Health care providers who believe they have HIPAA compliance under control may be seeing it through rose-colored glasses, because we see the same mistakes over and over, even among organizations that are trying to follow HIPAA. Making HIPAA mistakes can have devastating consequences, but it doesn’t have to be so risky. You can learn from others’ mistakes and get your house in order.
It’s understandable – HIPAA is a huge collection of laws and regulations, and it changes periodically. The explosion of electronic communication and the growth of cyber crime have added to the complexity. Busy compliance staff wearing multiple hats have a difficult time keeping up with all the HIPAA rules.
Take the time to focus on three of the most common and easily fixable mistakes – they’re easy to solve when you know the rules.
HIPAA and Websites, Including Facebook
While almost all health care providers have websites today, we rarely see one that complies with HIPAA. This is a big problem because websites are highly visible to the Office for Civil Rights (OCR) and the first thing they look at when they receive a HIPAA complaint.
One reason websites fail the HIPAA test is that they are often created by vendors who are good at marketing and design but are not HIPAA experts. They say they know HIPAA, but in fact they miss the key issues – we see it all the time. It is not hard to make a website HIPAA compliant, but you need to know what to do.
Most common website mistakes:
- The Notice of Privacy Practices (NPP) is not on the home page. It should not be on a separate page requiring one or more clicks to find it from a menu or dropdown tabs. OCR considers the NPP to be a high priority – it should be prominent, easy to find, and obvious on the homepage – and it should be downloadable so patients can print or save it to their own files.
- Identifying patients without their express prior written permission. Testimonials and photographs (even if the patient is not named) are two common mistakes. A patient’s permission must comply with HIPAA and be in writing before their picture, name, or any other identifying information is disclosed publicly.
- Providing patient forms on the website that violate HIPAA. One of the most common non-compliant forms is the patient right of access. Another mistake is a form that asks patients to provide information (into a portal, or for return by email) without obtaining their express permission to communicate by unencrypted email (more on that below).
Facebook is a website. The Facebook “terms and conditions” make it clear that a Facebook page owner is legally responsible for all of the page’s content. The fact that it is a social media page accessible to the public, including patients who voluntarily post information (or recommendations), does not let the provider off the hook under HIPAA. Health care providers are responsible for complying with HIPAA throughout their business, including their websites and social media pages like Facebook.
Text and Email Might be HIPAA Violations
Appointment reminders by text message and email are commonplace today but often don’t comply with HIPAA. Electronic communication is fast, and most patients prefer it over telephone or regular mail for all kinds of information from their providers. The problem is that HIPAA requires providers to take a few specific, simple steps before sending unencrypted text messages or email to patients. These steps provide a safe harbor that protects providers from committing a violation, but most providers don’t know about them, or if they do, they aren’t using them correctly.
It is NOT true that a patient who contacts you first through unencrypted email has consented to receiving communication from you that way. HIPAA requires that patients be informed of the risks of unencrypted electronic communication beforehand and be given the option to choose. The three simple steps to stay in the safe harbor are: warn the patient; let them decide; and document it.
HIPAA Risk Analysis is Missing or Incomplete
OCR is clear: Risk Analysis and Risk Management are the basis of every HIPAA compliance program, yet most organizations are not completing them. It is easy to do when you know the steps, but it tends to be put on the back burner or ignored completely, leaving a gaping hole in HIPAA compliance.
When OCR conducted HIPAA audits recently they found that 94% of covered entities and 88% of business associates failed the HIPAA Risk Analysis requirement. In many cases a Risk Analysis was begun, but never completed. In other cases nothing was started. At The HIPAA E-Tool® we know what the requirements are and have created an easy-to-follow interactive online tool to ace it, without expensive outside help.
Three key takeaways about what often goes wrong:
- Every location needs its own site-specific Risk Analysis – it is not enough to do one centrally at the main office.
- Out-of-date software is not patched, updated, or replaced – this gives cybercriminals a much easier path to break in.
- Business associate agreements are missing – every vendor that creates, receives, maintains, or transmits protected health information must enter into a business associate agreement with the covered entity and commit to following HIPAA.
Read our blog on how to do a Risk Analysis to learn more.
Learn Simple Rules to Avoid HIPAA Disaster
The HIPAA E-Tool® lays out the HIPAA rules in plain language so you don’t have to wonder and worry about what to do. Every element of HIPAA is presented in logical order with step-by-step interactive guidance to complete the work online, with policies and a search box that make it easy to find any topic. Maintained and monitored 24/7 by a team of lawyers, it’s never out of date. Customer service ensures you have answers to your questions.
Email or call us to find out more.