Leaking information has caused plenty of public relations disasters and penalties since the Health Insurance Portability and Accountability Act (HIPAA) went into effect in 2003. The right steps can minimize these errors and easily save providers, companies, and other entities thousands or millions of dollars in damages. Here are some blunders that companies can learn from to eliminate these huge mistakes.
Overlooking State Privacy Laws
In California, clinical laboratories are not subject to state disclosure laws when the laboratory is not directly affiliated with a HIPAA covered entity. A patient under HIPAA however has the right to have the results in plain language when a test is ordered by the patient’s physician, in this example.
HIPAA privacy protection laws do not override more restrictive state privacy laws. In order to ensure adequate privacy protection, covered entities must be aware of applicable state laws. In California and across the country, there will be different laws that apply.
Unlocked Screen Savers and Unencrypted Files
Image via Flickr by jrcherry
A screen saver is an opportunity for a HIPPA blunder because patients have access to any records on the system on many machine, once the nurse or counselor leaves the area. Manually locking the system, and using a password solves this common problem.
Further issues exist with digital data. Law360 points to mobile devices and remote access as problems. However, in the words of William Maruca, encrypted data is the answer, “if all information is encrypted, then that’s the end of it – it’s not reportable.” Encryption and data wiping programs are strong defense mechanisms.
Failing to Assign a Privacy Officer
Any medical office, regardless of how small or large, is required to name a Privacy Officer by law. It also doesn’t matter whether the position is a full-time job, as it can merely be an office manager. This is actually quite common in smaller organizations.
Responsibilities include creating and revising the company’s Privacy Policy, which must be circulated to each patient. The officer will also be in charge of developing non-disclosure agreements, handling complaints, and having up-to-date knowledge of the requirements of the HIPAA and the Privacy Rule.
Neglecting Contingency Plans
Image via Flickr by Elliott Brown
What will happen in emergencies and events of data loss or system errors? After all, the 2013 Texas HIPAA blunder that affected 227,000 patients is a stark reminder that data breaches can happen.
All HIPAA covered entities must have a contingency plan that encompasses a range of scenarios. It must also have an annual testing and revision process.
Not Training/Retraining Workers
There is an initial training period where new hires will have limited access to protected health information. When material changes to the privacy policy, the workers must be retrained to stay up-to-date with the policy.
Some blunders in this topic came after HIPAA violations. Retraining is mandatory, in this case. HIPAA covered entities should also periodically conduct retraining sessions as well.
Penalties can be stark under the HIPAA – even for small healthcare providers. Learn from other’s mistakes to ensure secure data, and follow all privacy laws. Be proactive to avoid those disasters and penalties that come more often than necessary.