A closer look at HIPAA: Part 2 -- Violations and their mitigation

Lindy Benton
Jun 8, 2015
2015 06 01 14 37 33 930 Benton Lindy 200

In her first column, Lindy Benton of healthcare information exchange company MEA/NEA discussed what the Health Insurance Portability and Accountability Act (HIPAA) is and how breaches of information might occur. In this column, she looks at 10 common violations and offers practical tips for your practice.

Diverse forms of protected health information are at risk, as indicated by respondents to the Ponemon Institute's 2014 benchmark study on patient privacy and data security. However, the following 10 common violations require that attention be paid.

10 common violations

Lindy Benton is the CEO of MEA|NEA.Lindy Benton is the CEO of MEA|NEA.
  • Failure to adhere to the authorization expiration date: Patients can set a date when their authorization expires. A violation would be releasing confidential records after that date.
  • Failure to promptly release information to patients: According to HIPAA, a patient has the right to receive electronic copies of medical records on demand.
  • Improper disposal of patient records: Shredding is necessary before disposing of patient's record.
  • Insider snooping: This refers to family members or co-workers looking into a person's medical records without authorization. This can be avoided with password protection, tracking systems, and clearance levels.
  • Missing patient signature: Any HIPAA forms without the patient's signature is invalid, so releasing information would be a violation.
  • Releasing information to an undesignated party: Only the exact person listed on the authorization form may receive patient information.
  • Releasing unauthorized health information: This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.
  • Releasing wrong patient's information: Through a careless mistake, someone releases information to the wrong patient. This sometimes happens when two patients have the same or similar name.
  • Right to revoke clause: Any forms a patient signs need to have a "right to revoke" clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA regulations.
  • Unprotected storage of private health information: A good example of this is a laptop that is stolen. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, flash drive, or any other mobile device.

Scenarios that violate HIPAA

Additionally, there are several scenarios that clearly violate HIPAA. Some of these scenarios can be quite simple and some should be common sense, but they can carry some heavy costs. For example, practice employees telling friends or relatives about patients in the practice or discussing protected health information in public areas, including the lobby of a facility, an elevator, or the cafeteria.

Practice leaders should be aware of a number of other scenarios, including the following:

  • Discussing private health information over the phone in a public area.
  • Not logging off a computer or a computer system that contains private health information.
  • HIPAA regulations for "minimum necessary": For example, a health insurance company might need information about the number of visits the customer had, but isn't allowed to view the entire patient history.
  • Including private health information in an email.
  • Releasing information about minors without the consent of a parent or guardian.
  • Leaving too much patient information over a phone message: A patient may give the practice approval to call, but practice leaders should be sure their staff does not leave a message disclosing too much patient information. A friend or family member could check your patient's message and hear things they shouldn't.

The real world

Let's take a look at a real-world example of a HIPAA violation. An Office of Civil Rights (OCR) investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker.

When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and also move medical alert stickers to the inside cover of the records. Further, the covered entity's privacy officer and other representatives met with the patient and apologized and followed the meeting with a written apology.

Keeping your practice compliant

Administratively, is everyone in your office trained in HIPAA compliance? Do you regulate who has access to sensitive information?

From a technical perspective, do you have an inventory of computers and devices that store protected health information? Do you use your smartphone or tablet to capture or store sensitive documents? Do you email patient information and records? Are the items discussed above encrypted for security protection?

When dealing with physical records, how are you storing or disposing of your paper files?

All these factors can affect your HIPAA liability.

Tips for mitigating HIPAA violation

Here are some tips to keep the HIPAA cops from coming after you or your practice:

  • Always use a cover sheet when faxing protected health information.
  • Email protected health information using secure, encrypted email only.
  • Assign different levels of security clearance to specific people. Role-based security prevents employees from accidentally changing or seeing information that does not pertain to their specific duties.
  • Never share passwords among staff members.
  • Properly dispose of information containing protected health information by shredding paper files.
  • Make sure computers have updated antivirus scanning software installed. This insures that your practice is reasonably guarded against malicious software.
  • It's important to make sure any vendors or other businesses associated with your practice are properly following HIPAA standards as well.
  • Always consult a HIPAA compliance attorney for any legal advice or questions concerning HIPAA. You can never be too careful.

Lindy Benton is the CEO of MEA|NEA, a provider of electronic attachment, health information exchange, and secure cloud storage solutions for dental and medical practices.

The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.

Latest in Dental Practice
Boy Panoramic Xray
Where kids have the best oral health may surprise you
April 17, 2024
We care about what you think.
Sponsored
We care about what you think.
November 9, 2023
Legal Scales
2 dentists, practices sued by U.S., state authorities
April 17, 2024
Lawsuit
2 dental hygiene professors sue Calif. college
April 16, 2024
Related Stories
2015 06 01 14 37 33 930 Benton Lindy 200
Dental Practice
5 simple tips to improve your practice's processes
2016 05 11 13 37 46 778 Wood Amy 200
Dental Practice
CDA Presents 2016: Could a security breach kill your practice?
2015 06 01 14 37 33 930 Benton Lindy 200
Insurance
Dropping claims and attachments to paper: What you need to know
We care about what you think.
Sponsor Content
We care about what you think.
More in Dental Practice
Where kids have the best oral health may surprise you
By Ava Barros
Massachusetts may be the U.S. state with the best children's health, but the District of Columbia was ranked No. 1 for pediatric dental health.
April 17, 2024
Boy Panoramic Xray
Podcast: 3 things to create team longevity in your dental practice
By Kevin Henry
In this episode that is the second in a six-part series focused on the hiring crisis in dentistry and what can be done about it, Dr. Roger P. Levin discusses the importance of maintaining staff longevity in dental practices.
April 17, 2024
Dr. Roger P. Levin.
2 dentists, practices sued by U.S., state authorities
By Melissa Busch
U.S. and state authorities recently filed a lawsuit against two dentists and their practices for allegedly engaging in a Medicaid kickback scheme.
April 17, 2024
Legal Scales
2 dental hygiene professors sue Calif. college
By Melissa Busch
Two professors at a college dental hygiene program in Califiornia have sued the school claiming they endured retaliation for filing a formal complaint about "severe and pervasive" racial discrimination.
April 16, 2024
Lawsuit
Podcast: Dental Lifeline Network's 1st 50 years and what comes next
By Kevin Henry
Kevin Henry interviewed Lynda Ricketson, the president and CEO of the Dental Lifeline Network, to discuss the organization's mission and its impact.
April 16, 2024
Lynda Ricketson, president and CEO of Dental Lifeline Network.
Zentist launches Cavi AR
By DrBicuspid.com staff writers
Zentist, a revenue cycle management software provider for U.S. dental service organizations, has introduced Cavi AR.
April 16, 2024
Patient Credit Card
Changing dental assisting laws, rules in U.S. states
By Melissa Busch
The Dental Assisting National Board's spring 2024 State of the States report reveals the latest legislative and regulatory changes.
April 15, 2024
Dental Assistant 2
Do's and don’ts for facing the competition
By Dr. Roger P. Levin
Competition in dentistry is formidable now. Dr. Roger P. Levin outlines the do's and don'ts of carving out a strong position among competing practices.
April 15, 2024
Levin Practice Success Resized Image Only
Ex-employee cops plea to embezzling $100K from dental practice
By Melissa Busch
A former employee at a dental practice accused of stealing $100,000 from her employer pleaded guilty.
April 12, 2024
Judge Gavel Court
Diving into a documentary about a dental hygienist's passion to help others
By Kevin Henry
Filmmaker Jim Tuttle and dental hygienist Amber Lombardi discussed "Filling the Gaps," a documentary about mobile dentistry in Maine and the people impacted by it.
April 12, 2024
From left to right, Kevin Henry, Jim Tuttle and Amber Lombardi, RDH
12M lost Medicaid after the COVID-19 emergency expired
By Ava Barros
In 2023, approximately 12 million adults and children lost dental coverage under Medicaid due to reevaluations following the end of the public health emergency declared during COVID-19, according to a report from the CareQuest Institute for Oral Health.
April 11, 2024
Boy Dentist
Dentist under investigation for role in fraud scheme
By Melissa Busch
A dentist is being investigated for his connection to an alleged multimillion-dollar scheme to defraud Medicaid.
April 11, 2024
Scales Of Justice2
Page 1 of 523
Next Page