Tips to Avoid HIPAA Violations
HIPAA can be a scary subject for conversation-- and for good reason. Violations (as in, the sharing of Patient Health Information, or PHI) can carry stiff fines. Let's explore some simple things you can do to minimize your risk of running afoul of HIPAA and staying compliant.
Stolen Laptop, Tablet, Phone, USB Flash Drive, etc.
With devices getting smaller and smaller, it's easier every day to forget a phone or USB drive in a taxi, at a restaurant, or worse: have it stolen from your office or home. And if that device had any PHI on it (which is any data which can personally identify a patient), this constitutes a "breach" and is a violation of HIPAA.
The safest method to make sure this isn't you one day is to never download PHI data to any device or local storage. And if you absolutely have to, then make sure it is encrypted. Most devices, including laptops and cellphones (and some USB drives) have built-in encryption options for this very purpose. And of course, BHC Portal stores all PHI data in an encrypted format (and off your device).
Sharing Usernames & Passwords
It is a legal requirement of HIPAA that all staff members who access PHI must do so with a unique username and password. This is according to the HIPAA Security Rule. You should never re-use a username, or let multiple staff members log in under the same account. This creates a risk that, if PHI is indeed exposed, you will be unable to track who was responsible, which is itself another possible violation of HIPAA.
Insecure Storage (or Destruction) of Records
A Colorado pharmacy had to pay a settlement of over $125,000, after it was discovered they had thrown out an unlocked container of documents which contained patient information in a publicly accessible trash can.
This shows just how essential the storage and disposal of such records are. Disposal should always take the form of something non-retrievable. That may mean shredding paper documents and physical destruction of hard drives (simply deleting a file does not actually remove it from your computer!)
Of course, these are just a handful of tips, and not meant to be an exhaustive list. For more information on HIPAA compliance, you may wish to check out some of the documentation at HealthIT.gov. In general, most of HIPAA's requirements are good best-practices for any type of record-keeping. And, using a HIPAA-compliant EMR/EHR system like BHC Portal takes care of much of the guess work.
* The content of this post is not to be taken as legal advice and may not account for all rules and regulations in every jurisdiction. For legal advice, please contact an attorney.