Common HIPAA Violations by Employees

Disclosures of PHI to Third Parties After the Expiry of an Authorization

All HIPAA authorization forms must include the names or classes of individuals who are being authorized to receive PHI, the types of PHI that will be disclosed, and the reasons for the disclosures. They must also include an expiry date for the authorization. PHI must not be disclosed to any individual listed on the authorization form after the expiry date has passed, even if authorization has previously been given to that entity to receive PHI. A new authorization form is required before any further disclosure takes place. It should also be noted that an authorization form without an expiry date is not HIPAA compliant.

Impermissible Disclosures of Patient Health Records

The HIPAA Privacy Rule permits patients to obtain a copy of their health records on request or have their records provided to a nominated third party such as a personal representative or other individual. If not collected in person by the patient, the third party must have been given authorization by the patient, on a HIPAA authorization form, to receive the records before they can be released. Prior to providing copies of patient health records, healthcare employees must verify the identity of the patient or the person collecting the records and must ensure records are only released to an individual authorized to receive them. Care must also be taken to ensure that the correct patient’s records are released.
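The two sections above describe the same pre-release decision from two angles: an authorization is only valid if it names the recipient, covers the PHI type, and has not expired, and the employee must verify identity and release the correct patient's records. The following is an added example, not code from the original page, that encodes those checks as a single gate in front of a records release. The dataclass names, field names and sample authorization are constructed for illustration and are not drawn from any real system.

```python
"""Pre-release check for patient record disclosures (added illustration).

Assumptions (not from the page): an Authorization record holds the fields a
HIPAA authorization form must carry, and a ReleaseRequest describes who is
asking for which records on which date.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    patient_id: str
    recipients: FrozenSet[str]   # names or classes authorized to receive PHI
    phi_types: FrozenSet[str]    # categories of PHI that may be disclosed
    purpose: str                 # stated reason for the disclosure
    expires: Optional[date]      # None models a form with no expiry date


@dataclass(frozen=True)
class ReleaseRequest:
    patient_id: str              # whose records are being released
    requested_by: str            # patient, or the third party collecting
    recipient: str               # named recipient of the records
    recipient_class: Optional[str]  # e.g. a class named on the form
    phi_type: str
    identity_verified: bool      # employee has checked the collector's ID
    on: date                     # date of the release


def check_release(req: ReleaseRequest, auth: Optional[Authorization]) -> Tuple[bool, str]:
    """Return (permitted, reason). Every denial names the rule that failed."""
    # Identity is verified before anything else is considered.
    if not req.identity_verified:
        return (False, "identity of collector not verified")
    # A patient collecting their own records in person needs no authorization.
    if req.requested_by == req.patient_id and req.recipient == req.patient_id:
        return (True, "patient collecting own records")
    if auth is None:
        return (False, "no authorization on file for this release")
    # Guard against releasing the wrong patient's records.
    if auth.patient_id != req.patient_id:
        return (False, "authorization is for a different patient")
    # A form with no expiry date is not HIPAA compliant and cannot be relied on.
    if auth.expires is None:
        return (False, "authorization has no expiry date; not HIPAA compliant")
    if req.on > auth.expires:
        return (False, "authorization expired; new form required")
    # Recipient must be named, either individually or by class, on the form.
    named = req.recipient in auth.recipients
    by_class = req.recipient_class is not None and req.recipient_class in auth.recipients
    if not (named or by_class):
        return (False, "recipient not listed on authorization")
    if req.phi_type not in auth.phi_types:
        return (False, "PHI type not covered by authorization")
    return (True, "release permitted")


# Constructed sample authorization used by the demo below.
SAMPLE_AUTH = Authorization(
    patient_id="P-1001",
    recipients=frozenset({"Dr. A. Patel", "patient's attorney"}),
    phi_types=frozenset({"lab results", "imaging"}),
    purpose="continuity of care",
    expires=date(2024, 6, 30),
)


def make_request(on: date, recipient: str = "Dr. A. Patel",
                 phi_type: str = "lab results", verified: bool = True) -> ReleaseRequest:
    """Helper to build a third-party request against SAMPLE_AUTH."""
    return ReleaseRequest(patient_id="P-1001", requested_by=recipient, recipient=recipient,
                          recipient_class=None, phi_type=phi_type,
                          identity_verified=verified, on=on)


if __name__ == "__main__":
    for req in (make_request(date(2024, 5, 1)),
                make_request(date(2024, 7, 1)),
                make_request(date(2024, 5, 1), recipient="Unknown Clinic"),
                make_request(date(2024, 5, 1), verified=False)):
        print(req.on, req.recipient, check_release(req, SAMPLE_AUTH))
```

The order of the checks matters: identity and patient match are evaluated before the form's contents, so a denial for an expired or mismatched authorization is never reached with an unverified collector, and the reason string can be written straight into the release log.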

Downloading PHI onto Unauthorized Devices

It can be difficult for healthcare IT departments to keep track of all devices that connect to the network, given how many different devices have network access. Ensuring those devices are secured can be an even bigger problem, yet this is a requirement for HIPAA compliance. Employees need to be aware that there are privacy and security risks associated with downloading ePHI to unauthorized portable electronic devices. Not only does this increase the risk of an accidental disclosure of ePHI – in the event that the device is lost or stolen – it could also be viewed as theft and a HIPAA violation.

Providing Unauthorized Access to Medical Records

It is the responsibility of the covered entity to ensure that access to patient health information and medical records is only given to authorized individuals. This is achieved by implementing access controls via unique logins. Employees have a responsibility to ensure that they do not give access to health information to co-workers who may not have the same access rights. Sharing login credentials could not only result in an impermissible disclosure of ePHI; any actions taken by the co-worker would also be attributed to the individual whose login credentials were used to gain access.
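Because every action is attributed to the account that performed it, a shared login shows up in the audit trail as one user active from two places at once. The following is an added example, not from the original page, of a simple detection over authentication audit records: it flags a login for a user who already has an open session from a different host. The log line format, field names and sample entries are constructed for illustration and do not correspond to any particular product.

```python
"""Detect concurrent logins for one account from different hosts (added
illustration). Assumed log format, constructed for this example:
    <ISO-8601 UTC timestamp> user=<id> host=<hostname> event=login|logout
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>login|logout)$"
)

# Constructed sample audit log. jsmith logs in from a second workstation while
# the first session is still open; rlee logs out before moving to a new host.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z user=jsmith host=ws-12 event=login
2024-03-04T09:05:40Z user=rlee host=ws-07 event=login
2024-03-04T09:11:03Z user=jsmith host=ws-31 event=login
2024-03-04T09:40:00Z user=jsmith host=ws-12 event=logout
2024-03-04T10:02:15Z user=rlee host=ws-07 event=logout
2024-03-04T10:05:00Z user=rlee host=ws-19 event=login
"""

Finding = Tuple[str, str, List[str], datetime]   # user, new host, other active hosts, time


def find_concurrent_logins(log_text: str) -> List[Finding]:
    """Walk the log in order, tracking open sessions per user by host.

    A login while the same user has an open session on another host is
    reported; a login from the same host (re-authentication) is not.
    """
    active: Dict[str, Dict[str, datetime]] = {}   # user -> {host: login time}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, host, event = m["user"], m["host"], m["event"]
        sessions = active.setdefault(user, {})
        if event == "login":
            others = sorted(h for h in sessions if h != host)
            if others:
                findings.append((user, host, others, ts))
            sessions[host] = ts
        else:
            sessions.pop(host, None)
    return findings


if __name__ == "__main__":
    for user, host, others, ts in find_concurrent_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: new session from {host} while active on {', '.join(others)}")
```

This is a heuristic, not proof of credential sharing: a user with a legitimate reason to hold two sessions will also trip it, and a session that ends without a logout record stays "open" until the next logout for that host. Treat a hit as a reason to review the access log for that account, and pair it with the control the text describes, namely a unique login per employee so that attribution is meaningful in the first place.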

Bringing Personal Devices to Work