Many HIPAA violations stem from a lack of understanding of HIPAA requirements, particularly on the part of healthcare workers who breach the Privacy and Security Rules without realizing it.
However minor a violation may appear, it can cause serious harm to patients and to the employer, and it can end in disciplinary action against the employee responsible, up to and including termination.
We have put together a list of the most common HIPAA violations committed by healthcare employees. Every healthcare worker should be made aware of them so that they do not breach HIPAA by mistake.
Sending ePHI to a Personal Email Account or Removing PHI
This typically happens when healthcare workers want to catch up on work in their own time. Removing protected health information from a healthcare facility, or forwarding it to a personal email account, takes it outside the facility's safeguards and puts it at risk of exposure. This violation is common enough that it may even have come to be treated as acceptable practice at understaffed facilities. It is not: ePHI must not leave the facility, or be sent to a personal account, unless the employer's policies expressly permit it and the required safeguards (such as encryption) are in place.
Unattended Portable Electronic Devices & Paperwork
The HIPAA Privacy Rule requires PHI in any form to be safeguarded, and the Security Rule sets out specific safeguards for ePHI. Paperwork left unattended can be read by an unauthorized individual, whether a member of staff, a patient, or a visitor to the healthcare center. Were that to happen, it would be an impermissible disclosure of PHI.
Electronic devices that hold ePHI must likewise be safeguarded at all times. Portable devices are small and valuable, and a thief who takes an unattended device also takes the ePHI on it. There have been many instances of healthcare employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can just as easily occur inside a facility if devices are not secured. Encryption matters here: the loss of a device encrypted in line with HHS guidance does not expose unsecured PHI, whereas the loss of an unencrypted device does. Healthcare employees must follow their employer's policies and never leave devices or paperwork unattended.
Sharing Patient Information to an Unauthorized Individual
Before PHI can be disclosed to a third party for any purpose not expressly permitted by the HIPAA Privacy Rule, the patient must complete an authorization form. Sharing PHI for purposes other than treatment, payment, or healthcare operations (and a limited set of other permitted uses) is a HIPAA violation unless the patient's authorization has been obtained in advance.
Healthcare workers must confirm, before sharing PHI with a third party, that a valid authorization is on file and that the information is not shared with any person or company not named on that authorization. An authorization form is only valid if it has been completed and signed by the patient or their personal representative.
Sharing Information Beyond the Scope of an Authorization
Related to the previous point, healthcare workers must also take care over the types of information released to third parties, even when an authorization form permits a specific individual, company, or group to receive PHI.
The authorization form lists the types of information that may be released. Anything not listed on the form must remain private and confidential and must not be shared; disclosing additional information breaches the HIPAA Privacy Rule.
Sharing PHI with Third Parties After an Authorization Has Expired
Every HIPAA authorization form must name the individuals or classes of individuals authorized to receive PHI, describe the PHI that will be shared, and state the purpose of the disclosure. It must also include an expiration date (HIPAA also permits an expiration event, such as the end of a research study).
Once the expiration date has passed, PHI must not be shared with anyone listed on the form, even though they were previously authorized to receive it. A new authorization form is required before any further disclosure. An authorization form with no expiration date or event is not HIPAA compliant.
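A release-of-information workflow would enforce the checks from the preceding sections (correct patient, valid signer, named recipient, authorized categories only, not expired, expiry present) as a single gate, reporting every failed check rather than the first. The Python below is an added example written for this page, not code from the original article or from any EHR vendor. The field names, the sample authorization, the insurer, and the dates are constructed for illustration, and the model treats the expiration as a calendar date only; an authorization that expires on an event would need an extra field.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """Core elements of a HIPAA authorization as the page describes them."""
    patient_id: str
    signed_by: str                   # "patient" or "personal_representative"
    recipients: FrozenSet[str]       # named individuals or classes of recipient
    phi_categories: FrozenSet[str]   # what may be released, e.g. "lab_results"
    purpose: str
    expiry: Optional[date]           # None models a form that omits the expiration


@dataclass(frozen=True)
class DisclosureRequest:
    patient_id: str
    recipient: str
    phi_categories: FrozenSet[str]
    requested_on: date


VALID_SIGNERS = {"patient", "personal_representative"}


def check_disclosure(auth: Authorization, req: DisclosureRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the
    first, so the employee handling the request sees everything that is wrong."""
    reasons: List[str] = []
    if auth.patient_id != req.patient_id:
        reasons.append("authorization belongs to a different patient")
    if auth.signed_by not in VALID_SIGNERS:
        reasons.append("not signed by the patient or a personal representative")
    if auth.expiry is None:
        reasons.append("no expiration date: the authorization is not valid")
    elif req.requested_on > auth.expiry:
        reasons.append("authorization expired on " + auth.expiry.isoformat())
    if req.recipient not in auth.recipients:
        reasons.append("recipient %r is not named on the authorization" % req.recipient)
    extra = sorted(req.phi_categories - auth.phi_categories)
    if extra:
        reasons.append("categories not covered by the authorization: " + ", ".join(extra))
    return (not reasons, reasons)


# Constructed sample data (hypothetical patient, insurer and dates).
SAMPLE_AUTH = Authorization(
    patient_id="P-1001",
    signed_by="patient",
    recipients=frozenset({"Acme Life Insurance"}),
    phi_categories=frozenset({"lab_results", "medication_list"}),
    purpose="life insurance underwriting",
    expiry=date(2024, 6, 30),
)

SAMPLE_REQUESTS = {
    "in_scope": DisclosureRequest("P-1001", "Acme Life Insurance", frozenset({"lab_results"}), date(2024, 5, 1)),
    "wrong_recipient": DisclosureRequest("P-1001", "Acme Claims Services", frozenset({"lab_results"}), date(2024, 5, 1)),
    "extra_category": DisclosureRequest("P-1001", "Acme Life Insurance", frozenset({"lab_results", "psychotherapy_notes"}), date(2024, 5, 1)),
    "after_expiry": DisclosureRequest("P-1001", "Acme Life Insurance", frozenset({"lab_results"}), date(2024, 7, 1)),
}


def evaluate_samples(auth: Authorization = SAMPLE_AUTH):
    """Run every sample request through the gate; returns {name: (allowed, reasons)}."""
    return {name: check_disclosure(auth, req) for name, req in SAMPLE_REQUESTS.items()}


def missing_expiry_is_rejected() -> bool:
    """A copy of the sample form with no expiration must fail even for an in-scope request."""
    no_expiry = replace(SAMPLE_AUTH, expiry=None)
    allowed, _ = check_disclosure(no_expiry, SAMPLE_REQUESTS["in_scope"])
    return not allowed


if __name__ == "__main__":
    for name, (allowed, reasons) in evaluate_samples().items():
        print(name, "ALLOWED" if allowed else "DENIED", reasons)
```

Only the `in_scope` request passes; the other three are denied with a reason that names the recipient, the category, or the expiration date at fault, and the form without an expiration is rejected regardless of the request.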
Impermissible Sharing of Patient Health Records
The HIPAA Privacy Rule gives patients the right to obtain a copy of their health records on request, or to have the records sent to a third party of their choosing, such as a personal representative. If the records are not collected in person by the patient, the third party must have been authorized in writing by the patient to receive them before they can be shared.
Before handing over copies of health records, healthcare employees must verify the identity of the patient or of the person collecting the records, and must ensure the records are shared only with an individual authorized to receive them. Care must also be taken to ensure that the correct patient's records are released.
Placing PHI onto Unauthorized Devices
Keeping an inventory of every device that connects to the network is a painstaking task for healthcare IT departments, given how many different devices have network access. Ensuring those devices are safeguarded is harder still, yet both are requirements for HIPAA compliance.
Healthcare workers need to be aware of the privacy and security risks of downloading ePHI to unauthorized portable devices. Doing so not only heightens the risk of an accidental disclosure if the device is lost or stolen; it can also be treated as theft of PHI and as a HIPAA violation in its own right.
Allowing Unauthorized Access to Medical Records
It is the covered entity's responsibility to ensure that access to patient health information and medical records is granted only to authorized individuals. This is achieved with access controls tied to unique user identifiers, which the Security Rule requires.
Employees in turn have a responsibility not to give co-workers who lack the same access rights access to health information. Sharing login details can result in an impermissible disclosure of ePHI, and every action taken under a shared login is attributed to the individual whose credentials were used, not to the person who was actually at the keyboard.
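The attribution problem in the previous paragraph is visible in the EHR audit trail, and so is the tell-tale sign of a shared login: one user identifier active on two different workstations within moments of each other. The Python below is an added example written for this page, not code from the original article or from any EHR product. The log format, user names, hostnames, and patient identifiers are constructed for illustration; a real system's audit format will differ, and the five-minute window is an assumption to tune locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed EHR audit-log lines (hypothetical users, hosts and patient IDs).
SAMPLE_LOG = """\
2024-03-04T09:01:12 user=jdoe host=WS-12 action=view_record patient=P-1001
2024-03-04T09:02:40 user=jdoe host=WS-12 action=view_record patient=P-1002
2024-03-04T09:03:05 user=jdoe host=WS-31 action=print_record patient=P-2210
2024-03-04T09:04:10 user=asmith host=WS-07 action=view_record patient=P-1001
2024-03-04T12:30:00 user=jdoe host=WS-31 action=view_record patient=P-1003
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed format above; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def actions_attributed_to(events, user: str) -> List[Tuple[str, str, str]]:
    """Everything the audit trail pins on `user`: (host, action, patient).
    The trail cannot say who was at the keyboard, only whose login was used."""
    return [(e["host"], e["action"], e["patient"]) for e in events if e["user"] == user]


def concurrent_host_use(events, window: timedelta = timedelta(minutes=5)):
    """Flag a login that appears on two different hosts within `window`.
    Consecutive events per user are compared, so a user who walks between
    workstations can trigger this too; treat findings as triage leads."""
    by_user: Dict[str, list] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["host"] != b["host"] and b["ts"] - a["ts"] <= window:
                gap = (b["ts"] - a["ts"]).total_seconds()
                findings.append((user, a["host"], b["host"], gap))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in concurrent_host_use(evs):
        print("possible shared login:", f)
    print("attributed to jdoe:", actions_attributed_to(evs, "jdoe"))
```

On the sample data the `jdoe` login is seen on WS-12 and then on WS-31 twenty-five seconds later, which is the finding a reviewer would follow up (badge data or a conversation with the employee resolves whether it was a shared password or a brisk walk). The print of patient P-2210's record from WS-31 is attributed to `jdoe` either way, which is exactly the exposure the paragraph above warns about.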