Could HIPAA Ignorance Cost You Your Medical Practice FB

Could HIPAA Ignorance Cost You Your Medical Practice?

HIPAA (Health Insurance Portability and Accountability Act) went into effect over 20 years ago (1996) but with all the news and attention it has gotten recently you would think it is a brand-new act.

In short, HIPAA is designed to protect patient confidentiality and privacy.  The primary goal is to not allow patient information to be released without their prior knowledge.

Seems simple enough, right?

WRONG.  There are numerous ways for PHI (Protected Health Information) to accidentally or intentionally fall into the wrong hands.

What’s worse is even an accidental HIPAA violation can cost you tens of thousands of dollars, loss of license or loss of your practice.  It can even cost you jail time.

Not only is the medical practice responsible to ensure HIPAA best practices are followed but any vendors/business associates the medical office works with are also required to follow best practices (IT, Accountant, etc.…).

It makes sense.  Would you want your medical records to be seen by other people?  Would you be OK if a bookkeeper was able to see your medical records?

The truth is there are a lot of opportunities as it relates to HIPAA and HITECH in medical and dental offices.

HIPAA Compliance for Medical OfficesI have personally visited doctors, dentists and other practices that have glaring opportunities.  Here are a few things that I have witnessed:

  • Laptop or Tablet left unlocked in the same room as a patient while the doctor or nurse steps out.
  • Printed forms with diagnosis and/or prescriptions left in high traffic, high visibility areas.
  • Medical Office calendar viewable and showing patient names and appointment times.
  • Lackadaisical office administration allowing potential access to patient information.
  • Conversations (overheard by others) at the reception area between a patient and the office staff that included name, address, and insurance info, as well as why they were visiting the doctor.
  • Sign in sheets with names and reason for visit left at the reception window.
  • Open wireless networks with doctor’s laptops/tablets connected to them (in one of the world’s most well-known hospital).

These are just a few examples that I can recall, all within the last year.

Less scrupulous people may have taken advantage of these very real scenarios.

Not to Worry.  There Are Solutions.

9 Steps to Decrease Your Medical Office Risk Exposure.

  1. Education – tell me if you’ve heard this one before, on this website! It’s worth repeating.  Education is probably the biggest component of any successful plan, especially one that involves critical/sensitive information.  It’s very important to educate your employees and business associates on HIPAA, HITECH, and PHI.
  2. Disable USB Drives – Not allowing USB drives protects you in several ways. First, it is easy to connect a smartphone or tablet to a computer through USB and copy data to that device. Second, connecting a USB drive with a key logger or some other software that is capable of copying files only takes a few seconds. Another exploit used by would-be hackers is to leave a USB drive with malicious software somewhere an employee might pick it up and connect it to their computer.  This could then autorun a program that will steal data. 
  3. Lock All Computers When Not in Use – This one is a little easier to accomplish but is so often overlooked. Set a policy to lock your computers when the user is not at the computer.  Also, set it to automatically lock after a short period of inactivity. Some employees and business associates might find this annoying but it’s certainly better than the alternatives. Imagine this scenario: An employee leaves their desk for lunch but fails to lock their computer.  Your medical practice has not set up any policies with employees or on the computer.  Another employee wants to get information about a patient and sees an opportunity.  They use the first employee’s computer to get the information they want.  Now it looks like the first employee is the one who accessed this information. You now have a HIPAA violation for which you can be fined $50,000 and possible jail time. 
  4. Protective Screens – They make protective screens that you can put over your monitors. These screens make it almost impossible for someone to shoulder surf. 
  5. Quiet Area for Sensitive Conversations – I am always amused when I see the separate window for private conversations at the pharmacy. They’re always right next to all the other windows and the waiting area…not very private. The reception area at many doctor’s offices is similar.  They are in the waiting area where anyone listening can eavesdrop and pick up sensitive information about a patient. 
  6. Avoid Paper Whenever Possible – We live in a digital world. There’s almost no reason to give sensitive patient information on paper.  Records can be transmitted electronically if needed.  Prescriptions can be transmitted electronically.  There are even apps that allow patients to get their medical information.  Why are medical offices still printing this information? 
  7. Managed IT and Managed Anti-Virus – If an IT (MSP) is monitoring your servers, workstations and other technology it’s easier to identify unauthorized activity. Remote management and monitoring mean access is controlled and monitored, patching and software updates are performed as needed, content can be blocked, uploading can be prevented, installation of software can be controlled, etc…If the same IT support team is also managing your medical practices anti-virus software and processes as well as proactively protecting against phishing and SPAM your risk decreases significantly. 
  8. Regular HIPAA/HITECH Compliance Checks – If this isn’t already happening then it needs to take place immediately. There’s simply no way to know what risks are present unless you’re checking.  It should be a regular practice to perform a HIPAA/HITECH Compliance check at least once per year. 
  9. Security Audit – Along with the HIPAA Compliance Check you should do a security check of the physical building as well as the technology/network. Check for vulnerabilities and address them as they’re needed to prevent the vulnerabilities from being exploited.

Medical Office ITYour reputation as a medical provider (or business associate) can be destroyed in the blink of an eye.  The financial and legal repercussions can damage your business and personal life beyond repair.  It’s enough to make some medical personnel and business associates think twice about getting into the medical industry.

It’s also enough to scare off any business associate who does not take their business seriously.  Make sure any vendor or business associate with you understands HIPAA and HITECH and does not take it lightly.

If you would like to schedule a free HIPAA Compliance Check call us at 888.665.4111 or fill out this form and we will schedule some time with you and your medical practice.

Could HIPAA Ignorance Cost You Your Medical Practice

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Join the discussion 24 Comments

  • Amber Myers says:

    Yikes, I hope all the medical people follow this. I always worry about staying safe when I see a doctor. And I want my info safe. I’ve gotten alerts saying that there MIGHT have been a breech and my info has been released, which is annoying.

  • Alexandra says:

    Certainly a great post – I hope that the medical professionals I use are following the necessary procedures and legalities.

  • Brittany says:

    It’s so important to secure patient information and ensure that patients trust your medical care practice. HIPPA compliance is important.

  • Terri Beavers says:

    This is a great post. I have always felt the same way about the points brought up in this article. The “privacy” windows are right next to the waiting area, this not private at all. Or the pole that says ‘wait here for customer privacy’, is like 5 feet from the window. Maybe they will do something about this to truly give the customer their privacy.

  • Jill Nunn says:

    Wow! lost of great information I had no clue about most of this! When we visit the doctor we like to think we are protected with our information but this makes me question that.

  • Joan says:

    These are all true my husband is a doctor and all these rules are followed thoroughly.

  • Tara Pittman says:

    I never thought about this. I sure hope that my doctors are following these rules.

  • Natalia says:

    To be honest I’ve never been thinking of the possible risks related to this topic. Thanks to this article I’ll be more aware of the possible problems and some efficient ways to avoid them. 🙂

  • OMG! Reading this made me nervous. But you’re absolutely right. As a patient, I must thank you for all the provided info.

  • Heather says:

    That is very interesting. I don’t have a medical practice, but I’m sure those that do would benefit from reading this.

  • Nabanita says:

    I don’t know if this is strictly followed. I hope so it is because a patient trusts the doctor with most personal details at times.

  • What an interesting post. I’ve visited some doctors that put their calendars on the table or wall with patient names and appointment times on it, but I thought it was “common”. I hope every doctor, nurse, and other medical professionals would read and apply this.

  • Gladys Nava says:

    Wow! I love reading this blog post! They have a love of information that we need to know! And I am really glad to know these all from you. Thanks for sharing your knowledge!

  • Just when you thought that the biggest worry about attending the doctor’s office is picking up something contagious, think again. You now have the added worry of your personal data getting into the wrong hands. I guess that comes with life.

  • Medical practitioners really have to be very careful before they lose their whole career to mistakes. Above all, education is very important!

  • Joanna says:

    I actually never thought about all of this, from the point of a view of a patient. But now that you mentioned them, I have seen unlocked computers or WiFi networks in hospitals and health clinics.

  • Monidipa Dutta says:

    Like the HIPAA civil penalties, there are different levels of severity for criminal violations. The minimum penalty is $50,000 and up to one year in jail. Violations committed under false pretenses require a penalty of $100,000 and up to five years in prison

  • What an interesting article about some of the inner workings of the medical field. My husband is a doctor, so I always love learning about this kind of stuff from him.

  • Becca Wilson says:

    Making sure that doctor’s offices are following this practice is so important. This is such a great reminder that it could cost you.

  • Sigrid Says says:

    Oh no! That would be too sad if that happens. Doctors work and study hard to get where they are and they can be removed because of a technicality?

  • Charli Bruce says:

    I have a neurological condition that makes me very sick, I lose my eyesight, have stroke-like symptoms and can be in severe pain for days on end so spend a lot of time in doctors offices or the hospital. I definitely hope all the medical professionals I use are sticking to rules accordingly.

  • Right on, some great information here!

  • Such an interesting post!

Leave a Reply