Whether you are a doctor, dentist, surgeon, or any other healthcare practitioner, you must abide by the Rules set forth in the Health Insurance Portability and Accountability Act (HIPAA). Signed into law in 1996, it protects patient privacy by requiring covered entities to implement policies, procedures and safeguards for Protected Health Information (PHI). Today we're going to take a look at some of the most common HIPAA violations.
While HIPAA doesn't prohibit remote access, covered entities that use it place themselves at risk of a violation because of the inherent risk of a data breach. It's not uncommon for doctors to access patient files from home via remote access. Unless meaningful and appropriate safeguards are implemented to keep this data safe, such as an encrypted connection, multi-factor authentication, and limits on what can be downloaded to the home machine, the Department of Health and Human Services (HHS) may view this as a HIPAA violation.
Another all-too-common HIPAA violation is texting Protected Health Information (PHI). A nurse, for instance, may text a patient's status to a doctor without thinking about the implications for the patient's privacy. A standard SMS message is not end-to-end encrypted, and it is stored on both the nurse's and the doctor's phones, where it could end up in the hands of someone with nefarious intent.
It's bound to happen sooner or later. You go about your normal daily activities, but when you reach down to use your smartphone, you realize it's not there. Lost devices that contain Protected Health Information may be considered a HIPAA violation if the covered entity fails to secure the data. Devices should be encrypted by default and protected by a strong passcode so that snooping eyes cannot read the data, and they should support remote wipe so the data can be erased if the device is lost or stolen. Encryption matters here for more than good practice: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not considered unsecured, so losing a properly encrypted device is not a reportable breach, provided the key was not lost along with it.
Not Destroying PHI
Are you destroying old patient information once it is no longer needed? If not, you could be at risk of a HIPAA violation the next time HHS conducts its audits. HIPAA itself sets no retention period for medical records (that comes from state law and other regulations), but once PHI is no longer needed it must be disposed of securely and in a timely manner rather than left lying around. Note that HIPAA does not ask you to destroy incorrect records; corrections are handled by the Privacy Rule's amendment process, and compliance documentation such as policies and procedures must be retained for six years.
Failing to Fully Destroy PHI
Keep in mind that throwing PHI in the trash isn't sufficient for HIPAA. All PHI must be destroyed to the point where it cannot be read or reconstructed. For paper, that means shredding, burning, pulping or pulverizing. For electronic media, simply deleting a file is not erasure, since the data remains on the disk until it is overwritten; media must be cleared, purged or physically destroyed in line with NIST Special Publication 800-88 (Guidelines for Media Sanitization), which HHS points to in its own disposal guidance.