Hospital must adhere with the HIPAA Privacy, Security, and Breach Notifications Rules and put in place security measure to stop HIPAA breaches. However, even with these measures in place to manage the danger of HIPAA violations, data breaches still happen.
In the majority of industry sector, cybercriminals that to blame for most security breaches, but in healthcare it more common due to internal members of staff. While hospitals can take steps to improve their defenses and implement technologies to identify breaches quickly when they happen, hospital workers need to help prevent HIPAA breaches.
Employees Can Help to Prevent HIPAA Violations
Employees help to prevent HIPAA breaches by paying attention to the refresher training course provided and applying this to their work. Even comparatively small HIPAA breaches can have severe consequences. Groups can be liable for massive fines, HIPAA breaches can cause damage to organizations’ reputations, as well as harm to patients. Hospital staff found to have breached HIPAA Rules, even by mistake, face termination and in some serious cases, may face criminal charges.
How Hospital Workers Can Prevent HIPAA Violations
Detailed here are some of the common ways HIPAA Rules are violated by hospital staff.
1. Portable Devices or Documents Should never be left Unattended
A missing or stolen device that holds ePHI is reportable under HIPAA Rules if the device is not encrypted. The Office for Civil Rights reviews submitted reports of lost and stolen devices to ascertain if HIPAA Rules have been breached. If those devices are fond to have been left unattended, fines can be sanctioned. Portable devices must never be left unattended and when active.
Paper records must also be carefully managed. Those documents containing PHI left unattended in areas where they can be viewed by unauthorized individuals, healthcare workers, or other patients.
2. Passwords and Login Credentials Must not be Shared
Every hospital worker is given a unique login, through which they will be allowed access to sensitive information. It is therefore crucial that those login details are always kept private. Login details should never be shared or written down physically. Login data is used to track the actions of users, including activities involving ePHI. If another hospital worker has your login details , and improperly accesses ePHI using those details, you will be the one that faces possible punishment.
3. PHI is not to be Disposed of in Normal Garbage
While the majority of hospital have moved to electronic health records, documents are still widely used. Any document including the PHI of a patient must be kept safe at all times and disposed of securely when no longer needed. HIPAA requires all PHI to be made unreadable, indecipherable, and unable to be put back together when it is no longer needed. Your employer should have stringent rules covering the disposal of PHI which forbids the disposal of documents with regular trash. You must be very careful to ensure that any paper copies of PHI are disposed of safely.
4. Patient Information Should Never be Texted
Text messages are a simple way to message someone, whether via the SMS network, WhatsApp, or Facebook Messenger. Sadly, none of the common messaging services have the proper controls to stop accidental disclosures of ePHI to unauthorized persons.
For instance, SMS messages are not encrypted and can easily be captured. WhatsApp is encrypted, but lacks proper authentication controls. In order for a text messaging service to be employed, your employer must have completed a HIPAA-compliant business associate agreement with the service provider. If you need to share ePHI, only do so through approved channels such as a secure, healthcare text messaging service.
5. Patient Records Must Never be Viewed Out of Curiosity
Hospital staff accessing of patient health, without any legitimate reason for doing so, is a serious breach of HIPAA Rules and patient privacy. While most healthcare employees respect the privacy of patients, there have been many cases over the years of patients viewing the records of patients.
Healthcare employees are only allowed to access patient records if they are required to do so for treatment, payment and healthcare reasons. For treatment aims, employees are only permitted to view the records of their own patients.
The HIPAA Security Rule states that covered entities must manage access logs to ensure inappropriate ePHI access can be identified. Those logs must be regularly audited. Depending on the system in place, a flag could be immediately raised or it may take until the next audit for the privacy breach to be discovered, but Improper accessing of PHI will be discovered.
If medical records are viewed without authorization it is likely to lead to termination, and potentially criminal penalties against the individual(s) involved. Such actions are also likely to make it difficult to obtain future employment at other hospitals. Your employer can also face heavy fines and significant reputation damage.
6. Your Personal Medical Records Must Never be Accessed Using Your Login Credentials
The HIPAA Privacy Rule permits patients to obtain copies of their health records on request, but hospital workers do not have the right to access their medical records using their login details. Normally, healthcare providers require staff to go through the same process as patients. In order to obtain access to their health data, they must file a request for a copy of their health information through their HIM department.
7. Never Bring Medical Records with You When You Move Job
When workers leave a position they can be tempted to take PHI with them and may be encouraged to do so by new employers. However doing so is actually data theft and could result in criminal charges.
8. Potential HIPAA Violations Must be Reported
If you think that a colleague has breached HIPAA Rules you must do something to stop similar incidents from occurring in the future. Report possible HIPAA breaches internally to your compliance officer so that action can be taken promptly to address the issue.
8. ePHI must Never be Shared on Social Media Platforms (Including Photos)
PHI incorporates not just health information, but also photographs and videos. Patients could easily be identified from a photo and this must never be shared publicly, even if it does not include the patient’s name. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on the use of social media.
There have been many high-profile cases of hospital workers taking photographs or videos of patients and uploading them to social media accounts. Improper sharing of PHI can attract significant fines for the covered entity, termination of employment contracts, loss of licenses, and legal actions.
If you think your group is not doing enough to stop HIPAA breaches, speak to your compliance officer. If HIPAA Rules are being regularly breached, you can submit a complaint with the HHS’ Office for Civil Rights.