
This year, the federal government plans to begin audits to ensure compliance with privacy and security provisions under the Health Insurance Portability and Accountability Act (HIPAA).

The audits signal a shift to proactive enforcement of HIPAA rules, in contrast to the past, when the feds typically reacted to complaints of alleged breaches.

If you are a healthcare provider, your greatest threat is more likely to be carelessness or neglect than the elaborate schemes of hackers. In recent years, the top two issues in the most serious HIPAA investigations related to:

  1. Impermissible uses and disclosures of patient information
  2. Inadequate safeguards

 

Lapses in judgment

Often, violations come down to basic lapses in judgment, such as leaving computers containing patient information in unlocked rooms.

Here are a few examples, illustrating the type of routine behaviors that lead to investigations:

  • In one case involving the Indiana-based Parkview Health System, a physician complained that as she was transitioning to retirement, Parkview employees left 71 cardboard boxes of patient health records unattended in her driveway in a high-traffic area. Parkview settled the case for $800,000.
  • In another case, Lahey Hospital and Medical Center, affiliated with Tufts Medical School, settled potential violations for $850,000 after a laptop was stolen from an unlocked treatment room. The feds reported evidence of widespread non-compliance with the HIPAA rules, including failure to conduct thorough risk assessments.

Aside from these more high-profile cases, several lesser cases illustrate the everyday situations that spark investigations and lead to corrective action plans. Consider:

  • A mental health center failed to provide a notice of privacy practices to a father or his minor daughter, who was a patient at the center.
  • A private practice failed to provide a patient access to his medical records.
  • After treating a patient injured in a sporting accident, a hospital released the patient’s skull x-ray and other detailed information to a local newspaper. The hospital argued it acted in the public interest, but the feds said the disclosures did not meet the appropriate standard.
  • A staff member of a medical practice discussed HIV testing procedures with a patient in a waiting room, and by doing so, disclosed protected health information to others in the room. At this same practice, computer screens displaying patient information were easily visible to patients.

The lesson: Tend to the details and create a culture that values the protection of patient privacy. It’s a mindset more than anything. The idea of patient information in open view on a computer screen, or on paper, should be as unthinkable as leaving the office doors wide open overnight.

After a recent workshop presentation, a woman asked me to explain the difference between security and privacy. In a medical practice, security relates to keeping patient records in locked rooms, for example, or contingency plans in the event of a natural disaster or power outage.

 

Security and privacy are inter-related

Security and privacy are inter-related, but privacy is more personal. In an environment where privacy is respected, no one would imagine chatting up HIV testing procedures in a waiting room where others could hear.

Of course, protect against hackers and other potential assaults from the outside. But look carefully around your workplace, and think hard about the real threats that result from lax procedures. If someone walking by a workstation can glimpse the protected health information of a patient, privacy has been violated. Worse yet, what’s to prevent that person from sharing this newfound information on social media? Nothing, and if that happens, expect the HIPAA police.

2 COMMENTS

  1. I have an atty after being involved in an accident caused by a semi hauling a log trailer who hit from the rear. They happen to have less insurance than I do on my Toyota Yaris. The state of TN has limit laws of 1 million – 3 million depending on the weight of the semi. I was told they were self bonded many times so the atty firm went after my insurance for uninsured motorist. Come to find out they were never uninsured but under insured. They sued my insurance company knowing this but never disclosing the truth. The driver of the Peterbilt admitted to fault and got the ticket. The trucking company in TN doesn’t have to disclose their limits although they are self bonded and millionaires at that with plenty of assets. The attys involved had me sign medical releases but leaving them undated and they were given to my insurance company’s atty so he could get my medical records. I never gave them permission to allow my own insurance to go after me as the villain when I’m certainly a victim living with chronic pain issues from two herniated cervical disc and a possible spinal cord injury revealed. This has been ongoing for over 6 years now creating a lot of hardship for me and my family. Isn’t it against HIPAA law for my atty to have me sign releases then give them to my auto insurance atty allowing them to take the lead to save my attorney from paying the fees to order my medical records? I’ve been a loyal member of TN Farm Bureau paying premiums for over 23 yrs. Also suing them for non insured while telling me the trucking company was more than likely self bonded with a high deductible. We all know there are no deductibles if self bonded millionaires. I have photos of the property and them using a non existing address, I was told this when I called the tax/property assessors office, of course doing my attorneys job to save them time and money while expecting 1/3.
My insurance shouldn’t be involved and because so and after depositions I’ve had to pay for with other expenses, my personal insurance has caused delay after delay although we went through mediation which was a joke compared to my medical bills. I feel they may’ve very well broke HIPAA laws by having me sign releases then giving them to my insurance who’s worked against me and on the defendant/guilty party’s side. It’s impossible to believe this king sleeper 2000 long nose Peterbilt has 25k less coverage than me on my Toyota Yaris and drives these semis up and down state highways and interstates. I was hit on a state highway. Please assist if this is breaking the law. I need this to end once and for all and stop them from breaking laws at my expense causing delays when my insurance shouldn’t be involved at all. They are self bonded and I’ve given my atty the bonding motorist aids name. They are Mennonites by the way who skirt the laws paying no taxes who have an atty representing them but my own auto insurance has stuck themselves in deep where they don’t belong. He’s gotten many of my medical records to review which I never signed a release for them to have my medicals nor sue my insurance. There’s something that smells rotten involving my case. I have been requesting my right to a speedy trial but it hasn’t been honored. Who can I contact to have an investigation done on the trucking company to shut them down until they for not meeting state law limit requirements amultilingual I get my day in court knowing my records were released to my insurance whom I never gave permission for them to have to terrorize me at depositions as I’m the villain and the trucking company hasn’t paid a dime. I believe more unlawful justice is happening in my situation unfortunately by greed and payoffs. Please help!
    Despite for justice

  2. Yes, the government is going to further interject itself into our lives and expand its control. They will continue to regulate, create more useless government jobs and tax, tax, tax.
    The Office of Personnel Management has recently informed me that persons unknown had stolen all of my personal information from them. This includes not only all of my personal info but the information on others who are related to me or provided reference information for me!
    The Federal Government is full of incompetent, useless layers of bureaucratic misfits who burden working people with their hubris. They are so far behind in technical expertise that they will never be able to accomplish anything effectively.
