Although HIPAA has been impacting the healthcare industry since the late ’90s, far too many businesses still struggle to comply with the various facets of the law. One particular area of weakness for covered entities involves the protection of their patients’ protected health information [PHI]. Time and again, they fail to adequately safeguard the personally identifiable information that has been entrusted to their keeping. Naturally, such lax defenses can result in a host of issues such as data theft, fraud, loss of client trust, fines, and even jail time.
Over the years, one of the main causes of HIPAA noncompliance has been human error. In most cases, employees unknowingly open the floodgates to prying eyes or cybercriminals through a simple lack of understanding, education, or forethought. Although such actions are rarely malicious, ignorance is not an excuse readily accepted by Health and Human Services [HHS]. Therefore, it’s crucial that you ensure that your team members comply with the rules and regulations of HIPAA.
Are Employers Bound by HIPAA?
If your business falls outside the realm of healthcare, you may be asking your HR team, “Are employers bound by HIPAA?” Although you may not be a covered entity, you still collect your employees’ health information for things such as Workers’ Compensation claims or accommodations under the Americans with Disabilities Act [ADA].
Generally speaking, HIPAA only applies to “covered entities.” These are defined as:
- Health plans
- Healthcare providers that electronically store, share, or send PHI
- Healthcare clearinghouses
In short, HIPAA typically does not apply to the direct act of collecting your employees’ personal health information; however, it does apply to the healthcare entity from whom you gather that information.
According to the boundaries set forth by HIPAA, covered entities are only allowed to disclose protected patient health information when permitted by the individual. In a broad sense, a covered entity can disclose PHI for the purposes of treatment; beyond that, the limits on disclosure grow more stringent. Typically, what can be disclosed is subject to the “minimum necessary” standard established in HIPAA. Per 45 CFR § 164.512:
A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, use or disclosure permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.
In 2009, the American Recovery and Reinvestment Act (ARRA) expanded HIPAA’s umbrella to cover business associates, which are defined by HHS as: “A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity.”
Examples of business associate functions and activities include:
- Data analysis
- Data processing
- Data administration
- Claims processing
- Claims administration
- Utilization review
- Quality assurance
- Benefit management
- Practice management
Business associate services can include any of the following:
- Data aggregation
- Data management
- Data accreditation
HIPAA Guidelines for Employees
What is PHI?
If your business is a covered entity or a business associate, it’s essential that you and your employees take special care of your clients’ protected health information. But what’s considered PHI? Per the HIPAA Journal, it’s:
Any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
The 18 identifiers that qualify as PHI are:
- Account numbers
- Any unique identifying number or code
- Biometric identifiers (fingerprints, retinal scan)
- Certificate/license numbers
- Dates, except the year
- Device identifiers and serial numbers
- Email addresses
- FAX numbers
- Full face photos and comparable images
- Geographic data
- Health plan beneficiary numbers
- Internet protocol addresses
- Medical record numbers
- Names
- Social Security numbers
- Telephone numbers
- Vehicle identifiers and serial numbers including license plates
- Web URLs
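As an added example (not code from the original article or from RSI Security), the following Python scanner checks a message for a subset of the identifiers listed above before it is sent or stored, and redacts what it finds. The regular expressions, the `Finding` type, the function names and the sample message are all constructed for this illustration; the patterns are deliberately simple and would be tuned and extended (names, geographic data, account numbers) in a real data-loss-prevention rule set.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Regular expressions for a subset of the 18 HIPAA identifiers. They are
# constructed for this example; a production DLP rule set is broader and uses
# context (field names, checksums) to cut false positives.
PATTERNS: dict[str, re.Pattern[str]] = {
    "Social Security number": re.compile(
        r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "Telephone/fax number": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "Web URL": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "Date (other than year)": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "Medical record number": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    start: int
    end: int


def scan_for_phi(text: str) -> list[Finding]:
    """Return non-overlapping identifier matches in text, ordered by position."""
    candidates = [
        Finding(category, m.group(0), m.start(), m.end())
        for category, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    # Earliest start wins; on a tie the longer match wins.
    candidates.sort(key=lambda f: (f.start, -f.end))
    findings: list[Finding] = []
    last_end = -1
    for f in candidates:
        if f.start >= last_end:
            findings.append(f)
            last_end = f.end
    return findings


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with its category tag, working right to left so
    the offsets of earlier findings stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.category.upper()}]" + out[f.end:]
    return out


def is_safe_to_send(text: str) -> bool:
    """True when the scanner finds no identifiers in the message."""
    return not scan_for_phi(text)


# Constructed sample message; every value in it is made up for the example.
SAMPLE_MESSAGE = (
    "Pt MRN 00482913, DOB 03/14/1962, called from (555) 123-4567; "
    "SSN on file 123-45-6789, email jdoe@example.test. "
    "Uploaded from 192.168.4.22, portal link https://portal.example.test/visit/77"
)

if __name__ == "__main__":
    found = scan_for_phi(SAMPLE_MESSAGE)
    for f in found:
        print(f"{f.category:<24} {f.value}")
    print(redact(SAMPLE_MESSAGE, found))
    print("safe to send:", is_safe_to_send(SAMPLE_MESSAGE))
```

A check like this belongs at the point where text leaves a controlled system (a chat integration, an outbound email gateway, a ticketing export), so that an employee who pastes a chart note into the wrong place is stopped or at least logged rather than silently creating a disclosure.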
If you are a covered entity or business associate, the Security Rule requires that your business implement the following administrative safeguards:
- Security Management Process – Covered entities are required to identify and analyze potential risks to ePHI. Once done, they are required to add security protocols and procedures to decrease said risks.
- Security Official – You must designate a security official who will be in charge of creating and applying security protocols and procedures.
- Information Access Management – You are required to limit the use and disclosure of PHI to the “minimum necessary.”
- Workforce training and management – You are legally required to ensure that you provide both adequate supervision and training of any employee that handles ePHI. This includes instructing them on security policies, procedures, and sanctions for noncompliance.
If your business handles sensitive client information on a regular basis, you are bound by the law to protect that information. By mandating HIPAA compliance training, you take proper preventative precautions and, in the case of failures, can then demonstrate to outside sources that you did everything in your power to train your employees to act correctly.
Common Employee HIPAA Violations and Faux Pas
As mentioned, employees are the most common cause of HIPAA violations. The vast majority of such cases are simply the result of laziness and a lack of training: employees don’t know better, even though they should, and then act out of incompetence. With this in mind, it’s your duty to regularly educate your employees about the dangers of HIPAA noncompliance, both for them personally and for the business they work for. The HHS summary of the Security Rule states that covered entities must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce.
To help you in the task of creating an employer HIPAA compliance checklist, it’s crucial that you are aware of common violations that employees typically engage in as well as preventive actions you can take. These include:
- Snooping on patient files – According to the HIPAA Journal:
Snooping was the largest single cause of exposure of patient health information according to the survey, with 27% having experienced a breach when an employee viewed medical records of friends and family, while 35% occurred when employees checked the medical records of their work colleagues.
An employee who illegally accesses client PHI for non-work-related purposes is acting both unprofessionally and cavalierly. Whether they do so out of malice, curiosity, or friendship, doing so is illegal and can cause serious harm to your business.
Steps you can take to prevent such actions include restricting access to patients’ or employees’ records unless it is explicitly required for work purposes, and reviewing access logs for views that have no work-related justification.
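The “minimum necessary” access management safeguard above and the snooping problem described here can both be checked against an access log. The following Python audit routine is an added example, not code from the original article or from RSI Security: it compares each chart access against the patient’s care-team assignments, flags accesses by workforce members with no treatment relationship, and escalates when the patient is also a colleague or when the action copies PHI out of the system. The assignment table, the staff-patient mapping, the log rows, the action names and the break-glass list are all constructed for this illustration; in a real deployment they would come from the EHR, HR and scheduling systems.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Actions that copy PHI out of the system; more serious when the actor has no
# treatment relationship with the patient. Action names are constructed.
EXPORT_ACTIONS = {"print_chart", "export_chart", "download_results"}

# Constructed sample data for this example; none of it is real.
# Care-team assignments: which workforce members currently treat which patient.
ASSIGNMENTS: dict[str, set[str]] = {
    "P1001": {"dr_lee", "nurse_kim"},
    "P1002": {"dr_lee"},
    "P1004": {"dr_ortiz"},
}
# Patients who are also workforce members: patient id -> their user id.
STAFF_PATIENTS: dict[str, str] = {"P1004": "it_sam"}

# Access log rows: (timestamp, user, patient, action). Constructed.
ACCESS_LOG = [
    ("2024-05-01T08:02:11", "dr_lee", "P1001", "view_chart"),
    ("2024-05-01T08:10:45", "nurse_kim", "P1002", "view_chart"),
    ("2024-05-01T12:31:09", "clerk_ray", "P1004", "view_chart"),
    ("2024-05-01T12:32:00", "clerk_ray", "P1004", "print_chart"),
    ("2024-05-01T22:15:00", "dr_lee", "P1002", "view_chart"),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    patient: str
    action: str
    reasons: tuple[str, ...]


def audit_access(log, assignments, staff_patients, break_glass=frozenset()):
    """Flag accesses that have no documented treatment relationship.

    break_glass holds (user, patient) pairs with a recorded emergency
    justification; those are reviewed on their own and not alerted here.
    """
    alerts: list[Alert] = []
    for timestamp, user, patient, action in log:
        if user in assignments.get(patient, set()):
            continue  # on the care team: consistent with minimum necessary
        if (user, patient) in break_glass:
            continue
        reasons = ["no treatment relationship with patient"]
        if patient in staff_patients and staff_patients[patient] != user:
            reasons.append("record belongs to a colleague")
        if action in EXPORT_ACTIONS:
            reasons.append(f"{action} copies PHI out of the system")
        alerts.append(Alert(timestamp, user, patient, action, tuple(reasons)))
    return alerts


def alerts_by_user(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per user so repeat offenders surface for review."""
    return dict(Counter(a.user for a in alerts))


if __name__ == "__main__":
    for a in audit_access(ACCESS_LOG, ASSIGNMENTS, STAFF_PATIENTS):
        print(a.timestamp, a.user, a.patient, a.action, "; ".join(a.reasons))
    print(alerts_by_user(audit_access(ACCESS_LOG, ASSIGNMENTS, STAFF_PATIENTS)))
```

Run daily over the previous day’s log, the per-user counts give a compliance officer a short review queue, and the break-glass list keeps legitimate emergency access from drowning out the genuine snooping cases.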
- Mishandling of medical records – HIPAA requires that any printed medical records containing PHI be kept in a secure place. If a nurse leaves a previous patient’s file in the exam room and that file can be read, accessed, or stolen by another patient, that is a clear breach of HIPAA. Therefore, cover charts so that patient names or identifiable information are not visible. Also, do not leave records or similar PHI unattended; instead, adopt a policy of immediately storing charts, tests and other patient documents upon completion of an exam.
- Social media – Ineptitude on social media has caused its fair share of headaches for businesses and individuals alike. Posting pictures of clients’ faces, especially without their express consent, is one of the simplest ways you can violate HIPAA. Unless the patient gives you the green light, posting a picture of them could expose them to others discovering that they see that specific doctor for what may be a private and/or embarrassing reason. If you wish to avoid social media blunders, make it very clear to the person in charge of your social media and/or your employees to be very careful about what they do or do not post. Convey to them how even an innocent post could cause a host of negative ramifications for them, the business, and most importantly, the patient.
- Employees discussing patient information – Whether at work or at home, employees should never talk or gossip about a previously seen patient unless they are currently working on that patient’s case. This is particularly true for conversations in places where unrelated employees or patients could overhear and thus glean PHI. Many employees make the mistake of discussing patients with friends, family, or other coworkers, which is a serious breach of HIPAA. Encourage your employees to avoid talking about patients, or even referring to them by last name, in the presence of others who have no relation to the case. Also, highlight the fact that verbal dissemination of PHI is just as much a violation as physically sharing patient papers.
- Lost or stolen devices – Work phones, tablets, or laptops are a special kind of security threat, particularly since they are far more vulnerable to theft, loss, or cyber intrusion. If an employee loses a work device or has one stolen, it’s crucial that they report it immediately. In addition, any work-related device with access to PHI should have security measures installed in order to prevent unwarranted access. Steps you can take include:
- Messaging patient information – Some covered entities will use messaging systems or their phones to share particular information. Even if this is done simply for convenience and speed, including PHI in a messaging application exposes that information to prying eyes. If you want employees to be able to discuss patient information via messages or texts, it’s essential that every employee uses an encrypted messaging application in order to protect that data.
- Exposing PHI on home computers – Naturally, doctors need to be able to review casework from the comfort of their homes. This might mean that their computer or laptop contains PHI. By itself, such an action is not a violation of HIPAA; however, if they were to leave that information on the screen unattended, it could be viewed by unwelcomed eyes. This is a violation of HIPAA.
As an employer, encourage your employees to lock their screens or close their computers when they are working from home and need to step away from their tasks. In addition, ensure that all devices have two-factor authentication, encryption, and other such security protocols.
Alert and Train Your Employees
It’s vital that your employees are aware that their actions, whether intentional or not, can have serious ramifications on not only themselves but the business and its patients as well. Should they be found guilty of a breach in HIPAA, particularly one that they were fully aware of violating, they may be faced with stiff penalties such as monetary fines and jail time.
If you wish to protect your business, you need to take proper precautions to ensure that your employees have been adequately trained in accordance with HIPAA guidelines. You can do so by enlisting RSI Security to evaluate your organization’s processes, controls, policies, and training procedures. Our comprehensive audit can help you identify gaps between your practices and HIPAA requirements and then provide prescriptive actions and employee training.
Interested? Reach out today and we can help you ensure that employees aren’t your business’ bane.
Cornell Law School. 45 CFR 164.512. Uses and disclosures. https://www.law.cornell.edu/cfr/text/45/164.512
HHS. Business Associates. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
HIPAA Journal. What is Considered PHI Under HIPAA? (2017). https://www.hipaajournal.com/considered-phi-hipaa/#targetText=PHI%20is%20health%20information%20in,when%20it%20includes%20individual%20identifiers.
HHS. Summary of HIPAA Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Northern Illinois University Division of Information Technology. HIPAA Security Rule: Explanation and Guidance. https://www.niu.edu/doit/policies_root/HIPAA%20Security%20Rule.shtml
HIPAA Journal. Employees Snooping Most Common Cause of HIPAA Security Breaches. (2013). https://www.hipaajournal.com/employee-snooping-common-cause-hipaa-security-breaches/