The success of your HIPAA compliance program will depend very much on the actions of your employees. Without clear HIPAA guidelines, the employees in your organization can easily lose track of their obligations, and a minor mistake can eventually lead to an unforeseen breach.
On that note, we will list some HIPAA guidelines for employees, including a few very common scenarios where employees violate the HIPAA law.
Things that your employees must know
What is PHI?
You and your employees must take special care to protect your client’s Protected Health Information (PHI) regardless of whether you are a covered entity or a business associate. But what exactly is PHI?
According to the HIPAA Journal, PHI is:
Any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, concerning the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
The 18 identifiers that qualify as PHI are:
- Account numbers
- Any unique identifying number or code
- Biometric identifiers (fingerprints, retinal scan)
- Certificate/license numbers
- Dates, except the year
- Device identifiers and serial numbers
- Email addresses
- FAX numbers
- Full face photos and comparable images
- Geographic data
- Health plan beneficiary numbers
- Internet protocol addresses
- Medical record numbers
- Social Security numbers
- Telephone numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
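As an added example (not part of the original article), a small Python scanner that flags the pattern-shaped identifiers from the list above in outbound text, such as a message about to be sent. The regexes and the sample message are constructed assumptions; names, photos and biometric data have no fixed shape and are outside what this check can catch.

```python
"""Scan free text for the pattern-shaped HIPAA identifiers listed above.

Added example, not from the article. The regexes are assumptions that
cover identifiers with a recognisable shape; names, photos and biometric
data need other techniques and are not detected here."""
import re

# A bare year is allowed under the Safe Harbor rule; full dates are PHI.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "medical_record_number": re.compile(r"\bMRN[:# ]*\d{5,}\b", re.IGNORECASE),
}


def find_phi_identifiers(text: str) -> dict:
    """Return {category: [matched strings]} for every pattern that hits."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def contains_phi(text: str) -> bool:
    """True if the text should be blocked or encrypted before it is sent."""
    return bool(find_phi_identifiers(text))


# Constructed sample message; every value is invented for this example.
SAMPLE_MESSAGE = (
    "Can you pull the chart for MRN 4471120? DOB 03/14/1962, SSN 123-45-6789, "
    "cell 555-867-5309, email jane.doe@example.com. Images are at "
    "http://pacs.example.internal/study/88 (uploaded from 10.20.30.40)."
)

if __name__ == "__main__":
    for category, values in find_phi_identifiers(SAMPLE_MESSAGE).items():
        print(f"{category}: {values}")
```

A real deployment would run this at the messaging gateway or e-mail relay and either block the message or force an encrypted channel when `contains_phi` is true.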
Now that you know what PHI is, let’s look at some of the ways in which PHI may get compromised.
Common Ways Employees Violate HIPAA
As I have mentioned earlier, without proper HIPAA guidelines, employees may easily make a mistake or act in a way that is non-compliant. Most common HIPAA violations, whether intentional or accidental, are caused by employees, and most of these incidents stem from laziness or a lack of proper training.
With that being said, as an employer, it is your responsibility to make sure that all employees receive proper and up-to-date training to better handle patients’ PHI.
So here are a few ways PHI may get breached, stolen, or compromised:
Snooping on patient files
Statistics published by HIPAA Journal reveal that snooping was the single largest cause of PHI exposure in the survey: 27% of respondents had experienced a breach in which an employee viewed the medical records of friends or family, and 35% had experienced one in which employees checked the medical records of their work colleagues.
An individual who accesses a client’s PHI without a work-related purpose is acting both carelessly and unprofessionally. Whether done with malicious intent or inadvertently, it is illegal and can cause harm to your practice.
To prevent this from happening, enforce policies and procedures that restrict access to patients’ records unless access is required for work purposes, and review the access logs so that snooping is actually detected.
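An added example (not from the article) of the kind of audit-log review that backs up such a policy: each record view is checked against a care-team table and a roster of patient records that belong to staff, so views without a treatment relationship, views of a co-worker’s chart, and staff viewing their own chart are surfaced for the privacy officer. The log format, care-team table and roster are constructed assumptions.

```python
"""Flag EHR record views that match the snooping patterns described above.

Added example, not from the article. The log format, care-team table and
staff-patient roster are constructed; a real audit export will differ."""
from dataclasses import dataclass


@dataclass
class Access:
    when: str
    employee: str
    patient: str
    reason: str  # "treatment", "billing", "break_glass" or "" when none given


# Constructed: employees with a legitimate relationship to each record.
CARE_TEAM = {"P1001": {"nurse_a", "dr_b"}, "P1003": {"nurse_c"}}
# Constructed: patient records that belong to staff members.
STAFF_PATIENTS = {"P1003": "nurse_a"}

# Constructed audit lines: timestamp|employee|patient|documented reason.
SAMPLE_LOG = """\
2024-05-01T09:02:11|nurse_a|P1001|treatment
2024-05-01T09:15:42|nurse_c|P1001|
2024-05-01T12:40:05|dr_b|P1003|break_glass
2024-05-01T13:05:30|nurse_c|P1003|treatment
2024-05-01T17:22:18|dr_b|P1003|
2024-05-01T18:01:00|nurse_a|P1003|
"""


def parse_log(text: str) -> list:
    return [Access(*line.split("|")) for line in text.splitlines() if line]


def audit(accesses: list) -> list:
    """Return (finding, access) pairs that a privacy officer should review."""
    findings = []
    for a in accesses:
        on_team = a.employee in CARE_TEAM.get(a.patient, set())
        if a.reason == "break_glass":
            # Emergency override: legitimate or not, it is always reviewed.
            findings.append(("break_glass_review", a))
        elif a.employee == STAFF_PATIENTS.get(a.patient):
            # Staff must use the patient portal for their own chart.
            findings.append(("own_record", a))
        elif not on_team:
            kind = "coworker_record" if a.patient in STAFF_PATIENTS else "no_treatment_relationship"
            findings.append((kind, a))
    return findings


if __name__ == "__main__":
    for kind, a in audit(parse_log(SAMPLE_LOG)):
        print(f"{a.when} {a.employee} viewed {a.patient}: {kind}")
```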
Medical records mishandling
According to HIPAA law, all printed medical records containing PHI must be kept in a secure place. If a staff member or a nurse leaves a patient file in a random place where it can be read, accessed, or stolen by someone else, that is a clear violation of HIPAA. Therefore, patient charts, names, and any other identifying information should always be covered. Furthermore, PHI and similar records should never be left unattended. There should be a strict policy in place that requires charts, tests, and other patient documents to be stored immediately upon completion of an exam.
Posting on social media
This is where most of the recent violations have occurred. Posting patients’ pictures or any other personally identifiable information on social media without their consent is a clear breach of HIPAA rules. Employees must have a clear understanding of what to post and what not to post to avoid any major infringement. Before posting anything on social media, make sure that you get the patient’s approval first. There should be comprehensive guidelines for employees with regard to HIPAA and social media use.
Conversations about patients
It is only human to talk about what your day was like, for example how you dealt with a patient. Employees must be careful never to talk about a patient they have previously seen, whether at home or at work, unless they are currently working on that case. Furthermore, employees should avoid discussing a case in the hallway or in places where their conversations could be overheard. Employees should also not talk about patients with their families, friends, or other coworkers. Employees must be encouraged not to talk about patients, or even refer to them by last name, in the presence of others not involved in the case.
Stolen or lost device
Anyone can walk away with a laptop or a mobile device; it does not take much skill. The problem arises if the stolen or lost device stored PHI. If the device is a workstation, proper controls should already be in place, for example encryption, a two-factor authentication process, or biometric authentication.
Messaging patient information
Many employees share patient information from their phones or through unsecured messaging platforms simply for convenience and speed. Doing so exposes the information to greater risk, because these are exactly the channels that attackers target. Before sharing any information through messages, make sure that the information is properly encrypted.
Exposing PHI when working remotely
Many doctors and employees have been working from home since the COVID-19 pandemic started. This leaves a lot of room for error, for example unsecured servers or information left on an unattended screen. Such actions are not violations in themselves; however, they could attract unwelcome eyes, and that could lead to serious problems. When employees and doctors work remotely, they should make sure that their home workstations are also properly secured and have all the necessary controls implemented.
Get Your Employees Trained With HIPAA Ready
Employees must be aware of their actions. Actions, whether intentional or unintentional, can have serious consequences for themselves, the business, and the patients. Should they be found guilty of a breach, they may face severe penalties or even jail time.
Instead, provide proper and up-to-date regular training to your employees. HIPAA training can sometimes become tedious and monotonous. That is why we have developed simple and effective training materials that come with the HIPAA Ready compliance management app.
Try our HIPAA Ready software for free (no credit card required).