HIPAA standards seem to be ever-changing and can often be confusing for the average business owner or manager in the medical field.  Sometimes, the best way to learn about what you should be doing when it comes to HIPAA compliance is to hear examples of what you should not be doing.

Here are ten real-life examples of HIPAA violations; they should give you a good roadmap of the areas you and your staff should be wary of:

  • Failure to promptly release information to patients.  ‘Prompt’ can be a very relative term, but what you need to keep in mind is that you should have a protocol for when you release information and keep to that protocol with all patients. You are required to respond to patient requests as soon as possible, with a limit of 30 calendar days from the date of the request.
  • Improper disposal of patient records.  Shredding is mandatory before disposing of patient records.  You can’t just throw them in the dumpster and think you’re in the clear.  ALWAYS shred patient records when you no longer need them.  If you use a shredding service, make sure you obtain a receipt.
  • Missing patient signatures.  HIPAA forms without the patient’s signature are invalid.  Make sure your staff is trained to always check every document twice for signatures before the patient leaves.
  • Releasing the wrong patient’s information.  Again, this goes back to training and making sure your employees are conscientious.  Have a process in place that all employees know and use.
  • Discussing information with friends or relatives about patients.  It might seem innocent to tell your spouse about the interesting case you saw in your examining room that morning.  After all, who is she going to tell?  Don’t make this mistake.  Discussing patients with ANYONE not involved in their care is a violation.
  • Discussing private health information in public areas.  Even if you ARE discussing information with someone else involved in the patient’s care, if you’re doing so in a place where others NOT involved can hear, you are in violation.
  • Discussing private health information on social media.  There are a lot of rules here when it comes to what qualifies as private health information.  A violation could be as simple as referencing the age and condition of a patient in a post.  Make sure you know what is and is not acceptable on social media.
  • Not logging off a computer system that contains private health information.  Even if you think no one can get to your computer, you need to log off when you are away from it.  Yes, even when you go to the restroom!
  • Including private health information in an email that is not secured.  Everything that goes through the Internet needs to be encrypted.  Make sure you are working with a technology company that can help you properly encrypt everything that includes PHI.
  • Releasing information about minors without the consent of a parent or guardian.  Always make sure you get SIGNED consent.  Always.  If the parents are divorced, you must get written permission from the custodial parent or guardian.

HIPAA does not need to be frightening.  The best thing you can do is to educate yourself and your team about potential violations and how to stay in compliance.  If you have more questions about HIPAA or HIPAA training, please feel free to reach out to our knowledgeable team!