While there are many, many reasons to make sure your practice is HIPAA compliant, it’s safe to assume that the fear of being subjected to fines and lawsuits tops just about everyone’s list. Much of what is expected of healthcare practices and clinics under HIPAA revolves around securing PHI from external threats and data breaches, but it can often be overlooked internal factors that pose an even bigger risk.
The OCR has already begun leveling fines at non-compliant Covered Entities and Business Associates for a variety of violations. One such penalty to the tune of $25,000 was handed down to a physical therapy provider in February of last year. Complete P.T., Pool & Land Physical Therapy, Inc. was found to have released PHI without proper patient authorization. In addition to the fine, they were also told to create and implement a corrective action plan, and report regularly on their efforts for one year.
What caused this data breach? A client testimonial posted to the clinic’s website. If that was not the answer you were expecting, you’re not alone. With so much focus on secure storage, access, and transmission of PHI, it’s easy to overlook small but critical elements of your internal staff policies and protocols that can cause severe damage.
In the case of Complete P.T., their employees failed to get express authorization from clients before posting their full names and photos to the website. By effectively “outing” them as patients at the clinic, Complete P.T. was in violation of the HIPAA Privacy Rule. Things like the website and social media content need to be given the same amount of thought and treated with the same care as any other type of information or communication.
Situations like this is what makes staff training such a vital part of HIPAA compliance. Your employees need to be acutely aware of every part of HIPAA regulations and requirements and be thoroughly educated on the proper way to handle and share PHI. Even something as seemingly innocuous as a testimonial requires documentation.
Your practice needs to have policies in place to obtain authorization from individual patients to be able to use any personally identifying information – especially when that information will be viewable to the public online. An acceptable solution would be a form that:
- Is written in plain, easy to understand terms
- Clearly outline what you are asking them to give permission for
- Explains that they can revoke their consent at any time
This is something to keep in mind while creating or updating your practice’s Policies and Procedures, especially when you’re getting ready for an audit. Make sure your staff knows every detail of what is outlined in your Policies and Procedures and receives regular training to guarantee they are fully aware of what is expected of them. Both your Policies and Procedures and staff training should be updated annually to include any changes in Federal law or HHS guidance.
As a general rule, your employees should be making every effort to disclose only the bare minimum amount of information required for any given set of circumstances and be just as discreet when requesting information from another practice or clinic.
Want to learn more about the steps you can take to help your practice with HIPAA compliance? Contact us at firstname.lastname@example.org or (561) 432-7823. We’re the IT professionals practices in South Florida trust.