HIPAA privacy, security, and breach notification rules require healthcare organizations and their business associates to implement various controls to avoid HIPAA violations. Yet breaches still occur despite controls designed to minimize the risk of HIPAA violations.
Hackers and cybercriminals in many industries cause most security breaches. Healthcare is particularly vulnerable to insider attacks. There are some ways healthcare institutions can enhance their defenses and use technologies to detect breaches as soon as they occur. Healthcare employees can also prevent HIPAA violations. Let’s see what is a HIPAA violation in the workplace?
1. Don’t share passwords or login information
A unique login is provided to each employee, through which they can access sensitive information. Keeping that information private is therefore crucial. Never write down your login credentials. Users’ login information allows us to track their activities, including those that involve ePHI. If another employee improperly accesses ePHI with your login credentials, your job is at risk.
2. Possess a mobile device
Today, HIPAA violations are most commonly caused by lost or stolen mobile devices containing patient health information. If your employees fail to secure their laptops or tablets or leave the devices unattended, your business will be responsible. It would be better if you reminded your employees always to be aware of their mobile devices and turn them off when they’re not in use.
3. Patient information should not be texted
Whether you use WhatsApp, Facebook Messenger, or SMS, text messages are quick and easy to communicate. ePHI cannot be accidentally disclosed to unauthorized individuals with common messaging services.
SMS messages, for instance, are not encrypted and can be easily intercepted. However, WhatsApp lacks adequate authentication controls. An agreement of HIPAA-compliant business associates must be signed between your employer and the text messaging service provider for you to use text message services. Use only secure healthcare text messaging platforms to send ePHI if necessary.
4. Never dispose of PHI with the regular trash
Documents are still widely used in most healthcare organizations, even though most are switching to electronic health records. It is important to keep patient PHI secure and discard it securely once it is no longer needed.
According to HIPAA, all PHI must be rendered unreadable, unintelligible, and impossible to reconstruct when it is no longer needed. Disposing of PHI should be strictly regulated by your employer. Documents should not be thrown out with regular trash. If you dispose of paper copies of PHI, you must be extremely careful to ensure their security.
5. Don’t look at patient records out of curiosity
It is a serious violation of HIPAA rules and patient privacy when employees access patient health records without a legitimate reason. Patients sometimes snoop on the records of healthcare employees, even though the majority of employees respect patient privacy.
Healthcare workers can only view records of patients if they are required to do so for treatment, payment, or healthcare operations. Employees may only view their patient records for treatment purposes.
6. Using social media wisely
Most healthcare organizations have established social media policies that restrict employees’ use of social media and state very clearly that work-related details shouldn’t be shared. HIPAA prohibits sending tweets containing patient information. Facebook posts, even those in closed groups, follow the same rule. The same applies to ePHI and gossip.
Photographs and videos are included in PHI. The name of the patient is not necessary in such cases. A photograph can easily identify the patient.
