5 HIPAA Violations You Might Be Overlooking

By Kayla Matthews, HealthIT writer and technology enthusiast, Tech Blog
Twitter: @ProductiBytes

The Health Insurance Portability and Accountability Act (HIPAA) governs the treatment of health care data and privacy regulations in the United States.

Most responsible providers and organizations understand the actions that constitute the most serious HIPAA violations. However, other violations are not so easy to recognize.

Here are five of them:

1. Selfies Published Without the Patient’s Consent
You’ve probably been in situations where patients feel grateful for how you’ve helped them and want to take a selfie with you to cement a momentous occasion, such as getting a cast removed or preparing to bring a newborn home from the hospital. That seems innocent enough, but if you post that selfie to social media without getting permission from the patient, that’s a HIPAA violation.

Something employers can do to prevent this pitfall is to frequently remind employees they cannot post any photos or videos featuring patients without the consent of those individuals. It’s a HIPAA violation even if the information accompanying the media doesn’t include a patient’s name.

2. Revealing/Identifying Responses to Patient Reviews on Public Sites
In today’s highly connected society, it’s common for people to weigh in about both their positive and negative experiences. The best practice for businesses in most industries is to provide prompt responses that make people feel heard. However, you must be especially careful when responding to patients. Otherwise, you may unknowingly commit a HIPAA violation.

Never give any details in a response that confirm a reviewer was a patient, that you provided a particular treatment or that the person had a certain ailment. All those tidbits of information compromise a person’s privacy. You cannot discuss those things in a review response even if the person has disclosed them first, for example by saying “I was unhappy with the care you gave me.”

The best thing to do here is to only respond to patient comments offline. Start by asking the person to contact you privately, then get permission to discuss the matter. Concerning online replies, it’s ideal to let a facility’s communications manager handle them. Otherwise, stick to broad, nonidentifying statements, such as “Patient care is one of our top priorities.”

3. Non-HIPAA-Compliant Technology Carts or Storage Areas
Today’s medication carts and other storage areas for pharmaceuticals are substantially more high-tech than what was available a few decades ago. For example, some medication carts have attached LCD screens that allow hospital workers to record which patients receive medications and when.

If the tech solutions you choose store patient information of any kind, they must be HIPAA-compliant. The Altus ClioMed M3 Powered Medication Delivery LCD Cart is one HIPAA-compliant example that also accommodates physical security needs by including a feature that automatically locks the storage drawers once they close.

Technology carts are among the devices people may not initially think of as being under the HIPAA umbrella. One way to avoid violations is to check every medical device that collects patient data for HIPAA compliance, both the devices already in use and any you are considering buying.

4. Computer Screens Displaying Personal Data to Unauthorized Parties
Computers make duties substantially more efficient for health care workers. However, it’s crucial to position the screens in ways that don’t allow unauthorized people to view the data.

For example, computer screens should not be positioned close enough to patient areas that patients could see information about other individuals in the health care facility. It’s also important that people visiting a patient cannot see the information on a screen.

If your computers in external-facing areas don’t have privacy filters on the screens, you could be at an above-average risk of getting fined due to a HIPAA violation.

5. Too Much Information on Sign-in Sheets
It’s common for people arriving at a health care facility to sign in on sheets at the reception desk. However, asking for anything more than the person’s name and the time of appointment or arrival could result in a HIPAA violation.

HIPAA regulations say sign-in sheets must restrict the requested information to “appropriately limited” material. However, some people think sign-in sheets are not worth the risk. That’s because at some practices, such as an obstetrician’s office, the nature of the practice alone reveals enough about a person’s reason for visiting, even if the sheet doesn’t ask for it.

Staying Informed Helps You Avoid HIPAA Hassles
As this list shows, it’s easier than one might think to receive a HIPAA fine. That’s because patient privacy encompasses several areas, and many of the things on this list would probably seem harmless if you didn’t know better.

Remaining up-to-date about HIPAA specifics makes it easier for you, your colleagues and your organization to avoid fines or unfavorable audit results.