Your network is behind a firewall. Your email is encrypted. You change your EHR passwords every three months. Think you’re safe from HIPAA violations? Think again — and then take a good look in the mirror. Human factors are by far the biggest source of risk, experts say. In fact, more than half (59 percent) of all HIPAA data breaches are directly caused by human error.
Reminder: According to CMS, a HIPAA data breach is an impermissible use or disclosure of patient PHI (protected health information) under the HIPAA Privacy Rule that compromises the security or privacy of the PHI. A HIPAA breach can be either intentional or unintentional – and the associated HIPAA violation fine of $100 to $50,000 per record can break your practice.
HIPAA breaches are expensive, time consuming, and can harm your practice’s reputation — and your revenue. Luckily, there are many simple steps you can take to reduce your chances of becoming the next HIPAA horror story. Below are five reasons you’re a HIPAA risk to your practice, and what you can do to prevent HIPAA violations.
1. You’re Vulnerable to Email Scams
Do you love cute kittens, free games, and Nigerian princes? All jokes aside, approximately 41 percent of HIPAA breaches are caused by hacking — and a major way systems get hacked is through email scams. Why? Getting someone to open an email and click a malicious link or download an app is a lot easier than trying to exploit a weakness in IT security or infrastructure. The fact that many of these malicious emails look totally legit only compounds the problem.
All the high-tech security in the world can’t protect your practice if unwitting employees open the door for bad actors. To prevent hackers from gaining access to your practice’s ePHI and causing HIPAA violations, focus on employee education. Make sure employees know about the current email scams (aka phishing) going around, and how to recognize and report phishing attempts (like fake password-reset requests). The bottom line: if it looks suspicious, don’t open it.
2. You’re Lackadaisical about Mobile Device Security
Most of us take work home at least some of the time. But when that work involves patient PHI, you’d better think twice or you could be facing HIPAA violations. While productivity is never a bad thing, using unsecured public mobile networks is bad. This is especially true in places like airports and coffee shops, which are prime places where hackers gain access to networks and traffic they shouldn’t have access to.
If you have employees who need to access patient records remotely, best practice is to have them connect through a VPN (virtual private network). A VPN extends your practice’s private network over an encrypted tunnel, so employees can reach it safely even from public internet connections.
Text messaging is another potential HIPAA hot spot. Many folks think that SMS stands for “secure messaging system,” but that’s a misnomer. While Apple’s iMessage is encrypted by default, regular SMS text messaging is not secure enough to transmit PHI. So seek out an encrypted text messaging application — there are plenty to choose from.
3. You Engage with Your Patients Online
Whether it’s posting fun, behind-the-scenes pictures on your practice’s social media accounts or responding to patient reviews on sites like Yelp, engaging with your patients online is an essential part of marketing your practice. But you have to be extra careful, or you could find yourself with unintentional HIPAA violations on your hands. To protect your practice, try these tips:
- When posting images, check the background for visible PHI (a whiteboard with a patient’s name, for example). The facial recognition capabilities of platforms like Facebook mean that a patient could unwittingly be identified, so if a patient appears in a photo, you must have a signed HIPAA authorization on file permitting you to use the photo.
- Testimonials are a great way to build trust with prospective patients, but before you disclose any PHI — including patient names or photos — be sure you get a signed patient authorization. If you do not have a signed authorization, the patient must not be identifiable in any way. HIPAA identifies 18 categories of PHI that can lead to patient identification. Check them out here.
- Negative patient reviews have the power to wreck your practice, so it’s understandable that you’d want to respond and clear up the situation as soon as possible. Responding to both good and bad online reviews is well-advised, but just be certain that you’re not exposing a patient’s PHI in the process. Best practice is to take the incident offline by encouraging the patient to contact your practice via phone.
4. You Work at the Front Desk — and It’s Messy
Not only does an unkempt front desk send the wrong message to patients, it can also be a HIPAA minefield. Common HIPAA violations at the front desk include:
- Computer, EHR, and Wi-Fi passwords written on sticky notes stuck to the computer monitor
- Patient messages for the doctor left on a notepad next to the phone, in plain view
- Recently printed prescriptions in plain view
- Unopened charts that still identify the names and addresses of patients
- Receptionist’s computer screen visible to patients
- Un-shredded paper containing PHI left in the trash can
Your front desk and reception area can become the picture of HIPAA privacy, preventing costly HIPAA violations, with the following tips:
- Sort out what is necessary to have out on the desk and what’s not. Eliminate what’s not.
- When calling a patient in for her appointment, use only a first name.
- When talking with patients individually, whether in person or on the phone, do so from a quiet, private area.
- Don’t leave patient files unattended or unsecured. If you must leave your desk for a moment but still need the files, store them in a drawer temporarily.
- When not at your desk, close your computer or use a privacy screen.
5. You Make Patient Reminder Calls
Anytime you’re communicating with patients, think privacy to guard against HIPAA violations. The only person who should be hearing about a patient is the patient (or his designated guardian, if applicable). Make every effort to make patient reminder calls from a private area — not from the front desk. When calling, use the patient’s first name only. Simply remind her of the date, time, and location of the appointment and the name of her clinician. Don’t mention the reason for the visit.
There’s Been a HIPAA Breach — Now What?
If you recognize yourself or your staff members in any of the examples above, act quickly to avert disaster and secure patient PHI. But if you have already fallen victim to a HIPAA violation, don’t panic. Accidents happen, and even the most compliant practices can suffer a breach.
Providers are subject to the HIPAA Breach Notification Rule, which requires you to provide notification following a breach of unsecured PHI. Notification must be made to the affected patients, the HHS Office for Civil Rights, and (for breaches affecting more than 500 individuals) the media. To comply with the HIPAA Breach Notification Rule, follow these steps:
- If you suspect a breach, inform your practice management, including your HIPAA compliance officer. You’ll want to contact your practice’s legal counsel as well.
- Conduct a risk assessment following the Breach Notification Rule guidelines. The risk assessment must cover these four factors: the nature and type of PHI involved, the identity of the recipient of the disclosed PHI, the likelihood that the PHI was actually viewed or accessed, and any risk-mitigation strategies applied. If your risk assessment indicates a low probability that the PHI was compromised, congratulations — you’re off the hook. If not, you must proceed with notification.
- Report the breach to affected patients within 60 calendar days following the date of discovery of the breach. In general, the notice should be sent via first class mail. Be sure you include the following in your notice:
  - A description of the breach
  - The dates of the breach and its discovery
  - The types of PHI involved in the breach
  - What patients can do to protect themselves
  - What you’ve done to investigate the breach, mitigate its results, and protect against future breaches
  - Who the patient may contact for further information about the breach
- Report the breach to HHS. If the breach affected more than 500 individuals, you must follow the same 60-day notification rule that applies to patient notification. If the breach affected fewer than 500 individuals, you have until 60 days after the end of the calendar year during which the breach occurred to report. For example, if the breach occurred on July 15th, 2019, you’d have until January 29, 2020 to report.
- If the breach affected more than 500 individuals, CMS requires that you also report it to “a prominent media outlet serving the state or jurisdiction in which the breach occurred.”