HIPAA: Everyone’s Responsibility

April 2018

In 2017, a medical employee was fired after she violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by posting about a patient on Facebook. The 24-year-old medical technician commented on a post about a patient killed in a car accident by saying, “Should have worn her seat belt…”

In 2016, a cardiology group of five physicians paid a $100,000 HIPAA settlement because they posted surgical and clinical appointments on a public, internet-accessible calendar.

A cardiac monitoring vendor had to pay a $2.5 million settlement after a laptop containing hundreds of medical records was stolen from a parked car.

An HIV-positive patient asked an office manager to fax his medical records to his new urologist. Instead, the office manager accidentally faxed them to his new employer. Even though the manager and urologist apologized to the patient, it still resulted in a HIPAA violation and a mandate for regular training for all the employees.

A staff member talked with a resident about procedures for medical testing in a waiting room, thereby disclosing Protected Health Information (PHI) to others in the vicinity. The waiting room’s setup also allowed others to see PHI on employee computer screens. After an Office for Civil Rights (OCR) investigation, staff were required to take regular HIPAA trainings and computer monitors were re-positioned.

HIPAA is now the highest compliance officer priority, according to the ninth annual Healthcare Compliance Benchmark Survey, conducted by SAI Global and Strategic Management Services. HIPAA is not only the responsibility of compliance officers. Everyone in a facility is responsible for resident confidentiality.

PHI includes demographic information that identifies an individual and:

– Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse

– Relates to the past, present, or future physical or mental health or condition of an individual

– Describes the past, present, or future payment for the provision of health care to an individual

Who has to follow HIPAA?

Anyone who:

• Works directly with residents

• Sees, uses, or shares PHI as a part of their job

• Accesses any facility systems, records, tools, and information that may contain PHI

There are many possible PHI identifiers, including name; full face photo; finger or voice print; telephone number; address; email; social security, medical record, insurance, and account numbers; device ID/serial number; certificate/license number; and any unique identifying number, characteristic, or code. PHI can be found in medical records, information systems, billing information and receipts, test results, X-rays, labels on IV bags, menus, mobile devices, and conversations.

Printed materials containing PHI identifiers should not be left lying about or discarded in the trash. They need to be filed away safely and, if no longer needed, shredded or put in special locked recycling containers.

To further safeguard resident privacy and comply with HIPAA requirements, employees should:

  • Only use/access the minimum necessary information to perform their jobs
  • Never look at a resident’s record out of curiosity
  • Double check names, phone numbers, and email addresses before sending PHI by fax or email
  • Log out of their computers if they must leave their workstation
  • Not gossip about residents to friends, family, or coworkers, and restrict essential conversations about residents to private places
  • Not post resident photos on social media
  • Keep medical records locked away and safely out of the public’s view

The privacy and security of PHI should be a priority for everyone in a facility.

For more information, go to https://www.hhs.gov/hipaa/index.html.