The following is a guest blog post by Tim Mullahy, Executive Vice President and Managing Director at Liberty Center One.
For the most part, HIPAA is pretty straightforward – if a little extensive. It lays out some fairly clear-cut rules for protecting patient data, and an incredibly specific framework on what constitutes said data. But as with any set of regulatory guidelines, there are some gray areas.
And there are also some lesser-known aspects that a lot of organizations – both covered entities such as hospitals and clinics, and the business associates that handle data on their behalf – tend to miss. The problem, obviously, is that ignorance in this case is no excuse. A HIPAA violation is a HIPAA violation, no matter how well-meaning the person responsible.
With that in mind, today we’re going to discuss a few of the most common ways both you and your staff might inadvertently run afoul of HIPAA (and, more importantly, how to avoid doing so).
Through Employee Posts on Social Media
It’s a pretty common story these days. An employee says something they shouldn’t on social media. Their employer finds out, and next thing you know, they’re being let go.
That’s exactly what happened to Olivia O’Leary in 2017. An X-Ray technician at the Onslow Memorial Hospital in Jacksonville, North Carolina, O’Leary commented on a Facebook post that the victim of a car accident should have been wearing a seatbelt. Here’s the problem – the victim of the accident was brought to the hospital.
There’s some contention over whether or not O’Leary actually violated HIPAA (the news that the victim was not wearing a seatbelt had been made public by the time she commented). Even so, this story should serve as a warning. It’s your responsibility to make your staff aware that even a seemingly harmless comment can be construed as a HIPAA violation – and that a post linking a named or identifiable patient to their treatment is one, whether or not the poster meant any harm.
By Not Keeping Proper Track of Employee Devices
Personally owned smartphones and home computers are a recurring source of HIPAA trouble. All too frequently, clinicians and other healthcare staff bring personal devices into the workplace, or else use them to work on patient data from the comfort of their own home. The problem isn’t that they’re using these devices, per se.
It’s that they’re doing so without any sort of oversight – no encryption requirement, no ability to wipe a lost device, and no record of who looked at what.
Let’s say, for example, a physician looks at some patient data in her home office. She forgets to lock her PC, and her husband wanders in to do a quick Google search. He sees the patient data – and suddenly a HIPAA violation falls right into their laps.
Or let’s say two doctors are communicating with one another via SMS, discussing a patient’s records. Instead of being careful about what they’re saying, they openly pass PHI back and forth over a channel that is neither encrypted nor logged, and that lives on in both phones’ message histories.
Again, no one here is necessarily acting maliciously. Even so, they’re still putting patient data at risk. Here’s what you need to do:
- Incorporate some form of document management system that ensures PHI can only be accessed by authorized personnel – no matter if they’re at home or elsewhere. It should also include an inactivity timeout (what the HIPAA Security Rule calls automatic logoff) so that if a record is left open for a certain amount of time without any activity, the session ends and the file becomes inaccessible until the user signs in again.
- Utilize endpoint management software that allows you to manage, monitor, and control the devices within your workplace.
- Train and educate your staff on the importance of keeping PHI to approved, secure channels – and if need be, implement a secure messaging solution so they can still keep in touch.
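To make the first bullet concrete, here is an added example (not code from the original post, and not a product of Liberty Center One) of the two controls it asks for: a role-based check that only authorized staff can open a given record type, and an inactivity timeout that revokes a session once it has been idle too long. Every decision, allowed or denied, is written to an audit trail, which is what lets you reconstruct who saw what if a question ever comes up. The role table, the 10-minute window and the injected clock are assumptions for illustration; a real deployment would load the policy from the organization’s access rules.

```python
"""Added example: a PHI access gate with role-based authorization, an
idle-session timeout and an audit trail. Illustrative, not production code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed policy: a session that sits idle for 10 minutes is revoked.
IDLE_TIMEOUT_SECONDS = 10 * 60

# Assumed mapping of job role -> record types that role may open.
ROLE_PERMISSIONS = {
    "physician": {"chart", "imaging", "labs"},
    "nurse": {"chart", "labs"},
    "billing": {"demographics"},
}


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # epoch seconds of the last permitted access
    revoked: bool = False


@dataclass
class PhiGate:
    # The clock is injected so the timeout can be exercised deterministically.
    clock: Callable[[], float]
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def login(self, token: str, user: str, role: str) -> None:
        """Start a session for an authenticated user (authentication itself is
        assumed to have happened upstream)."""
        self.sessions[token] = Session(user, role, self.clock())

    def access(self, token: str, patient_id: str, record_type: str) -> Tuple[bool, str]:
        """Decide whether the session may open this record. Returns
        (allowed, reason) and records the decision in the audit trail."""
        now = self.clock()
        session = self.sessions.get(token)
        if session is None or session.revoked:
            return self._decide(now, "?", patient_id, record_type, False, "no-session")

        # Inactivity timeout: revoke rather than silently extend the session.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.revoked = True
            return self._decide(now, session.user, patient_id, record_type, False, "idle-timeout")

        # Least privilege: the role must be permitted to see this record type.
        if record_type not in ROLE_PERMISSIONS.get(session.role, set()):
            return self._decide(now, session.user, patient_id, record_type, False, "not-authorized")

        session.last_activity = now  # only a permitted access counts as activity
        return self._decide(now, session.user, patient_id, record_type, True, "ok")

    def _decide(self, ts: float, user: str, patient_id: str, record_type: str,
                allowed: bool, reason: str) -> Tuple[bool, str]:
        self.audit.append({
            "ts": ts, "user": user, "patient": patient_id,
            "record": record_type, "allowed": allowed, "reason": reason,
        })
        return allowed, reason


class FakeClock:
    """Constructed test clock so the idle window can be advanced by hand."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[Tuple[bool, str]]:
    """Walk through the scenarios from the text and return each decision."""
    clock = FakeClock()
    gate = PhiGate(clock)
    gate.login("tok-dr", "dr_smith", "physician")
    gate.login("tok-rn", "nurse_jones", "nurse")
    results = []
    results.append(gate.access("tok-dr", "P-001", "imaging"))   # (True, "ok")
    clock.advance(300)
    results.append(gate.access("tok-dr", "P-001", "chart"))     # still active
    results.append(gate.access("tok-rn", "P-001", "imaging"))   # nurse: not-authorized
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results.append(gate.access("tok-dr", "P-001", "labs"))      # idle-timeout, revoked
    results.append(gate.access("tok-dr", "P-001", "labs"))      # no-session after revoke
    results.append(gate.access("tok-unknown", "P-002", "chart"))  # no-session
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The important design choice is that a timed-out session is revoked, not quietly refreshed, and that the denial is logged with the same detail as a success: the audit trail is what turns "someone may have seen it" into an answerable question.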
Via Friends and Family
It seems harmless enough. Someone goes to a hospital for an MRI to check if they have a severe spinal cord injury. A few days later, someone else – a friend or family member – asks about the results.
And the physician tells them. No harm done, right? They’re just concerned about someone they care for.
Here’s the thing – that’s still a HIPAA violation, harmless though it may seem. Sure, it was an innocent inquiry. HIPAA does permit limited disclosures to family or friends who are involved in a patient’s care, but only when the patient has had the chance to agree or object, or when the provider reasonably judges it to be in the patient’s interest. A casual question from an acquaintance days after the visit doesn’t fit that exception. Unless the patient has agreed for their information to be shared, it doesn’t matter who asks.
You’re still violating their privacy if you share it.
Caution is Key
There are a lot of little stumbling points in HIPAA that tend to catch many healthcare providers unawares. Things that may seem innocent or harmless can actually land you in a world of trouble with regulators, costing valuable staff their jobs and even bringing about a lawsuit. The best way to avoid such issues is to be cautious – to treat PHI with the utmost care, and to make sure the systems your staff use make the careful path the easy one.
Do that, and you should be just fine.
About Tim Mullahy
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.