HIPAA guidelines are constantly changing in response to an increasingly complicated culture of information exchange. It can be hard to keep up and remain in compliance, but it is essential, for any clinic, private practice, or hospital dealing with sensitive patient health information. Organizations found to be in violation of any HIPAA guidelines may be fined exorbitantly: one case wherein a pharmacist shared the medical records of a customer resulted in a $1.4 million settlement.

It may seem like a daunting task, but remaining HIPAA compliant is truly simply if you know what you’re doing. The key is keeping an organization’s staff well-informed and aware of expectations, risks, and common HIPAA violations in order to mitigate any problems or slip-ups before they even happen, thus protecting your clinic, private practice, or hospital as a whole.

What is HIPAA?

The acronym ‘HIPAA’ stands for the “Health Insurance Portability and Accountability Act”. Passed by Congress in 1996, HIPAA:

  • Requires protected handling of sensitive health information.
  • Standardizes health care information which appears on billing and other documents.
  • Enables transference and continuance of health insurance for American workers and families.
  • Mitigates health care fraud and abuse.

All organizations are required to implement policy which helps to maintain compliance with HIPAA. Individual medical staff with access to patient information should familiarize themselves with HIPAA requirements and notice where problem spots may occur in their daily working life to avoid any accidental violations. You can read more about HIPAA’s five titles here.

Common HIPAA Violations

More often than not, an organization is unaware of the ways in which its HIPAA violations are occurring. Below, we’ve compiled some of the most common HIPAA violations, to help you avoid incidents and remain in compliance.

  • Keeping insecure records
    This is the top reason for HIPAA violations. In practical terms, this can be anything from storing patient information on a laptop with no password or other security measures in place, to leaving a tube label with a patient’s MRN in a publicly accessible waiting room, to storing physical patient files in an unlocked cabinet. Physical files should be secured in lockable files, and digitally-stored information must be secured with a passcode.
  • Unencrypted data
    Storing digital data without password protections or other forms of encryption is like leaving your front door unlocked. While encryption is not an explicit rule outlined by HIPAA, it is a necessary security measure which organizations must take, especially as medical and hospital records are increasingly maintained in digital formats. As discussed above, patient medical records must be secured with limited-access passwords, and information should be otherwise encrypted. This protects sensitive patient data from unauthorized insiders, as well as external hacking.
  • Snooping
    This form of violation can be unintentional or intentional, and may occur at the organization itself, or at the home of a physician or nurse. If an unauthorized staff member accesses a patient’s record, or reads over the shoulder of a colleague, this is an example of intentional snooping. Additionally, if a doctor chooses to access a patient’s record at home and a family member is able to read the file, this may be unintentional snooping. This can be avoided by authorized accessors being aware of who is around them when they access a file, closing or locking files when they are done reading them or if they step away from their desk, and protecting files with a secure password system.
  • Gossip
    Sometimes disclosing sensitive patient health care information may simply seem like harmless chit-chat. But disclosing patient details to anyone but the patient’s doctor, attending nurse, or authorized family member is always a violation, regardless of the context in which it is said. Patient information and interaction must be upheld as confidential, even in conversation with a colleague, if the conversation is in the open, and if they colleague is not in direct professional contact with the patient. Be sure that when discussing a patient, it is done in a private setting, and with only authorized persons present.
  • Releasing the wrong patient’s information
    This type of violation occurs when a hospital, clinic, or private practice releases patient information to another organization, or to the patient themself, which is incorrectly sourced. This may happen due to incorrect record keeping, carelessness, or failure to corroborate or double-check the information on the chart v the requisition. It’s an easy mistake to make, but the consequences remain the same. In order to avoid this particular violation, staff must remain attentive, check, and recheck acquisitions for names, MRNs and birth dates, and follow all steps necessary to corroborate patient information.

Final Thoughts: Common HIPAA Violations

Remaining in compliance with HIPAA is of the utmost importance when dealing with patient information. It’s easy to do, if an organization understands and prioritizes the security of patient information. Keeping staff well educated on HIPAA regulations, enforce follow-through of practical security measures, and care for patient records with the same attention you give to the patients themselves.

Medely works with nurses to get them into positions they love, when and where they want them. Sign up with Medely today, for free, and start nursing on your terms.