ETHICS

Are You and Your Team HIPAA-Vigilant?

August 1 2021 Kristi Hudson

All healthcare providers and team members are required under the HIPAA Privacy Rule to protect their patients’ personal health information. Unfortunately, HIPAA breaches take place too often, which is why it is essential to mitigate risk and train your team on proper safeguards and handling of protected health information (PHI). (HHS, 2020)

We want to be friendly and build rapport with the patients in our offices. It’s not uncommon for patients to ask about their friends, family members, or even a local celebrity. However, we have a responsibility to protect our patients’ information and must be mindful that we could potentially cause a HIPAA breach by participating in such conversations while working in a healthcare environment.

One of the most common forms of a HIPAA breach is gossip. (Clark, 2020) Talking about patients is a no-no, inside or outside of the clinic. Employees must be aware of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family. In 2014, a Walgreens pharmacist violated HIPAA when she shared confidential medical information about a customer who once dated her husband. Walgreens had to pay a $1.4 million fine. (Ross, 2014)


Employees should also be careful about discussing patients with coworkers because it can lead to a HIPAA violation. If you must discuss a patient with a coworker, be sure that you have the conversation in private and away from common areas. For example, a CA might share patient information with an X-ray technician authorized to receive the information, which is fine. However, if the discussion occurs in a common area where unauthorized personnel could easily overhear it, that would be a HIPAA violation. (White, n.d.) Do you talk to yourself? You wouldn’t think an offhand comment made in the back of a clinic could cause a HIPAA violation, but that’s what happened in 2015. An employee at the University of Iowa’s Student Health Center expressed her surprise about the results of a high-profile student athlete’s pregnancy test. The employee made a seemingly innocent comment about hoping the young couple was happy and said she’d been talking to herself. The incident was overheard and reported by other employees, which resulted in the employee being fired. (Brenner, 2017)

Another common HIPAA violation is the mishandling of patient records. All printed medical records must be kept locked away in a safe place from the public’s view.

Practitioners and staff should be sure that charts aren’t left in the examination room after patients’ visits. Any electronic information should also be password-protected and kept out of view, and you should have a signed business associate agreement (BAA) with any third party that has access to your clinic’s PHI. In 2016, an orthopedic clinic hired an outside vendor to convert all X-ray films from files to digital form so the vendor could harvest the silver from the films, which is a common service. Since the clinic didn’t first sign a BAA with the vendor, it violated HIPAA. The Department of Health and Human Services’ Office for Civil Rights (OCR) ordered the clinic to pay $750,000 and implement a corrective action plan. (HIPAA Journal, 2021)

Invading a patient’s privacy can be the ultimate act of betrayal. Compliance training is one of the easiest and most proactive ways to avoid a violation. HIPAA laws require all employees, volunteers, interns, and anyone with access to patient information to be trained. Make training your team a top priority. If you are unsure where to start, ask for help. Your state association will have resources to help and can point you in the right direction. There are also very reputable compliance companies that can guide you or assume the management of your clinic’s compliance entirely.


Kristi Hudson is a certified professional compliance officer (CPCO). She serves as the Director of Business Relationships for ChiroHealthUSA where she has helped to educate DCs and CAs on establishing simple and compliant financial policies. You can contact Kristi at 888-719-9990 or [email protected], or you can visit the ChiroHealthUSA website at www.chirohealthusa.com.

References

1. Brenner, B. (2017, June 2). 20 Catastrophic HIPAA Violation Cases to Open Your Eyes. Retrieved from MedPro Disposal: https://www.medprodisposal.com/hipaa/20-catastrophic-hipaa-violation-cases-to-open-your-eyes/

2. Clark, M. (2020, September 20). Gossip HIPAA Violations: When, Where, How and Why. Retrieved from Etactics: https://etactics.com/blog/gossip-hipaa-violations

3. HHS. (2020, December 10). The HIPAA Privacy Rule. Retrieved from HHS.gov: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html#:~:text=The%20HIPAA%20Privacy%20Rule%20establishes,certain%20health%20care%20transactions%20electronically.

4. HIPAA Journal. (2021, January 6). How Should You Respond to an Accidental HIPAA Violation? Retrieved from HIPAA Journal: https://www.hipaajournal.com/accidental-hipaa-violation/#:~:text=In%20April%202016%2C%20the%20Raleigh,the%20silver%20from%20the%20films.

5. Ross, M. (2014, November 17). Pharmacist Costs Walgreens $1.4 Million for Violating HIPAA. Retrieved from Pharmacy Times: https://www.pharmacytimes.com/view/pharmacist-costs-walgreens-14-million-for-violating-hipaa-

6. White, M. G. (n.d.). Examples of HIPAA Violations and Common Scenarios. Retrieved from YourDictionary.com: https://examples.yourdictionary.com/examples-of-hipaa-violations.html