5 Ways You Are Violating HIPAA Without Knowing It

Keeping patient records private and secure is a full-time job for any medical organization. More importantly, it’s a job that every member of the team is responsible for maintaining.

Unfortunately, staff members and medical professionals are human and sometimes they make mistakes. While those mistakes don’t always result in negative consequences for the patients, they are still violations of the Health Insurance Portability and Accountability Act (HIPAA).

However, there is the potential for serious consequences for patients including but not limited to identity theft, medical insurance fraud, and other personal repercussions that might cause the patient pain and distress.

The bottom line: Maintaining patient confidentiality and privacy in accordance with HIPAA law is critical. Every practice should be aware of the potential slip-ups and pitfalls that could occur in everyday life and make an effort to educate staff and physicians on how to avoid them.

Below are 5 common ways that medical professionals accidentally violate HIPAA laws, often with the best of intentions at heart. Accident or not, the results are just as real, and these types of occurrences can be avoided by keeping staff members aware of the dangers of letting private details slip.

Unguarded conversations

It is easy to mention a patient visit in casual conversation, or to discuss a particularly challenging case with personal details attached, so staff members and physicians must remain vigilant whenever patient information is involved. Even asking about a mutual acquaintance in passing and mentioning a recent visit violates HIPAA privacy law. Most people don’t think twice about it, but there is always the chance that private information reaches the wrong person or is shared in a way that negatively impacts the patient.

Social media

The various forms of social media have become a huge part of most people’s lives. Whether it’s Twitter, Facebook, LinkedIn, or Instagram, there’s an inherent risk for medical professionals who discuss any aspect of their work lives openly on the internet. According to one source, a common violation is posting patient pictures, even when names aren’t attached. The best rule of thumb for social media is to keep anything related to patient records far away from social media sites. It’s just too risky for a costly HIPAA violation to occur.

Mishandling medical records

One of the most obvious HIPAA violations is allowing medical records to fall into the wrong hands. This can happen due to lax handling practices for printed records or as a result of insufficient digital security for electronic health records (EHR). Maybe a sheet of paper with a patient’s contact information or insurance details was unintentionally left in view of another patient. It’s accidental, but it’s also exposure of HIPAA-protected information and a violation of HIPAA law.

Texting private records

Practices and physicians should treat texting as an ongoing risk. For real protection of texted information, both phones have to be equipped with a program that encrypts and decrypts the messages, which is not always a realistic option. In a world where hacking and cyber-theft are all too common, it never hurts to be careful. Practices should rarely, if ever, text a patient any confidential information; patient records and medical details should be reserved for more secure forms of communication.

Lost or stolen devices

No matter the industry, a lost or stolen device is a big risk. For the medical industry, it’s dangerous on many levels, not least of which is the threat of HIPAA fines for privacy law violations. According to Becker’s Hospital Review, HIPAA violations can result in fines ranging from $100 to $1.5 million for practices. While lost or stolen devices don’t always result in fines, practices can be held accountable for not keeping better track of sensitive property. Fortunately, there are options, such as remote wipe capabilities that allow a practice to erase the data on any device that has been compromised. This type of precautionary measure, especially in the digital age, is vital not only for keeping patient information secure but also for protecting the practice from potential fines.

Most medical professionals would never intentionally violate HIPAA privacy laws. However, with so many obligations, priorities, and risks to consider, it’s easy to slip up on the little details.

To protect themselves and their patients, practices need to make every effort to take precautionary measures like those described above when it comes to HIPAA laws, since ultimately, the consequences for failing to protect patients can be expensive for practices and patients alike.