8 Common HIPAA Compliance Pitfalls and How to Avoid Them

The U.S. Department of Health & Human Services received 21,381 HIPAA complaints in 2016.

How can you make sure your organization isn’t included in that statistic? It can be hard to know if you’re covering all your bases.

That’s why we created this post with 8 HIPAA compliance pitfalls and how you can avoid them.

Check them out!

1. Be Careful with Texting

Although informal, texting is one of the primary ways doctors and nurses communicate. And the bad news is that SMS technology is not very secure.

On top of that, most hospitals and clinics don’t have the technology or security in place to prevent these messages from getting into the hands of cybercriminals. In fact, there are a wide range of hijacking tools that are commonly used to steal information from text messages.

Instead of using texting, consider utilizing a safer business messaging service. This will ensure that your doctors and nurses aren’t inadvertently leaking patient data and violating HIPPA regulations.

2. Unprotected Workstations and Devices

Fifteen years ago, the only electronic devices in hospitals and clinics were desktop computers.

Nowadays, there are all types of devices being used by your employees, including smartphones, tablets, and laptops in addition to traditional desktop workstations. In fact, a recent study found that 79% of physicians use smartphones for professional purposes.

That’s why all medical offices should have policies in place to ensure patient data is safe on all electronic devices. Make sure doctors and nurses don’t leave their phones or tablets in patient rooms unattended.

However, it’s not just phones and tablets you need to worry about. You still need to secure your desktop computers as well. After a certain length of time do your computers automatically lock? Do you have your employees sign out or enter a password every time they leave the computer?

These are crucial questions to consider.

3. Insurance Gaps

Most medical institutions are equipped with insurance that protects them against HIPAA violations and other malpractice issues. But what about patient data leaks? Cyber attacks?

Now’s the time to work with a cybersecurity professional to understand your main risk areas when it comes to data protection and HIPAA laws. This way you can understand if your insurance coverage is detailed enough.

And even go one step further and check your plan details today or get in touch with your insurance company to ensure you have an up to date plan to deal with technological HIPPA compliance issues.

4. Another HIPAA Compliance Issue: Social Media

Now more than ever, social media is part of daily life for most people. However, in terms of HIPAA compliance, it’s way too easy to accidentally violate regulations using social media.

That’s why the safest thing your organization can do is not allow the posting of any text or pictures about what’s happening at work. Patient information is just too important and sensitive and social media can easily divulge that information, even if it’s a simple picture that doesn’t include any names or personal details.

Also be careful your nurses and doctors don’t share patient information over messaging services like Facebook Messenger or What’s App. Instead, as previously discussed, utilize a secure corporate messaging service.

Organizations who aren’t compliant could be heavily fined if an employee posts something sensitive. The rule of law with HIPAA and social media is to be better safe than sorry.

5. Untrustworthy Business Associates

Keep in mind that HIPAA also applies to all of the companies you do business with. Every vendor you associate with should thoroughly read their BAA (business associate agreement) and agree before signing.

Some medical vendors like to tout the fact that they’re “HIPAA compliant” or “HIPAA certified.” The bottom line is that these designations don’t exist. Any business can go through a HIPAA audit and can be following correct practices, but there is no official way to be 100% certified all the time.

Instead, it’s a daily attitude of dealing with patient data that makes you HIPAA certified. So don’t be fooled by companies who are trying to stretch the truth.

The biggest way you can know that a vendor is going to take compliance seriously is if they will sign your thorough BAA.

6. Carefully Dispose of Paper Files

Far too many HIPAA compliance violations have happened because of this simple human error. Anytime you are disposing of patient files, shred them. Every time.

It doesn’t matter if an employee is super busy, having a rough day, or gets easily distracted. For your organization to be fully HIPAA compliant, you must ensure that all paper files which contain PHI (protected health information) are shredded before being thrown away.

In all honesty, many companies have opted to switch to an electronic filing system for this reason. However, if your office still uses paper files, make it protocol to double check that all information has been properly shredded.

7. Store Files Correctly

No matter what industry you’re in, correctly filing information is tough to do. However, in a medical office, it’s imperative that you do it right. If not, it could result in a large HIPAA compliance fine.

This applies to both paper and electronic files. If you deal with paper files, make sure you don’t put someone’s confidential information in the wrong folder.

On the computer, the same prinicples apply. Always double check you are in the correct file before entering private information.

It can be easy to get distracted with so many things going on in your office, but correctly storing patient information should always be a priority.

8. In-Person Conversations

We’ve covered patient data in paper and electronic formats. But it’s just as important to remember that your in-person conversations are subject to the same HIPAA regulations.

How widespread is this? Anytime your employees are discussing care with a patient and an unauthorized person is within earshot, that’s a violation. That’s why it’s so important to ensure privacy when dealing with patients and their confidential information.

Every member of your staff plays a part in being HIPAA compliant. Make sure they understand their role.

Next Steps

What should you do now?

Start with seeing how you’re doing. Check out our wide variety of HIPAA compliance assessment solutions. And then see what you can do to improve.

As always, contact us with any other questions. We’re here to help!

HIPAA Security Reminders

 

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.

Subscribe!