are so many instances of this online, it’s hard to believe people are actually committing a crime.

The Fix: Use apps like DocbookMD that allow photos to be taken within a secured app — without any data stored on your phone or accessible without the necessary pass codes and agreements. Never post identifiable pictures of patients or hospital facilities on social media, regardless of the intent.

4. You let your child play with your smartphone.

These days, many young children borrow their parents’ phones to play games. However, if your phone contains an app that can access personal health information records, then you are putting yourself at risk for a HIPAA breach if this information is seen or sent unintentionally.

The Fix: Use the pin-lock feature on your messaging app, password-protect your phone… and get your kid something like the Kindle Fire for playing games because $99 is a lot cheaper than the thousands you’ll pay for a HIPAA violation!

Image Source: Scrypt.com

5. Your web intake forms aren’t secure.

Who wants to sift through endless amounts of paperwork or enter data manually, when they can access electronic information filled out by the patients themselves? Web intake forms are a very efficient way to collect information and there are endless programs that can help you create such forms — but (you guessed it!) not all are HIPAA-compliant.

The Fix: Work with a dedicated HIPAA compliance solution to meet your web intake needs. Update your website form pages with Transport Layer Security to ensure the protection of sensitive data.

6. There are shared logins in your system.

A common, yet sloppy, move involves having shared logins or email addresses for a particular health information system. However, HIPAA requires every person within an organization to have a unique login and password. Regular audits are necessary to track employee logins and uses of the system for full accountability.

The Fix: Don’t be lazy. Assign unique logins and highly secure passwords.

7. You took the “set it and forget it” approach to HIPAA.

We find many healthcare organizations initially took great strides to get into compliance with HIPAA when the law first came out in 1996. Then they sat back and forgot about it. Every new employee was not necessarily trained in HIPAA compliance, nor were people trained on how to spot and report breaches. New modifications to HIPAA are being added all the time, so you need to be current on your understanding of the law.

The Fix: Train your employees how to be HIPAA compliant. Conduct annual risk assessments. Put policies into place that ensure regular HIPAA reviews and the minimization of data leaks.

8. Your smartphone or tablet was lost or stolen.

The size and portability of mobile devices makes them an ideal target for theft, not to mention an easy item to lose in the hustle and shuffle of a busy life. Some reports have suggested that up to 70% of data breaches are due to lost or stolen equipment — and with big consequences! An unencrypted laptop was stolen from Concentra Health Services’ Physical Therapy Center in Springfield, Missouri in April 2014. The company failed to report the incident to the U.S. Department of Health and Human Services and was fined $1.7 million following an audit.

The Fix: Keep better inventory of mobile devices used by staff. Keep mobile technology stored in lockers. Install radio frequency ID tags on portable devices. Report theft or loss immediately. 

The Bottom Line:

HIPAA compliance is not easy. It’s also not cheap. Though the government would like you to believe it’ll only cost your organization $1,000 or so to remain compliant, most small healthcare companies are spending $4,000 – $12,000 on technology, training and solutions. Bigger companies can spend anywhere from $50,000 – $100,000 on HIPAA. Working with a healthcare marketing consultant to ensure HIPAA compliance requirements have been met and well maintained is another layer of protection from the millions of dollars you could face in fines for a data breach, not to mention the tarnish of your good reputation and rapport with your patients. Let me analyze your business for free. Not only will I ensure you're compliant, I'll give you custom marketing recommendations and show you how to double your lead volume in the next 6 months!

--

Originally posted on 8waysin8days.com.