HIPAA isn’t as cut and dry as some might have you believe, and many healthcare agencies violate it without realizing they’ve done so. Unfortunately, ignorance is no excuse. You need to make sure you are aware of some of the more common blind spots – that way, you can avoid fumbling into them yourself.
The digitization of healthcare has done some amazing things for both staff and patients. Unfortunately, it’s also introduced a huge laundry list of stumbling blocks and pitfalls. Worse still, many agencies are unaware of them – unaware they’re even violating HIPAA.
Let’s talk about that.
The security failings of SMS have been exceedingly well-documented. Texts can easily be sent to the wrong number, be read on an unsecured phone, and are not an encrypted form of communication. The fact that anyone would use it to share any sort of sensitive information is frankly baffling. Yet that is precisely what happens in many hospitals.
Staff who lack access to a secure messaging solution instead rely on text messages. And more often than not, they may be sharing personal health information (PHI) in those messages. This is doubly true for organizations that send SMS reminders to patients. With 80% of medical professionals using their own mobile devices in popular BYOD situations, security precautions are more important than ever.
There are a few things you should do to avoid these pitfalls. Provide your workers with an enterprise-grade secure messaging platform – one which you know for certain is HIPAA compliant. When sending appointment or prescription refill reminders to patients, limit information to only the essential beats – ie. “Hello, it is time to refill your prescription” or “You have an appointment at X PM on X day.” Never include any personal identifiers.
It is tempting to use a personal device to directly text a patient, but it is vital to take the extra time to log in to the secure messaging platform each time to relay a message to a patient, even the simplest ones about changing the time of an appointment.
It isn’t difficult to see why many healthcare organizations have digitized the collection of patient data. Unfortunately, what a lot of them do not realize is that they may inadvertently be violating HIPAA in doing so. Let’s say, for example, your organization has an online form through which a patient is surveyed about their experience during their appointment that day.
If that patient shares PHI in the survey – and that PHI is not adequately protected and encrypted – that is a HIPAA violation.
Fortunately, this one is fairly easy to get around. You can either include a disclaimer warning patients against sharing sensitive or identifying information in their surveys or simply avoid text fields altogether and make it all multiple choice. I would also advise you to collect patient numbers rather than names in satisfaction surveys and use patient IDs instead.
Sites like Facebook, Twitter, and Instagram are very much new territory for hospitals and other healthcare organizations. But their value – both for advertising one’s services and engaging with friends and colleagues – it abundantly clear. What is not so obvious is the risk they pose of causing a HIPAA violation.
Consider the following scenarios: A nurse talks on Facebook about a tragic accident where the victim wasn’t wearing a seatbelt. A dermatologist advertising their services posts a picture of a patient’s skin on Instagram after performing work on them. A surgeon shares a funny story about a particularly irate patient on Twitter.
Any of the above scenarios is a potential HIPAA violation. Any of the above scenarios could land both your facility and its staff in trouble. Any of the above scenarios can threaten the privacy and confidentiality of your patient data.
Even if the patient name is not listed, it could be considered a violation of HIPAA. In fact, even pictures of staff members at lunch or smiling around a birthday cake could have private files or chart information in view. This sharing, although unintentional, is still a huge violation of HIPAA. If you are sharing a photo for marketing purposes, make sure that you have the appropriate permissions. A permission form should have the patient sign off that you retain rights to the photo and the patient grants you the right to share the photo on social media.
The best thing you can do here is to instruct your staff in what they should and shouldn’t share on social – and when in doubt, avoid sharing.
HIPAA can be complicated – of that, there can be no doubt. But if you’re careful and conscientious with your patient data, compliance isn’t especially difficult. And now that you’re aware of a few of the ways you might fall short, it will be simpler than ever.