If your practice uses electronic health records (EHRs), chances are you already have policies and procedures in place to protect those files and keep your practice compliant with HIPAA regulations. It’s just as likely that there are small, seemingly innocuous things your staff is doing every day that are putting your practice at risk of a HIPAA violation.
Five standard “low tech” breaches happen daily in small practices and clinics across the country, and each one has the potential to cause serious consequences.
The Breach – Casual Disclosure Of Confidential Information
A receptionist, administrative assistant, technician, or nurse making small talk with a patient can violate HIPAA’s Privacy Rule without even realizing it. An offhand comment about a relative or neighbor having been by the office recently is considered a privacy breach, even if the employee doesn’t give out any specific information. By “outing” them as a patient at your practice, your employee has created a privacy breach.
The Solution – Instruct your staff to never, under any circumstances, discuss patients or patient information with anyone other than coworkers, unless required by law to disclose accurate information to a third party.
The Breach – Failing To Shred “Flawed” Copies Of PHI
Anyone who has ever spent time in an office setting is guilty of this bit of bad behavior. Whether you fail to realize the printer is almost out of toner, there’s a paper jam, or an incoming fax fails to transmit properly, the result is the same – you end up with a page that is blurry and all but illegible. And instead of walking over to the shredder and destroying it, you instead toss it in the trash. But if there is even one piece of identifying personal information on that page, you’ve just given a dumpster diver the ability to steal that patient’s identity.
The Solution – Make it the policy to shred every single piece of paper that is ever disposed of in your office, PHI or no PHI. Junk mail? Shred it. Fax cover page? Shred it. Blank intake form printed by mistake? Shred it. If running EVERYTHING through the shredder is second nature to your staff, the odds of PHI making it out of your office by mistake are much, much lower.
The Breach – Failing To Double Check Documents Given To Patients
When a patient is on their way out the door after an appointment, they generally aren’t leaving empty-handed. Whether it’s a prescription, discharge instructions, or a referral to a specialist, chances are something is coming out of the printer and leaving with a patient at any given moment. And when printing documents overlaps with an incoming fax, you end up with an extra page or two. When someone’s lab results or medication list goes home with another patient, you have a serious HIPAA violation on your hands.
The Solution – Instruct your staff to always flip through printed pages before handing them off to a patient. It only takes a few seconds to confirm that everything is in order, and those few seconds can potentially save your practice from a giant headache.
The Breach – Sending A Mass Email With The Recipient Addresses Visible
Mass emails are a great way to let patients know about office closures, holiday hours, or new policies. Unless you forget to activate and test the blind copy (Bcc) function before hitting ‘send.’ Then you’re faced with patients suddenly realizing they have the email addresses of hundreds of other patients – and hundreds of other patients have theirs. The resulting notification and reporting process, as well as having to provide identity theft protection services to each affected patient, is going to have a hefty price tag attached. And that’s just the compliance cost. There is a potential for fines and privacy lawsuits after the initial damage has been addressed.
The Solution – Make sure your entire staff is well-trained on all of your communication tools and doesn’t rush through tasks. Double check that all necessary steps have been completed before sending out emails.
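The “double check before sending” step can be automated. The following is an added example (not from the article or any particular email product) that builds a bulk notice with every patient address in Bcc only, refuses to send if any address other than the practice’s own would be visible in To/Cc, and strips the Bcc header before the message is handed to the mail transport. The sender and patient addresses are constructed placeholders.

```python
import copy
from email.message import EmailMessage

# Constructed sample data: a practice mailbox and a few patient addresses.
PRACTICE = "frontdesk@example-practice.org"
PATIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]


def build_bulk_notice(sender, recipients, subject, body):
    """Build a notice whose only visible recipient is the practice itself.
    Every patient address goes in Bcc, so no patient sees another's address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                    # visible field carries our own address only
    msg["Bcc"] = ", ".join(recipients)    # patient addresses hidden from each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Return every address that all recipients will be able to see (To and Cc)."""
    seen = set()
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for addr in header.addresses:      # parsed by email.policy.default
            seen.add(addr.addr_spec.lower())
    return seen


def check_before_send(msg, sender):
    """Pre-send guard. Returns (ok, exposed) where exposed lists any address
    other than the practice's own that would be disclosed to all recipients."""
    exposed = visible_recipients(msg) - {sender.lower()}
    return (not exposed, sorted(exposed))


def prepare_for_transport(msg):
    """Return (envelope_recipients, wire_message): the Bcc addresses are used
    only as SMTP envelope recipients and the Bcc header is removed from the
    bytes that actually leave the office."""
    envelope = [a.addr_spec for a in msg["Bcc"].addresses] if msg["Bcc"] else []
    wire = copy.deepcopy(msg)
    del wire["Bcc"]
    return envelope, wire
```

Wire the guard in front of whatever actually sends the mail: if `check_before_send` returns `False`, the message should not leave the office, and the exposed list tells staff what went wrong.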
The Breach – Improper Third Party Disclosure
A problem that’s especially prevalent in small practices and small communities is staff handing over or disclosing confidential information to the family, friends, or neighbors of a patient in an attempt to be helpful. Using a friend to pass along information about a recent appointment instead of contacting the patient directly, or giving copies of test results to a sibling or spouse without express consent, are both HIPAA violations. Another common problem is staff not knowing how to respond to subpoenas or requests from a coroner’s office or parole officer. Just because it seems like there is a legal obligation to be forthcoming with confidential information doesn’t mean there is one.
The Solution – Educate your staff on the HIPAA Privacy Rule and any state laws or regulations that are relevant to your practice. They should be trained well enough to know how to respond to any given situation, and more importantly, know that they need to come to you if they’re feeling unsure.
Thorough employee training is a critical element of HIPAA compliance. Taking the time to educate your staff can go a long way towards reducing your risk of a breach, and save you a lot of time and money down the road.