Common HIPAA Violations by Employees

Snooping on healthcare records is a fairly obvious HIPAA violation, and one that all healthcare employees who have received HIPAA training should know is a violation of their employer’s policies and HIPAA Rules. Other common HIPAA violations often come about as a result of misunderstandings about HIPAA requirements. While each of these common HIPAA violations affects far fewer patients than the violations above, they can still cause a significant amount of harm, both to the patient(s) involved and to the employer. They can also result in disciplinary action against the employee responsible, including termination. Listed below are some of the common HIPAA violations committed by employees. These common HIPAA violations should be covered as part of the HIPAA training given to employees to raise awareness of these frequent areas of noncompliance.

Emailing ePHI to Personal Email Accounts and Removing PHI from a Healthcare Facility

It can be difficult to find the time to complete all the necessary tasks within working hours, and it can be tempting to take work home to complete. Removing protected health information from a healthcare facility places that information at risk of exposure. This is a common employee HIPAA violation and may even be routine practice at a healthcare facility that is understaffed. That does not mean it is an acceptable practice. The same applies to emailing ePHI to personal email accounts. Regardless of the intentions, whether it is to get help with spreadsheets, to complete work at home to get ahead for the next day, or to catch up on a backlog, it is a violation of HIPAA Rules. Further, any emailing of ePHI to a personal email account could be considered theft, the repercussions of which could be far more severe than termination of an employment contract.

Leaving Portable Electronic Devices and Paperwork Unattended

The HIPAA Security Rule requires PHI and ePHI to be secured at all times. If paperwork is left unattended it could be viewed by an unauthorized individual, be that a member of staff, a patient, or a visitor to the healthcare facility. Were that to happen, it would be considered an impermissible disclosure of PHI. Electronic devices that contain ePHI must similarly be secured at all times. Electronic devices are portable and valuable, and opportunistic thieves could easily steal an unattended device and gain access to the ePHI on it. There have been many cases of employees removing unencrypted devices from healthcare facilities, only for them to be stolen from vehicles or homes. Theft can also easily occur within a facility if devices are not secured. Healthcare employees must ensure that their employer’s policies are followed, and that HIPAA Rules are not violated by leaving devices and paperwork unattended.