Praying that the federal government doesn’t knock on your door for an audit isn’t a good plan, nor is hoping you never have a breach. If that is the extent of your processes and procedures, it is only a matter of time before both things happen and the fines will rack up quickly.
In 2015, the Office for Civil Rights (OCR), which enforces HIPAA, investigated 17,694 complaints and only 359 had no initial violations – that’s only 2%!
12 Common HIPAA Mistakes We See at Medical Practices
- Ignorant About HIPAA Regulations – The law specifically states that ignorance is no excuse. You need to educate yourself about HIPAA regulations by reading blogs like this one and accessing the knowledge of experts with healthcare expertise in technology, law, accounting, etc. (If you need a reference, we are happy to introduce you to our alliance of healthcare experts.)
- Not Having a HIPAA Assessment (Especially if Using Meaningful Use) – If your medical practice used the Meaningful Use tax credit to digitize your medical records [most practices did], a stipulation of that tax credit is having a regular assessment. HIPAA also requires a baseline assessment and periodic audits to evaluate your improvements to securing your PHI (Protected Health Information).
- No Plans to Increase Data Security – Part of a HIPAA audit is to review your progress in increasing your security for PHI, both physically and electronically. Regardless of your current security state, HIPAA wants to see that baseline assessment [mentioned previously], your plans to improve, and the audits proving that you’ve improved. Remember to document everything you’ve done and what you implement. Intent will get you further than ignorance here.
- No Breach Notification Plan – Another aspect of HIPAA is having a plan to notify any patients potentially affected by a breach, even if you plan to outsource it. If you have a breach that affects more than 500 individuals, you must contact them within 60 days. In January, a Chicago-based healthcare facility was fined $475,000 for missing that 60-day deadline by 3 days!
- BAA with All Vendors – You must have a signed Business Associate Agreement (BAA) with every vendor that has access to physical and electronic medical records. These vendors are known as “business associates”, hence the acronym BAA. [Learn more about Business Associate Agreements (BAA)]
- Sending Unsecured Emails – You cannot send ePHI (Electronic Protected Health Information) via email unless it is secured. A good IT firm can set you up to send secure emails from Outlook starting at $2/month per user.
- Sending Unsecured Texts – Much like email, you cannot text a patient their own health information. Subscribe to a secure text messaging application, use secure emails, or utilize a patient portal. [Learn more about texting patients.]
- Unprotected Devices – Every mobile device and workstation with access to ePHI needs to have a login. The good news is that this protection is built in, so it is free!
- Universal Logins & Passwords – Many small doctor offices use the same username and password for every user on every device. This minimal protection only protects your data from people outside your practice (and usually the password is yelled across the office and written down somewhere, so it isn’t protecting anything). Every user should have a unique login to protect yourself from former employees and to identify who is logged in to what device. Also, website login passwords should be different for each website. (We suggest using a password management application that stores passwords and can generate unique passwords.)
- Passwords Never Change – Every password should be changed at least every 90 days – that is only 4x a year. If you or one of your vendors suffers a breach, changing your passwords on a regular schedule minimizes the impact on your patients.
- BYOD – A Bring Your Own Device (BYOD) policy sounds cheaper because you put the cost burden on employees to supply their own equipment, but in the end it costs medical practices more because of a lack of standardization, security, and monitoring as well as potentially bringing viruses into your network and losing data when an employee leaves. [Learn about the pros & cons of BYOD.]
- Focusing on ePHI & Ignoring PHI Security – Many medical practices focus all of their attention on securing their network, locking down devices, and creating mechanisms to send secure emails and texts, but they leave folders with patient records unattended and out in the open. You cannot wear blinders and only focus on the digital aspects of your data. You need to protect your physical files too. (Don’t forget to lock up your server. Someone can get to your electronic files by stealing the physical device that stores them, hence the need for a login.)
All of these common HIPAA mistakes are preventable. The most important aspect is to take ownership of protecting your patient data, have an assessment, and make a plan to continually improve. A good IT firm with healthcare experience can help you with the technology aspects of the HIPAA regulations and protect your practice from fines.