When you operate a non-profit that deals with clients' health information, you need to be careful to keep your organization HIPAA-compliant. You might follow good computer practices and train your employees well, but in the middle of a hectic day, one of your caseworkers could still inadvertently create a HIPAA violation.
Here are 6 common mistakes that can create an unintended HIPAA violation.
1. Physical Written Records
If you keep health records in physical written form, it’s easy for an employee to set them down momentarily in a client’s room or on their desk and walk away. This is especially true if an emergency or crisis situation arises. It’s natural to set them down and run to help.
Those records left out in the open are an easy target for someone to pick up and look at – creating a HIPAA violation. Make sure printed medical records are kept locked up and out of public view. Or better yet, switch to encrypted electronic records.
2. Home Computer Access
A caseworker’s work is never done. It’s not uncommon for them to use their home computers or laptops after hours to catch up or get a head start on the next day’s workload. However, if part of catching up includes accessing a client’s medical information, this could lead to potential HIPAA violations.
All it takes is for them to leave the information up on the screen where a family member or roommate could see it. Making sure their computers and mobile devices are password protected helps, but make sure employees are aware of the potential for a violation.
3. Just Being Helpful
It's the nature of caseworkers to want to help others. So, when a concerned friend, relative or even fellow coworker wants to know how a particular client is doing, it's natural for a caseworker to want to check the records and share the information, especially if it's good news.
This creates two potential violations. First, the caseworker may not be authorized to access that particular medical record. Second, sharing the information with an unauthorized person is itself a violation, even if that person is a concerned friend of the client.
4. Social Media Posts
Social media can be a great way to share what’s going on with your organization and drum up support. However, showing a photo or video that includes a client who is dealing with medical issues could create a violation. Even if you don’t post their name, someone could recognize them and figure out why they’re there. Make sure all your employees are aware of this issue and are not posting potential privacy violations on social media.
5. Lost or Stolen Mobile Devices
If your caseworkers carry smartphones or other mobile devices that contain your clients' medical information, and one of those devices is lost or stolen, the result could be a theft of PHI (protected health information). That in turn could result in HIPAA violations and fines. Your best bet to avoid that is the double security of password protection and encrypted medical records.
6. Loose Tongues
Talking about work and gossiping about the unusual things you see at work is just human nature for some people. But a caseworker talking to friends or coworkers and revealing medical information is also a HIPAA violation. Make sure that everyone understands they shouldn't share any medical-related information with friends and family. And even if they're talking with another authorized caseworker, they need to restrict those conversations to private places where they are not likely to be overheard.
Those are just a few ways violations could creep up on your organization that you might not have considered. It only takes one slip-up to potentially lose your HIPAA-compliant status. A little forethought and education of your team can go a long way towards keeping that compliance and avoiding sanctions and fees.