Over the past 10 years of visiting clinics and hospitals, for business or personal reasons, it’s hard for our consultants not to take note of how HIPAA compliance is practiced, and most of the time they’re surprised at what they see. The question on their mind is, “Who will be the next data breach victim?” Below are some common HIPAA violation scenarios from our experience.
Lack of new hire and refresher staff education
The first violation noted is usually lack of staff education. Current HIPAA Privacy and Security regulations require that:
• Everyone in your organization is trained on HIPAA
• Annual refresher training is provided
• Training is documented
• Your Business Associates are trained
We see everything from “no training” to “word of mouth training.” Education is the first thing auditors will look for when conducting compliance audits.
Bulletin boards identifying patient information
Upon walking into a clinic, Judy Norman was greeted by a beautiful bulletin board that welcomed new patients to the practice, identifying each patient by full name and town. Patient names and addresses are protected health information under HIPAA and may not be shared in this manner without authorization from the patient.
Announcing patient names
In most practices, patients are called up in the waiting room by their full names in front of everyone. Using first names only is recommended. Also, refrain from conversations in the lobby such as, “How is your knee feeling?”
The check-in process
The check-in process for patients often leaves much to be desired in terms of privacy. Consider this common interaction at a doctor’s office:
Staff: What’s your birth date?
Me: March 5, 1990
Staff: Is your name Ericka Adler?
Staff: Is your address still ___________?
Staff: Are you still with Blue Cross Blue Shield?
In this one conversation, overheard by everyone, information is revealed that is protected health information under HIPAA and that could be used for identity theft. This interaction is unnecessary and inappropriate. Patients should be spaced out so that their conversations with the reception staff cannot be overheard. In addition, the amount of information reviewed verbally should be minimized. Consider asking whether anything has changed, or ask the patient to review their private information on a computer screen to confirm its accuracy.
Patient charts in plain view
Pete Johnson is sitting in a room waiting for his physician. He sees another patient’s chart sitting on the desk in plain view. Then, as he is paying his bill at the receptionist’s desk after his visit, he sees additional charts in plain view that identify a patient’s name, address and other information without his even needing to open the chart.
Jennifer Cortez brings her daughter to a practice for a procedure and in the procedure room a large mounted screen identifies the scheduled procedures for the day: every patient’s full name and birthday, the time of the procedure, the assigned physician, and the service being provided. This is a blatant disclosure of protected health information.
Patient names and addresses are protected health information under HIPAA and should not be readily accessible or in plain view of other patients.
Protected health information and social media
An OB/GYN practice client ran into trouble when its receptionist recognized a woman from her neighborhood who came in for STD testing. The receptionist promptly posted a gleeful message on Facebook regarding the patient’s medical issue after tracking down the test results, and common acquaintances on Facebook became privy to this confidential information.
Improper access to patient information by office staff and dissemination of these details using social media are significant challenges that must be addressed.
Use these scenarios as part of your next group discussion
Since you’re reading this, you probably understand the importance of patient privacy and security and the consequences when violations occur. However, does your organization share your expertise? Consider sharing these scenarios in your next staff meeting or group discussion. This activity, together with annual training, will help your staff gain expertise and competency in HIPAA privacy and security, keeping your organization safe from violations and penalties.