Snooping on healthcare records is an obvious HIPAA violation, and one that every healthcare employee who has received HIPAA training should know breaches both their employer's policies and the HIPAA Rules. Other common HIPAA violations typically arise from misunderstandings about what HIPAA requires. Each of the violations below affects far fewer patients than the incidents described above, but they can still cause significant harm, both to the patients involved and to the employee's organization, and they can result in disciplinary action against the employee responsible, up to and including termination. Listed below are some of the HIPAA violations most commonly committed by employees. They should be covered in the HIPAA training given to employees to raise awareness of these frequent areas of noncompliance.
Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility
It can be difficult to complete every necessary task within working hours, and it is tempting to take work home. Removing protected health information from a healthcare facility places that information at risk of exposure. This is a common employee HIPAA violation, and in an understaffed facility it may even be routine practice. That does not make it acceptable. The same applies to emailing ePHI to a personal email account. Regardless of the intention, whether it is to get help with a spreadsheet, to complete work at home and get ahead for the next day, or to catch up on a backlog, it is a violation of the HIPAA Rules: the information leaves the organization's controlled systems for an account it cannot audit, secure, or wipe. Further, emailing ePHI to a personal email account could be treated as theft of the information, and the repercussions of that could be far more severe than termination of an employment contract.
Leaving Portable Electronic Devices and Paperwork Unattended
The HIPAA Security Rule requires ePHI to be safeguarded at all times, and the Privacy Rule requires reasonable safeguards for PHI in any form, including paper. If paperwork is left unattended it could be viewed by an unauthorized individual, whether a member of staff, a patient, or a visitor to the facility. Were that to happen it would be considered an impermissible disclosure of PHI. Electronic devices that contain ePHI must likewise be secured at all times. Portable devices are small and valuable, and an opportunistic thief could easily take an unattended one and gain access to the ePHI it holds. There have been many cases of employees removing unencrypted devices from healthcare facilities, only for the devices to be stolen from vehicles or homes. Theft can just as easily occur within a facility if devices are not secured. Note that the word "unencrypted" matters: under the HIPAA Breach Notification Rule, the loss of a device whose ePHI is encrypted in line with HHS guidance is not a reportable breach, because the data is unusable to the thief, whereas the loss of an unencrypted device generally is. Healthcare employees must follow their employer's policies and must not violate the HIPAA Rules by leaving devices or paperwork unattended.
Releasing Patient Information to an Unauthorized Individual
An authorization form must be obtained from a patient before any of their PHI is disclosed to a third party for a purpose other than one expressly permitted by the HIPAA Privacy Rule. Disclosing PHI for purposes other than treatment, payment for healthcare, or healthcare operations (and a limited set of other permitted cases) is a HIPAA violation if the patient has not authorized it in advance. Before disclosing PHI to a third party, healthcare employees must confirm that a valid authorization has been obtained from the patient and must not disclose the information to any individual or company not named on the authorization form. An authorization form is only valid if it has been signed and dated by the patient or the patient's personal representative.
Releasing Patient Information Without Authorization
In a similar vein to the previous point, healthcare employees must also exercise caution about the types of information released to third parties, even when an authorization form has been received permitting a specific individual, company, or organization to receive PHI. A valid authorization form must describe the information to be released in a specific and meaningful way. Any information not described on the authorization form must remain private and confidential and must not be shared. Disclosing additional information beyond what the form covers violates the HIPAA Privacy Rule.