Common HIPAA Violations to Avoid
Greg Garner
Making sure your organization stays HIPAA compliant is an essential part of your risk management strategy. Although you may have policies and procedures in place, have conducted employee training, and attempt to stay abreast of any breach activity, many organizations unknowingly experience HIPAA violations on a consistent basis. There are extensive fines tied to HIPAA offenses, which could cost your organization a significant amount of money. Making sure your administrators are reviewing the policies on an ongoing basis can help in avoiding huge losses.
Common HIPAA Violations
These are some common HIPAA violations that may be occurring within your organization. Even when employees are trained, these violations may fall through the cracks. Introducing these common violations as part of your training program will alert employees to potential areas that need improvement:
- Releasing protected health information (PHI) without authorization due to incomplete forms.
Every patient authorization form must be fully completed before any information is released to an outside party. All forms should include the legal name of the patient, specific information that is authorized for disclosure, the date of the authorization, and the date of revocation. This includes cc’ing someone on an email with PHI by mistake.
- Disclosing patient information to an off-limits third party.
Employees may discuss information about a patient with friends, family and coworkers, which violates federal law. Although the employees may feel secure in knowing the nature of the information will not be revealed any place else, these types of practices should be avoided at all costs.
- Failing to properly destroy old patient information.
HIPAA law requires an organization to destroy any incorrect or outdated patient information to avoid the unauthorized release of PHI. When systems are not properly backed up, or there is a backlog, this opens the door for patient information to inadvertently fall into the wrong hands.
- Errors when storing patient files and other data.
Electronic Health Records (EHRs) have streamlined the process of keeping patient data private. While the use of EHRs has been helpful, many organizations still rely on a paper-based system for patient files. This can lead to patient files getting misplaced, data from another patient being misfiled and other errors. Most of these problems can be avoided by switching to an electronic database.
- Not releasing records on time.
When a patient requests their medical records, HIPAA law requires an immediate release. If the organization does not complete this in a timely manner, they could be fined and placed under investigation. Having a set timeline within your records department to complete any medical record requests should be a part of your policies and procedures.
- Inputting incorrect information.
When working with patient files, employees may mistakenly enter an incorrect code, or select the wrong chart and enter information on the wrong patient. It is important to stress accuracy in every action.
- Not having proper security protocols.
Because so many organizations use mobile devices and other methods to back up information, PHI is at risk. Organizations should have adequate safeguards in place to protect PHI from breach, loss and theft. Having security measures like firewalls, wipe-down software, passcode-restricted access and cloud storage will assist in avoiding any hacks and illegal retrieval of PHI.
- Waiting to inform management and compliance officials of PHI exposure.
Employees who have exposed PHI are reluctant to inform management for fear of repercussion. This leads to a lag in the reporting times between management and compliance officials, which is a violation of the law. All employee compliance training should stress the ramifications of not reporting data breaches or releases, so that your employees and business associates understand them.
Ongoing training is the key to making sure these common HIPAA violations are avoided, as one mistake can be detrimental to the organization.