How Employees Can Help Prevent HIPAA Violations

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notifications Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur.

In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations.  Employers can help employees by providing regular HIPAA training.

Employees Can Help to Prevent HIPAA Violations

Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and to secure ePHI at all times. Refresher training sessions should also be provided regularly to ensure HIPAA Rules are not forgotten.

Employees must also take responsibility for HIPAA compliance and help to prevent HIPAA violations. Even relatively minor violations of HIPAA Rules can have severe consequences. Organizations can be liable for substantial fines, HIPAA violations can cause damage to organizations’ reputations, as well as harm to patients. Employees discovered to have violated HIPAA Rules, even accidentally, face termination and in severe cases, may face criminal charges.

As an employee, if you want to prevent HIPAA violations, take a look at the HIPAA violations below and make sure you do not make these common errors.

How Employees Can Prevent HIPAA Violations

Listed below are some of the common ways HIPAA Rules are violated by employees.

Never Disclose Passwords or Share Login Credentials

Every employee is provided with a unique login, through which they will be granted access to sensitive information. It is therefore essential that those login details remain private. Login credentials should never be shared or written down. Login information is used to track the actions of users, including activities involving ePHI. If another employee has your login credentials, and improperly accesses ePHI using those credentials, it will be your job that is on the line.

Never Leave Portable Devices or Documents Unattended

The Office for Civil Rights breach portal is littered with reports of data breaches involving lost and stolen devices and mishandled PHI. A lost or stolen device containing ePHI is reportable under HIPAA Rules if the device is not encrypted. The Office for Civil Rights investigates reports of lost and stolen devices to determine if HIPAA Rules have been violated. If those devices are discovered to have been left unattended, financial penalties may be issued. Portable devices must never be left unattended and when in use.

The same applies to paper records. Even when busy, healthcare employees must never leave documents containing PHI in areas where they can be viewed by unauthorized individuals, picked up by other healthcare workers, or seen by other patients.

You can prevent HIPAA violations by reminding employees who are not taking sufficient care with patient files about the risk of accidental disclosures of PHI.

Do Not Text Patient Information

Text messages are a quick and easy way to communicate, whether via the SMS network, WhatsApp, or Facebook Messenger. Unfortunately, none of the common messaging services have the necessary controls to prevent accidental disclosures of ePHI to unauthorized individuals.

For example, SMS messages are not encrypted and can easily be intercepted. WhatsApp is encrypted, but lacks appropriate authentication controls. In order for a text messaging service to be used, your employer must have signed a HIPAA-compliant business associate agreement with the service provider. If you need to send ePHI, only do so through approved channels such as a secure, healthcare text messaging platform.

Don’t Dispose of PHI with Regular Trash

While most healthcare organizations have now transitioned to electronic health records, documents are still widely used. Any document containing the PHI of a patient must be kept secure at all times and disposed of securely when no longer required. HIPAA requires all PHI to be rendered unreadable, indecipherable, and unable to be reconstructed when it is no longer needed. Your employer should have strict rules covering the disposal of PHI which prohibits the disposal of documents with regular trash. You must be extremely careful to ensure that any paper copies of PHI are disposed of securely.

Never Access Patient Records Out of Curiosity

The accessing of patient health records by employees, without any legitimate reason for doing so, is a serious violation of HIPAA Rules and patient privacy. While the majority of healthcare employees respect the privacy of patients, there have been numerous cases over the years of patients snooping on the records of patients.

Healthcare employees are only permitted to view patient records if they are required to do so for treatment, payment and healthcare operations. For treatment purposes, employees are only permitted to view the records of their own patients.

The HIPAA Security Rule requires covered entities to maintain access logs to ensure inappropriate ePHI access can be identified. Those logs must be regularly reviewed. Depending on the system in place, a flag could be immediately raised or it may take until the next audit for the privacy violation to be discovered, but Improper accessing of PHI will be identified.

If medical records are accessed without authorization it is likely to result in termination, and potentially criminal penalties against the individual concerned. Such actions are also likely to make it difficult to obtain future employment at other healthcare organizations. Your employer can also face heavy fines and considerable reputation damage.

Don’t Take Medical Records with You When You Change Job

When employees leave a practice, they can be tempted to take PHI with them. Some new employers may even encourage this – the information could be used to recruit patients or sell them medical services or equipment. However, taking medical records, even if there has been a longstanding relationship with the patient, is data theft and could result in criminal charges.

Don’t Access Your Own Medical Records Using Your Login Credentials

The HIPAA Privacy Rule allows patients to obtain copies of their health records on request, but healthcare employees do not have the right to access their medical records using their login credentials. Typically, healthcare providers require staff to go through the same process as patients. In order to gain access to their health data, they must submit a request for a copy of their health information via their HIM department.

Do Not Share ePHI on Social Media (Including Photos)

Many healthcare organizations have developed policies covering the use of social media by their employees and clearly state that details of work activities should not be shared via social media accounts. The sending of a tweet containing personally identifiable information of a patient is a serious HIPAA violation. The same applies to posting on Facebook, even in a closed Facebook group. That includes ePHI and gossip about a patient.

PHI includes health information, but also photographs and videos. In such cases, it doesn’t matter if the photograph does not include the patients name. Patients could easily be identified from the photograph.

Selfies taken at work and posted to social media accounts would violate HIPAA Rules if patients are included in the photograph if prior consent has not been obtained in writing. It would also be a HIPAA violation if PHI can be seen in the photographs – documents and charts etc. If in any doubt about HIPAA Rules, don’t post on social media without speaking to your compliance officer. The National Council of State Boards of Nursing (NCSBN) has published a useful guide for nurses on the use of social media.

There have been several high-profile cases of nurses and other healthcare employees taking photographs or videos of patients and uploading them to social media accounts. Inappropriate sharing of PHI can attract significant financial penalties for the covered entity, termination of employment contracts, loss of licenses, and lawsuits.

Report Potential HIPAA Violations

If you believe a colleague has violated HIPAA Rules it is important to take action to prevent similar incidents from occurring in the future. Report potential HIPAA violations internally to your compliance officer so that action can be taken promptly to address the problem.

If you believe your organization is not doing enough to prevent HIPAA violations, consult your compliance officer. If HIPAA Rules are being regularly violated, you can file a complaint with the HHS’ Office for Civil Rights.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.