Every medical practice must follow the Health Insurance Portability and Accountability Act (HIPAA) regulations. These regulations offer protections for sensitive healthcare data. In the process, they also add significant requirements for providers and organizations. If you don’t stay on top of them, large fines and other penalties could come your way.
Avoiding HIPAA violations calls for a comprehensive approach to technology, procedures, and other aspects of running your practice. Let’s take a closer look at what HIPAA entails and how to avoid violations.
What Is HIPAA?
The Health Insurance Portability and Accountability Act was passed in 1996 in an effort to protect patient privacy (Alder, 2021). It outlines the rules and procedures that healthcare providers must follow to keep patient data confidential. It applies to information of all types, including paper, digital, and spoken.
HIPAA has various rules that address handling protected health information (PHI). For example, the Privacy Rule prevents healthcare organizations from sharing PHI without the patient’s permission or knowledge. The Security Rule addresses various measures an organization must use to protect PHI, such as technical safeguards and administrative measures. In all cases, healthcare organizations must take appropriate precautions to maintain the privacy and security of patient data.
Either individuals or organizations can commit violations, with penalties that include fines, jail time, and corrective action plans. Penalties can be civil or criminal, with different fines and jail times depending on the violation’s severity and type. While data release with malicious intent is certainly a concern, unintentional violations can also be problematic.
Common Examples of HIPAA Violations
HIPAA violations can be surprisingly simple — PHI can include seemingly innocuous information and many everyday interactions can lead to infractions.
HIPAA regulations outline 18 identifiers constituting PHI (“HIPAA PHI,” n.d.). Some of these identifiers include:
- Geographical subdivisions smaller than a state, such as cities, counties, and zip codes
- Birth dates, admission dates or dates of death
- Email addresses
- Account numbers
- License plate numbers
Unless someone needs the information for the patient’s treatment, it’s crucial to avoid sharing anything they could trace back to a specific individual. With this information in mind, here are some common examples of HIPAA violations.
1. Speaking in public places
A quick conversation in the hallway or lobby should never include PHI. Consider the following example of a dental HIPAA violation.
Dentists’ treatment spaces often have open layouts. If a dentist and a dental hygienist start discussing a patient in the hallway, another patient sitting in a chair could overhear without the providers’ knowledge.
Be careful when discussing important details and control as much of the environment as possible. Only share as much information in lobbies and common areas as necessary to facilitate care. If needed, staff members should head to a private space.
2. Social media sharing
A photo of staff members at the nurse’s station may seem harmless until you realize PHI is visible in the background. For example, a computer screen could reveal a patient’s chart. Another scenario could involve a photo of a patient celebrating the end of their chemotherapy treatment. Posting this photo on social media would violate HIPAA without the patient’s written permission. (Alder, 2023) Verbal consent is insufficient.
3. Technology problems
Modern practices depend on technology to provide patient care, but inadequate policies and lax security can lead to significant HIPAA issues. Violations could be as simple as a nurse leaving a computer logged in when walking away from a workstation. Other potential technology problems include improper device security protocols, non-compliant apps like notes and calendars, and unauthorized employee access.
4. A Lack of employee training
If employees don’t know how to protect HIPAA information, the organization can be held accountable for violations. Appropriate staff training and documentation are mandatory for HIPAA and crucial for preventing breaches.
5. Improper disposal of PHI
Practices that use paper documentation must be especially vigilant of disposal requirements. For example, a document in the trash is readable to anyone who gets their hands on it. You may need to shred documents or invest in electronic resources, such as practice management software that can send digital forms.
6. Non-compliant partnerships
HIPAA does not apply to businesses that aren’t covered entities. However, many of these entities partner with other businesses to facilitate care and operations. Providers can share PHI with these businesses if they conduct certain checks to confirm that the company can protect PHI (Office for Civil Rights, 2019). If a provider doesn’t perform due diligence and shares information with an untrustworthy associate, the provider can be held responsible for violations.
How to Avoid HIPAA Violations and Protect Your Practice
All healthcare providers must be proactive in avoiding HIPAA violations. Some attention to detail now could save you from massive penalties down the road.
Below are some strategies used to prevent HIPAA privacy violations.
1. Pay attention to the environment
Teach staff about the importance of keeping PHI under wraps. For example, instead of telling the front desk that Amy Peterson needs assistance, they can say that “The patient in Room 7” needs some help. Make every effort to control the environment for spoken and written PHI, such as installing computer privacy screens or creating cubicles for check-in. You can even minimize the amount of verbal communication that happens with virtual check-ins and similar tools.
Ensure staff stays alert and has a thorough understanding of how unintentional PHI sharing can happen, even among other providers.
2. Create clear policies and training
Avoid any ambiguity when it comes to your policies and procedures. Create guides for social media policies, technology use and access, reporting, and other areas of HIPAA compliance. Put these guides in an accessible location where workers can refer back to them easily.
3. Confirm authorization requirements
If someone asks you to share PHI, triple-check the regulations. Understand when you can and cannot disclose information to parties other than the patient, including family members, law enforcement, and colleagues who aren’t involved in the patient’s care.
4. Promote privacy-first technology use
Staff members should learn basic technology privacy practices as part of their training. Ensure your training covers areas like not sharing login credentials and logging out of their accounts when away from the screen.
You can make their jobs easier with technical features that support compliance. For example, you might set up devices to automatically log out after a short time. You could also implement a secure messaging platform that eliminates the need for non-secure methods like text and email.
5. Keep information on a need-to-know basis
Securely accessing data is another crucial part of training. Anyone viewing PHI should have a clear reason for doing so. No one can access data out of curiosity, even their own records. Providers should never take records with them to finish work at home or when moving practices. Ensure that everyone understands the limitations and requirements for accessing data.
6. Go paperless
Disposal requirements can be hard to keep up with, especially in a busy office. You can simplify these requirements with virtual resources, such as digital forms and paperless payments. Once you’re fully digital, you can store everything in a platform designed for compliant healthcare operations.
7. Only use HIPAA-compliant tools
Remember, any business with which you disclose PHI must be capable of protecting patient data. Only work with partners who comply with HIPAA through layers of security and point-to-point encryption (P2PE). Platforms designed for your line of work can address the unique demands of healthcare data privacy and help prevent violations.
Ensure HIPAA Compliance With Rectangle Health’s Solutions
HIPAA compliance can be challenging for any provider, but Rectangle Health makes it easier. Our Practice Management Bridge® provides a range of resources built for healthcare organizations. From payment processing and scheduling to patient communications and digital forms, the HIPAA-compliant Practice Management Bridge® delivers the help you need to work more efficiently while retaining high levels of security.
- Alder, S. (2021, September 9). When Was HIPAA Enacted? HIPAA Journal. https://www.hipaajournal.com/when-was-hipaa-enacted/
- Alder, S. (2023, February 30). HIPAA social media rules. HIPAA Journal. https://www.hipaajournal.com/hipaa-social-media/
- HIPAA PHI: Definition of PHI and list of 18 identifiers. (n.d.). Human Research Protection Program. https://cphs.berkeley.edu/hipaa/hipaa18.html
- Office for Civil Rights. (2019, May 24). Business associates. U.S. Department of Health and Human Services, National Institutes of Health. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html