This is our 36th installment of HIPAA Horror Stories. As of this moment, we seem to be living in a real Horror Story called “COVID-19.” That’s enough to frighten us all. So, this week, we thought it would be a good time to inject a little actionable information into our regular Horror Story post. After all, this week has been scary enough.
If you want to keep up with late-breaking HIPAA changes under COVID-19, check out our HIPAA News page.
The BIG EIGHT are the most basic and easy-to-avoid Health Insurance Portability and Accountability Act (HIPAA) violations.
We present The HIPAA E-Tool®’s EIGHT MOST COMMON HIPAA VIOLATIONS, compiled from news reports and Health and Human Services penalties and settlements.
1. Disclosing patient information to an authorized party AFTER patient permission expires. Yes, a patient can put a time limit on the sharing of Private Health Information (PHI). Disclosing such information after the authorization expires is a violation of the Privacy Rule.
2. Allowing reporters and members of the media to interview patients in a clinical environment.
3. Granting access to multiple patients’ PHI when only one patient’s data is needed. Access to patient data is to be as narrow as possible. Blanket access is prohibited when only a specific record is needed.
4. Discussing patient health in an insecure environment. Beware of eavesdroppers – either inadvertent or malicious – who may learn a patient’s identity and medical details from an otherwise private conversation. This goes for phone calls, too.
5. Sharing information about people 17 years old and younger without a parent or guardian’s permission. HIPAA rules are very clear about the handling of minor children’s PHI.
The Most Common HIPAA Violations Involve Digital Data or Electronic Protected Health Information (ePHI).
6. Distributing patient health details by insecure email. The people at HHS are serious about encrypted email. You must also have a Business Associate Agreement with your email provider.
7. Failing to log out of your computer programs when you leave your workstation. There are plenty of examples of clinicians who have been sloppy with PHI. Remember that unattended computers, copiers, cell phones, and any other digital device can be an invitation to snoopers.
Avoid HIPAA Violations by Limiting Access to Only the Most Necessary Data
8. Providing too much information to authorized parties. An orderly, for instance, must know where to take a patient for a procedure. She doesn’t need to know the results of the procedure. Sharing that information is an illegal, unauthorized disclosure.
If any of these common HIPAA violations seem a little too close to home, give us a call.