Do you own a medical practice or run a medical office? If so, then you need to ensure that you’re doing everything possible to keep your patient information private.
Your patients come to you with their most sensitive and private questions and problems. It is your responsibility, under the law, to keep that information secure.
Don’t worry if you’re not sure what HIPAA is or what is considered a breach of HIPAA; we’ve got you covered. We will cover everything you need to know to avoid a breach, and what to do if you accidentally share private patient information.
HIPAA security is a vital piece of giving quality healthcare to your patients. You don’t want to be the cause of further grief for your patients at a time when they are going through medical issues. You also don’t want to make the news due to a cybersecurity breach.
History of the HIPAA Laws
Long before the Affordable Care Act, healthcare reform in 1996 meant the passage of the congressional bill known as HIPAA, the Health Insurance Portability and Accountability Act. This act had multiple facets, including the idea that your health insurance should be portable and that individuals could keep their coverage between jobs.
However, it also made healthcare entities accountable for keeping every patient’s private information secure. As electronic databases became larger and more common, Congress saw the need for hospitals, doctors’ offices, and insurance companies to keep these databases protected.
Now, healthcare providers and insurance providers must have encryption and password safeguards in place to ensure that their patients’ information stays private.
This means safeguarding the computer programs you use to schedule your appointments. It also means protecting the database in which you keep all of your patient information.
Additionally, it includes being careful about how you communicate: from how you communicate with your patients to what you talk about amongst staff members, you need to keep it all secure.
What Is Considered a Breach of HIPAA?
The law passed in 1996 defined a HIPAA breach as either purposefully or accidentally sharing, or failing to safeguard, patient information. There are many ways to breach HIPAA. Here is a list of 10 of the most common breaches:
- Staff accessing patient health information they are not authorized to view
- Impermissible disclosure of patient health information
- Failure to manage risks
- Failure to properly document training to ensure compliance
- Theft of patient information from the records
- Failure to provide patients with their own information and records
- Not monitoring who accesses medical information
- Not encrypting devices that leave the facility with staff
- Sharing personal health information online such as social media or to the press
- Not removing access credentials for employees no longer working for you
Some of these can happen accidentally. However, it is imperative that all of your staff are properly trained not to commit these breaches, even when no malice is intended.
Two examples of well-meaning staff breaching HIPAA involve a nurse who notices their neighbor in the hospital. If the nurse looks at the neighbor’s chart to see the purpose of the visit, that is considered a breach. Likewise, if the nurse mentions on Facebook to the neighbor’s wife that they hope for a full recovery, that is also a breach.
Neither situation is permitted under the law, and the nurse as well as the hospital can face very serious penalties.
What Can You Do If You Breach the Law?
The law offers some grace if you can show that the employee did not purposefully or maliciously breach a patient’s private information. The penalties are very steep, so it is best to ensure that your employees are aware of their actions and know what is considered a HIPAA violation.
Even seemingly innocuous texting from your staff while you are away from your clinic can be a breach of information. A simple text message from your MA saying that “Alice Brown’s CT scan came back showing breast cancer” is a perfect example of a HIPAA breach. It transmits patient information in an unencrypted manner and would be a violation.
If you must get information about a specific patient in this way, it cannot include any identifying details. A better text would be “Patient A.B. CT scan returned positive.” If this text were intercepted or seen by someone other than yourself, it would not give away any specific patient information.
In the unfortunate event of being sued for a breach of conduct, you can show that you trained your employees well. You need to be able to show that your employees have historically only sent encrypted messages, and when you can show that your practice uses a secure app to communicate, you will have a better chance of avoiding the steep fines.
An audit is a good way to see where your possible gaps are before you accidentally breach any patient information. Our risk assessment team can help show you where you can improve and where your team members need extra training.
Don’t risk a HIPAA breach of information leading to steep fines, not to mention letting your patients down if their private information gets out.
Keep It Safe and Keep It Legal
Now that you know what is considered a breach of HIPAA, it is your responsibility to keep your patients’ information secure. It is not enough to try to be compliant: you need to be able to prove compliance, and to prove that your staff have been trained to be compliant.
If you have any more questions about how your company can stay compliant within the law, contact us today.