When it comes to HIPAA compliance (i.e., adherence to regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed on the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.
The rise of mobile technology and electronic medical records have left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.
To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:
#1: Limit Information Shared in Mobile Messages
In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.
To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.
If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.
#2: Be Cautious of Open Text Fields
A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.
Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.
To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.
#3: Evaluate Facility Advertisements
Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.
If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.
To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.
#4: Avoid Use of Patient Names
This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.
For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.