HIPAA is probably not your favorite topic to chat about in the lunchroom. Since it was enacted in 1996, HIPAA has propelled healthcare providers to invest valuable time and money in order to comply with its wide-ranging demands.

From redefining work practices, training staff, upgrading core infrastructure, and implementing tighter security protocols – the list never ends. Neglecting to comply has serious consequences. 

HIPAA Violations in the Workplace

It has now been 20 years since HIPAA was legislated, and there is plenty of evidence suggesting that healthcare providers have grown careless.

HIPAA violations are at an all-time high, amounting to millions of dollars, and sometimes even incarceration for healthcare providers.

These security breaches are often the result of improper or careless use of new technologies. Keeping up with the ever-changing world of technology is already a difficult task — and doing so while also remaining vigilant on ePHI is arguably the greatest challenge facing healthcare providers today.

Is it possible that your surgical practice is violating HIPAA without even realizing it? Consider the following situation:

A patient is being scheduled for surgery and the scheduler’s paper calendar slips off the table and falls next to the patient. The patient bends down to pick up the calendar book to return to the scheduler, but as he is handing back the book, he inadvertently sees his friend Jack listed on the calendar — even though Jack does not want other people to know about his upcoming surgery.

There are also less dramatic breach scenarios to consider:

• Perhaps you use a large whiteboard in your back office, as many practices do, to show the weekly surgery schedule, with patients’ names on display for anyone to see.
• You drive home at the end of the workday with patient-related paperwork in your car, which you intend to work on later that evening — but in doing so, you’re exposing yourself to the risk of leaking sensitive information in the event of a road accident or break-in.
• One of your doctors urgently needs information about a patient’s procedure and asks the scheduler to text him the info. Responding to what is a totally reasonable request, text messages containing PHI are being sent back and forth between the office and the surgeons via insecure applications.

Best Practices for HIPAA Compliance with Technology

While advancements in technology offer huge benefits for surgeons and patients alike, they are also your biggest potential liability. Technology allows us to send and receive information quickly and easily, yet healthcare professionals working with PHI need to be more cognizant and ask themselves, “Are these messages being sent securely? Are they being viewed on an encrypted device?”

With the majority of HIPAA surgery violations today involving technology in general, and mobile technology in particular, here are some simple steps you can take to protect yourself and your practice.

1. Require a secure PIN or password on all devices containing PHI.

While it is an obvious tip, it’s still crucial to mention. Experts strongly encourage not to store passwords in plaintext and to use two-factor authentication to decrease the chances of a security breach.

2. Make sure your device is encrypted.

All iOS devices are already encrypted, as long as you have a secure PIN, and some Android devices are also already encrypted. If your Android is not encrypted, learn how to encrypt it.

3. Use a HIPAA-compliant calendar app.

Patient details, surgery times, and post-op communications are just some examples of sensitive information that is being exchanged between medical staff. Surgimate’s calendar app is a HIPAA-compliant patient scheduling platform that gives surgeons and staff members 24/7 access to data in a completely secure format.

4. Utilize a HIPAA-compliant messaging app.

Secure messaging platforms such as Doximity, can eliminate the risk of texting or emailing PHI without proper security. It is important to ensure that all apps that may be used to send and receive PHI are HIPAA compliant.

5. Be sure to use only firewall and password-protected servers.

Firewalls are extremely important for helping prevent unauthorized access to ePHI in the office. In a nutshell, a firewall acts as a security guard for your patients’ information by only granting access to the data under specific programmed requirements. 

6. Replace paper calendars with a shared electronic calendar

A surgery date posted outside the waiting room is a HIPAA violation, as well as many other examples of unintentional HIPAA violations. Surgimate’s HIPAA-compliant calendar is hidden from view, only accessible by authorized staff, and is streamlined — eliminating the possibility of schedule changes being discussed and overheard by patients.

Avoid HIPAA Violations

Taking steps to ensure that your practice is HIPAA compliant in all ways may seem like an inconvenience. However, in light of the alternatives of heavy fines or incarceration, it is certainly worth the hassle.

Consider educating yourself and your staff on HIPAA compliance, its importance, and the steps you can all take to ensure PHI is not spread outside of your practice. In addition to avoiding penalties, minimizing your practice’s risk of violating HIPAA will also ensure that you preserve your patients’ trust and provide them with the best possible care.

Find out more about HIPAA-compliant patient scheduling and communication tools at Surgimate.