The healthcare industry is fast-changing, especially since Covid-19 prompted the world to rely more on technology for communication. More and more physicians are using and seeing the benefits of telehealth. Offices across the nation are implementing the use of video conferencing systems in lieu of in-office appointments and the benefits and advantages for both physicians and patients are endless.
Although telehealth and video conferencing systems have turned into a necessary way of practice for many people, physicians must be vigilant and ensure that they are consistently staying HIPAA-compliant even through telehealth.
Since telehealth has seen a rise in popularity and use, healthcare now exists within a new context—technology. The heavy use of technology in order to do business and communicate must also stay HIPAA-compliant and actively avoid HIPAA violations. The consequences of HIPAA violations are great, often ending up costing practices millions in terms of financial penalties.
Here are 10 common HIPAA violations to avoid:
- Lost of devices or use of unprotected devices
Since telehealth’s most common way of communication is through devices like desktops, laptops, and even high-performing tablets, physicians and healthcare providers must ensure that they do not leave these devices unattended to ensure they do not lose these devices or have them get stolen. Unfortunately, lost or stolen devices are HIPAA violations so stay vigilant about where your devices are and properly close or shut them down before leaving them unattended.
- Failure to use encryption to protect ePHI
Telehealth means a heavy reliance on technology like video conferencing systems. The first thing that you have to make sure you are doing is you are encrypting data and this leads to the appropriate protection of ePHI. Take security measures to ensure that electronic patient information is safeguarded properly.
- Unauthorized disclosure of PHI and ePHI
Physicians should ensure that they do not ever disclose patient information, both physical and electronic forms, without proper authorization. Besides from dependents, physicians should not disclose information like results and records to other family members without proper permission. In a virtual setting, physicians should make sure that patients know they will be discussing sensitive information before disclosing information just in case patients want to ensure it stays private from others.
- Unauthorized verbal circulation of patient information
Unauthorized verbal circulation of patient information means gossiping and speaking about a patient’s situation in a casual setting with clear authorization from them. Restrain from speaking about patient information and gossiping about it. Especially since telehealth is most likely conducted at home, physicians should ensure that they are in a place where others can’t easily listen in on appointments by accident.
- Lack of employee training
With a new medium of communication, staying HIPAA compliant is more important than ever. One of the easiest and most important things that your office can do to ensure that you do not accidentally violate any HIPAA rules is to ensure that there is proper employee training in place. Make sure that your employees are trained and knowledgable in HIPAA rules and regulations to easily avoid trouble and mistakes and having mandatory employee training helps reduce HIPAA violations at the workplace and through telehealth communication.
- Circulation of the wrong patient information
Being remote and using telehealth video conferencing systems leave room for more careless mistakes. One of them is circulating the wrong patient information. Avoid these mistakes by double-checking you are sending the correct patient information and records to the correct patient. Patient information is sensitive and must always stay confidential and protected by the appropriate people involved.
- Lack of HIPAA-compliant Business Associate Agreement (BAA)
Failure to enter into a HIPAA-compliant Business Associate Agreement (BAA) is an immediate HIPAA violation and one of the most common. If any vendor or third party is given access to sensitive PHI and ePHI, a signed BAA must exist between the physician’s office and the third party.
- Failure to prevent hacking and data breaches
The heavy reliance on telehealth means the heavy use of technology like video conferencing systems. Since telehealth information is communicated through technology, there is a higher risk of hacking and data breaches and unfortunately, these are common HIPAA violations. So make sure that the video conferencing system your office or business is using is HIPAA compliant, has proper encryption, and antivirus software.
- Incorrect disposal of patient records
The incorrect disposal of patient records is also a common HIPAA violation. To avoid the incorrect disposal of PHIs and ePHIs, first, make sure that your employees are trained and know the HIPAA regulations regarding the proper disposal of patient records. They should be properly physically shredded or electronically wiped from the hard drive.
- Exceeding the 60-Day deadline for issuing breach notifications
In the case of a data and systems breach, physicians and any healthcare producers must properly notify the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days. The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches in the wake of a data breach.