What is a HIPAA Violation? 26 Examples
Originally Posted On: https://helloalleva.com/what-is-a-hipaa-violation-26-examples
What is a HIPAA Violation? 26 HIPAA Violation Examples and How to Avoid Them
The Health Insurance Portability and Accountability Act protects patients’ privacy, prevents fraud and protects personal health information. Compliance is critical for behavioral health facilities.
A single HIPAA violation can result in a fine of up to $50,000 to the provider and a potential loss of license. So, it goes without saying that it’s incredibly important to avoid them. What is a HIPAA violation? It’s a failure to comply with “any aspect of HIPAA standards,” according to HIPAA Journal. It’s when there’s a breach of HIPAA protected health information, also known as PHI. Some of the most common types of protected health information for patients include names, social security numbers, dates of birth, addresses, email addresses, and phone numbers.
Now that you know what a HIPAA violation is, we’re going to give you 26 examples so you can avoid making these mistakes.
EXAMPLES OF HIPAA VIOLATIONS
1. Employees Divulging Patient Information
Patient information needs to be kept private. Employees talking about patients to coworkers or friends is a HIPAA violation that can land you in a world of hurt. Employees can’t share patient information with friends, family members, third-party vendors or organizations. Also, employees should only discuss patient information in private places and only with other medical personnel. There’s no reason to share such information with anyone else.
2. Medical Records Falling into the Wrong Hands
Mishandling patient records is one of the most common HIPAA violations. It frequently occurs when a clinic uses paper records or charts: a clinician accidentally leaves the record in a patient’s room, and another patient sees it. Patient records should always be kept in a locked space so they can’t be stumbled upon by others.
3. Stolen Items
If an item containing PHI, such as a laptop or smartphone, is lost or stolen, that’s also considered a HIPAA violation and can result in a hefty fine. To safeguard against this, any device containing PHI should be password protected. Be sure to lock down any device with PHI once you’re done using it. A password doesn’t do any good if the laptop is left open and logged in while you go do something else.
4. Lack of Proper Training
One of the best ways to avoid a HIPAA violation is to train your employees on the proper policy. You need to establish policies that ensure patients’ information is protected and kept confidential at all times. Employees who are properly trained on how to avoid HIPAA violations are much less likely to make such mistakes.
However, mistakes will be made. When such a breach occurs, you need to have a plan on how to appropriately handle it. Trainings should be held regularly to make sure all employees, old and new, are well aware of your policy. Train all new employees on your policy and hold quarterly trainings to keep it fresh in all employees’ minds.
5. Texting Private Information
While texting patient information may seem fast and effective, it also gives hackers a way to obtain that information. You can’t put a patient’s name or information in a text. If you do and you’re caught, it can be a 5k fine per violation per text. And legally, you’re required to report those violations. There are programs that encrypt the information so it can be texted without concern. But the problem here is that the program needs to be installed on the wireless device of both parties, and it rarely is.
A good electronic medical record (EMR) software will provide ways for clinicians to transfer such information efficiently and in accordance with HIPAA. Check with your EMR provider to see what can be done to make your communications compliant. If you’re looking for a new EMR, we’ll give you a free demo here. You can also learn more about the features of our EMR here.
6. Passing Patient Information Through Skype or Zoom
Texting isn’t the only common kind of communication that’s a HIPAA violation. Skype is another way clinic employees frequently communicate about patients, but the same problems apply. Hackers can easily obtain that information. This is part of why it’s so important to have a good EHR. If you’re looking for a new EHR software, you can learn what to look for here.
7. Discussing Information Over the Phone
Another potential HIPAA violation that’s easily overlooked is discussing information over the phone, but it’s vital. When you’re discussing a patient’s information on the phone, you need to be in a private place where others can’t hear you. Talking about a patient in a public area where others can hear you is a HIPAA violation.
8. Posting on Social Media
You absolutely cannot post photos of your patients on social media. It’s a definite HIPAA violation even if no names or information are posted. People can easily identify the patient and the doctor, which can reveal unwanted information about their health. This should definitely be taught in policy training. No matter how harmless the intent, this can result in huge fines and is very easy to prove.
9. Employees Accessing Patient Files and Charts Without Authorization
This is a very common HIPAA violation and frankly, the cause doesn’t matter. Employees can only access patient information when they’ve been authorized to do so. It’s illegal to do so even if it’s purely out of curiosity or to help a friend.
10. Using PHI for Personal Gain
It should go without saying that using or selling PHI for personal gain is illegal. In addition to a large fine, it can also result in prison time. Again, make sure this is taught in your training for new employees and in your quarterly trainings.
11. Written Consent
Before PHI can ever be disclosed for purposes other than treatment, payment, or healthcare operations, you must get written consent. If you or one of your employees isn’t sure, it’s always best to err on the side of caution and get written consent.
12. Home Computers
It’s not uncommon for doctors and nurses to use their own computers to access patient information after hours for notes. In itself, this isn’t a HIPAA violation, but it can very easily turn into one if the screen is left on and a family member sees the patient’s information. As we mentioned before, laptops, computers, and smartphones should always be powered down and password protected when you aren’t using them. Again, make sure this is taught in your policy trainings.
13. Inquiries in Social Settings
It’s very common for people to approach clinicians in a social situation asking about someone they know who is a patient. When you think about it, it makes perfect sense. Patients, their friends and family members have no reason to know HIPAA law. But that doesn’t make revealing PHI in these settings HIPAA compliant. The best way to avoid this is by having a planned response for these types of situations that doesn’t involve any personal information.
14. Poor Reporting Timing
No matter how well-trained or experienced a healthcare provider is, they can still have HIPAA violations from time to time. What’s crucial is to make sure the issue is responded to and resolved as quickly as possible.
HHS requires notification with extensive documentation within 10 days of the data breach with a minimum of 15 detailed components that relate to the entity’s internal investigation.
15. Releasing Records After Authorization Date
Patients have the ability to set an expiration for their authorization. Releasing confidential patient records after the date they set is a HIPAA violation. It’s important to pay attention to the details.
16. Missing Patient Signature
Patients can often miss a signature when filling out HIPAA forms. However, if the forms aren’t signed, they’re invalid. And if they’re invalid, releasing information is a HIPAA violation. The solution to this is simple and obvious. Make sure all HIPAA forms are signed.
17. Providing Security With Too Much Information
Security personnel in health clinics need to know the name and room number of patients so they can guide friends and family members to their rooms. That information is compliant. However, they don’t need any information like treatment or diagnosis.
18. Nurses “Need to Know”
A nurse needs access to private information for the patients they are responsible for in their unit. But giving a nurse PHI for patients in another nurse’s unit is a violation of HIPAA. There’s no need for them to have access to information for patients they aren’t responsible for.
19. Regulations for “Minimum Necessary”
Health insurance companies typically need to know how many visits a patient has had to the clinic but nothing beyond that. They aren’t allowed to see the patient’s entire history. This can be easy to overlook as you already have to give the health insurance company some information about the patient and it may seem necessary to give more. But don’t.
20. Sending Private Information Via Email
Another common HIPAA violation is sending PHI in an email. This is for the same reasons as the other communication issues we discussed. For those of us that aren’t internet hackers, it might seem harmless. But hackers are able to easily access your email, making a patient’s information vulnerable.
21. Media Interviews of Patients
From time to time, a member of the media may want to interview a patient for a story. This happens less frequently, but you can’t allow the media to interview substance abuse patients. Doing so is a HIPAA violation. The reason is that it violates their privacy. Even if a patient is okay with it, we’d still recommend staying away from the idea completely.
22. Releasing Information Without Consent
This may seem obvious; nevertheless, it happens. Releasing information about minors without parental consent is a HIPAA violation. Not only that, but it can cause issues with the parents or guardians and even result in a lawsuit.
23. Releasing The Wrong Patient’s Information
This is where you have to be extra careful. Anybody can make a mistake, but that doesn’t make it legal. If you or one of your coworkers releases information to the wrong patient, it’s a HIPAA violation. This tends to happen when you have patients with the same or similar names. Make sure you train your staff to double check what information they’re releasing.
24. Right to Revoke Clause
Any and every form your patients sign needs to have a “right to revoke” clause. If it doesn’t, it’s not valid. And if it’s invalid, any information you release to a third-party organization violates HIPAA.
25. Releasing Information to an Undesignated Party
You’re only allowed to give patient information to the exact person authorized on the form. Releasing it to anyone else violates HIPAA regulations.
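As an added example that is not part of the original post, the “minimum necessary” rules from items 17 through 19 and the release-authorization rules from items 15, 16, 24 and 25 written out as policy checks in Python. The Patient and Authorization records, the role names and the per-role field lists are constructed assumptions for illustration, not Alleva’s software or the regulation’s own definitions.

```python
from dataclasses import dataclass
from datetime import date

class AccessDenied(Exception):
    """Raised when a request goes beyond the requester's minimum necessary."""

@dataclass(frozen=True)
class Patient:            # constructed sample record type, not real PHI
    name: str
    room: str
    unit: str
    visit_count: int
    diagnosis: str

# Field allow-lists per requester type: the least PHI each needs for its task.
MINIMUM_NECESSARY = {
    "security": {"name", "room"},  # enough to direct visitors, nothing clinical
    "insurer": {"visit_count"},    # number of visits only, never the history
    "nurse": {"name", "room", "unit", "diagnosis"},
}

def minimum_necessary_view(role, requester_unit, patient):
    """Return only the fields this requester may see; deny everything else."""
    allowed = MINIMUM_NECESSARY.get(role)
    if allowed is None:
        raise AccessDenied(f"no PHI access defined for role {role!r}")
    # A nurse sees only the patients in the unit they are responsible for.
    if role == "nurse" and patient.unit != requester_unit:
        raise AccessDenied("patient is outside the requesting nurse's unit")
    return {f: getattr(patient, f) for f in sorted(allowed)}

@dataclass(frozen=True)
class Authorization:      # the patient's release form, reduced to the fields checked here
    designated_recipient: str
    signed_by_patient: bool
    has_right_to_revoke_clause: bool
    expires_on: date      # expiration the patient set on the form

def release_problems(auth, recipient, today):
    """List every reason a disclosure would violate HIPAA; empty means it may proceed."""
    problems = []
    if not auth.signed_by_patient:
        problems.append("form is unsigned, so it is invalid")
    if not auth.has_right_to_revoke_clause:
        problems.append("form lacks a right-to-revoke clause, so it is invalid")
    if today > auth.expires_on:
        problems.append("authorization has passed the patient's expiration date")
    if recipient != auth.designated_recipient:
        problems.append("recipient is not the party designated on the form")
    return problems
```

Both checks fail closed: an unknown role gets nothing, and a release goes ahead only when the list of problems is empty.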
26. Disposal of Records
When you dispose of a patient’s information, it has to be unrecognizable. Shredding is a great way to dispose of paper records.
How to Avoid HIPAA Violations
To conclude, HIPAA violations carry hefty fines and consequences. In order to avoid HIPAA violations, hold regular trainings on your policies and procedures, double check who you divulge information to, and password protect everything. As you can see, there are so many ways to violate HIPAA. Make sure you and your coworkers don’t discuss patient information in a way that others could hear or obtain it.
Lastly, and maybe most importantly, get an EMR software that makes communication easier. If your current EMR does that, make sure your staff is trained on using it in accordance with HIPAA. If it doesn’t, we would strongly recommend getting an EMR that does.
Compliance is important. Learn more about how Alleva’s EMR can help to streamline your workflow, save your staff time, and prevent burnout.