Oops, Was That A HIPAA Violation?!

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Working in healthcare means that you are certainly aware of HIPAA’s existence, but it doesn’t necessarily mean you are the resident expert on what constitutes compliance. You know what you can or can’t do – generally speaking. Most likely, you follow the rules as they are explained to you, and don’t deviate much from that.

However, there are a few HIPAA mistakes that organizations make unintentionally, and each of them is a violation of its policies. Let’s look at a few of those and make note of them so that you don’t repeat anyone else’s mistakes.

Right to Access

If a patient asks for their medical records, they have the right to obtain that health information upon request. There is one exception: psychotherapy notes do not have to be disclosed along with those medical records. In that case, the patient still has a right to their records minus the notes. If a request cannot be met, the patient must be provided with a written explanation as to why the records will not be provided.

Termination Rights

If an employee leaves a healthcare organization, their access to the building, records, and sensitive data needs to leave with them. Forgetting to turn off logins or keycards is one way that companies often fail. Have a checklist for hiring and termination, regardless of who made the choice to end the employment relationship. Just because “they chose to leave” doesn’t mean that shutting off their access is any less critical. Many organizations have suffered breaches at the hands of terminated employees.

Social Media

One healthcare office received – and responded to – a patient’s negative review on an online social media platform. By acknowledging that patient and specific ePHI in their response, they were in violation of HIPAA. If your organization receives a review that you feel needs to be discussed, it is best to reach out to the patient directly and avoid responding by commenting on their post.

In another case, an employee was dismissed after commenting on a post about a vehicular accident. While she didn’t identify the victim/patient by name, her comment “should’ve worn a seatbelt” was viewed by the employer as a HIPAA violation, and it cost her the job.

Let’s Shake on It

Doing business together when it comes to HIPAA has to be more than a handshake. You need to ensure that any third party you work with has signed a Business Associate Agreement if it handles your patients’ PHI.

Businesses can’t be too careful when it comes to ensuring that they remain compliant with HIPAA’s policies and procedures, not only to protect the patient but also to protect the business itself. PHI and cybersecurity are closely connected. An unintentional error might seem small at first, but if not contained, it can lead to a much bigger breach or disaster.

This article was originally published on HIPAA Secure Now! and is republished here with permission.