Is your practice violating HIPAA without realizing?
HIPAA is probably not your favorite topic to chat about in the lunchroom. Since it was enacted in 1996, HIPAA has propelled healthcare providers to invest valuable time and money in order to comply with its wide-ranging demands. From redefining work practices, training staff, upgrading core infrastructure, implementing tighter security protocols – the list never ends…
…but neglecting to comply has serious consequences.
HIPAA Violations in the Workplace
It has now been 20 years since HIPAA was legislated, and there is plenty of evidence suggesting that healthcare providers have grown careless.
These security breaches are often the result of improper or careless use of new technologies. Keeping up with the ever-changing world of technology is already a difficult task, and doing so while also remaining vigilant about ePHI is arguably the greatest challenge facing healthcare providers today.
Is it possible that your practice is violating HIPAA without even realizing it? Consider the following situation:
A patient is being scheduled for surgery and the scheduler’s paper calendar slips off the table and falls next to the patient. The patient bends down to pick up the calendar book to return to the scheduler, but as he is handing back the book, he inadvertently sees his friend Jack listed on the calendar – even though Jack did not want other people to know about his upcoming surgery.
There are also less dramatic breach scenarios to consider:
- Perhaps you use a large whiteboard in your back office, as many practices do, to show the weekly surgery schedule, with patients’ names on display for anyone to see.
- You drive home at the end of the workday with patient-related paperwork in your car, which you intend to work on later that evening – but in doing so, you’re exposing yourself to the risk of leaking sensitive information in the event of a road accident or break-in.
- One of your doctors urgently needs information about a patient’s procedure and asks the scheduler to text him the details. The request is entirely reasonable, but the result is that text messages containing PHI are sent back and forth between the office and the surgeons over insecure applications.
HIPAA Compliant Text Messaging and Apps
While advancements in technology offer huge benefits for surgeons and patients alike, they are also your biggest potential liability. Technology allows us to send and receive information quickly and easily, yet healthcare professionals working with PHI need to be more cognizant and ask themselves: Are these messages being sent securely? Are they being viewed on an encrypted device?
With the majority of HIPAA violations today involving technology in general, and mobile technology in particular, here are some simple steps you can take to protect yourself and your practice:
- Require a secure PIN or password on all devices containing PHI.
- If a device is not already encrypted, enable encryption in its settings.
- A HIPAA compliant surgery calendar app can securely give surgeons access to their schedules and relevant patient information 24/7.
- A HIPAA compliant messaging app (such as IM Your Doc or Doximity) can also eliminate the risk of texting or emailing PHI. It is important to ensure that every app that may be used to send and receive PHI is HIPAA compliant.
- To store ePHI in the office, use only firewall- and password-protected servers.
- Replace paper calendars with a shared electronic calendar, viewable only by authorized staff.
Avoid HIPAA Fines
Taking steps to ensure that your practice is HIPAA compliant in all ways may seem like an inconvenience. However, in light of the alternative (heavy fines, incarceration), it is certainly worth the hassle. Consider educating yourself and your staff on HIPAA compliance, its importance, and the steps you can all take to ensure PHI does not leave your practice. In addition to avoiding penalties, minimizing your practice’s risk of violating HIPAA will also ensure that you preserve your patients’ trust and provide them with the best possible care.
- Ensure HIPAA compliance on all devices that transfer PHI.