To avoid HIPAA violations, it’s important for healthcare organizations to put into place strict guidelines that protect patient privacy. HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue. When it comes to data breaches, a single event may result in numerous violations. For example, the loss of a laptop containing personal health information (PHI) of 1,000 patients may constitute 1,000 violations. Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices. Below are some tips for reducing the risk of violations.
#1 Train your employees and periodically test them. The first way to ensure staff members are following HIPAA regulations is to educate and inform each employee – and update their training when any changes are made or new information is released regarding those regulations. After a training session, don’t assume that staff members retain what they learned. It is important to be continually vigilant in monitoring for HIPAA compliance in their daily work. One strategy is to periodically pose questions to test their knowledge – such as a pop quiz during staff meetings.
#2 Be mindful of mobile devices. The most common HIPAA violation today is the loss or theft of mobile devices that store patient health information. It’s the obligation of the healthcare facility and business associates to keep their mobile devices secure and out of the wrong hands. If an employee accidentally loses a laptop or leaves it unattended and it gets stolen, the employer pays for that mistake. It’s worth continually reminding employees to be aware of where mobile devices are at all times and to shut them down and lock them up when they’re not using them. Also, avoid texting patient information. Texting often results in quicker delivery of patient care – which seems harmless – but it means that the patient’s health care information now exists in cyberland and hackers may access this information. New encrypted programs have come out that allow confidential information to be safely texted; however, all parties must have the system on their phones and use it.
#3 Be sure that health records are properly stored. Handling paper and electronic files can be tricky business. Misfiling a patient’s paperwork in a cabinet or saving it on the wrong computer drive or network is a costly mistake. Employees may be prone to this if they are distracted while filing. Constantly remind employees who deal with patient files to focus on what they’re doing and double check that they properly store and save files in the right folders and drives. And this includes properly disposing of paper files – violations may occur because an employee forgot or chose not to shred paper records before throwing them away. The best way to avoid this problem is to switch to an electronic filing system.
#4 Keep anything with patient information out of the public’s eye. Another way healthcare entities can be in violation of HIPAA laws is by having patient information in plain view of anyone who comes into the facility. Keep patient folders closed, don’t have appointment calendars openly displayed in patient areas and keep computer monitors and mobile device screens hidden from patients and visitors. Get everyone in the habit of concealing information that needs to be concealed.
#5 Use social media wisely. Social media is undeniably woven into the fabric of our daily lives; however, it can cause problems for healthcare workers who are charged with protecting their patients’ privacy, and therefore the organization should have policies regarding their use of social media. In health care, videos and photography are often used for educational purposes. Consequently, posting patient photos and videos is a common violation. Even if the patient’s name is not shared, a Facebook or Twitter friend may recognize the patient and know the facility, and suddenly a patient’s privacy has been violated. The safest bet for employees and the organization to remain HIPAA compliant is to have a strict company policy not to post any text or pictures about what goes on in the workplace – on social media or even on their personal blog.