With the next round of HIPAA audits right around the corner, there's no better time than now for covered entities to perform an internal analysis of their operations and procedures. Simply turning a blind eye to the Health Insurance Portability and Accountability Act (HIPAA) places your business at risk for fines and other penalties. This week we're going to take a closer look at some of the most common HIPAA violations.
Not Using Business Associates Agreements
If you conduct business with a third-party agency or organization that has access to Protected Health Information (PHI), you must create a Business Associates Agreement (BAA). This otherwise simple document outlines the appropriate safeguards and measures for ensuring the privacy of PHI. Under the HIPAA Privacy Rule, every third-party organization that handles PHI must have a BAA created by the covered entity. Failure to do so could result in a violation when Health and Human Services (HHS) conducts an audit.
Not Destroying Patient Information
Some doctors' offices and other covered entities keep their patients' information simply because it's easier than going through the steps of destroying it. While this practice may seem harmless enough, it could place the entity at risk for a violation. HIPAA states that outdated or incorrect patient information must be properly destroyed or otherwise disposed of to prevent unauthorized use.
Tossing Paper Files In The Trash
Let me rephrase that: it's okay to throw away paper files containing PHI, but only if they have first been modified to the point where no personally identifiable information can be obtained from them. In other words, covered entities should either shred or incinerate paper files containing PHI before tossing them in the trash. As long as no personally identifiable information can be recovered from the paper or document, it's safe to throw in the trash.
Releasing Patient Information Without Consent
Covered entities are allowed to release patient information, but only if the patient or their legal caregiver/guardian gives written consent. These disclosure forms are critical in ensuring the covered entity is compliant and acting in accordance with the HIPAA Privacy Rule.
Lack of Cybersecurity
If your practice uses computers or other electronic devices to store, maintain and/or manage Protected Health Information, you must take the appropriate measures to protect this information from unauthorized use or disclosure. This includes both physical and technical safeguards for patient information.