Customer loyalty is the ultimate goal of any business. Everyday companies should not only try to provide excellent service but also try to turn a dissatisfied customer into a happy one.
But how can one calm down an angry patient without violating HIPAA regulations? Sounds like this poses an additional challenge to healthcare providers. In this article, PissedConsumer.com tells you about the most common HIPPA violations and gives tips on how to respond to online reviews in accordance with HIPAA requirements.
Healthcare companies, more than companies in any other area of business, need to build trustworthy, reliable, and loyal relationships with their clients. But they have something very important to consider while communicating with their patients, especially online, on public platforms: HIPAA (The Health Insurance Portability and Accountability Act that was adopted in 1996).
This Act is aimed at securing the privacy of individuals’ health information that is held or transferred in an electronic form. The list of institutions that should comply with HIPPA regulations include:
- medical centers, clinics, and hospitals;
- private practices;
- outpatient providers;
- hospices and adult care providers;
- health plans and insurance providers.
Why Is HIPAA Compliance Important for Healthcare Providers?
Or, in other words, what consequences can HIPAA violations have for them? HIPAA violations are infamous for substantial fines that can go up to $5.5 million. Such significant HIPAA violation penalties may be particularly threatening to small private practices. Moreover, healthcare institutions can also be punished with sanctions or loss of license.
There are many real HIPAA violation examples and following fines that speak louder than words. For instance, in April 2017 CardioNet had to settle potential noncompliance with the HIPAA Privacy and Security Rule. The company was obliged to pay $2.5 million as HIPAA violation penalties and to draft a corrective action plan.
A similar issue happened to Memorial Healthcare System (MHS). This medical organization had to pay the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of HIPAA in February 2017. The protected health information (PHI) of 115,143 individuals was impermissibly accessed by MHS’s employees and disclosed to the physician office staff.
Another case of HIPAA violation took place in November 2017, according to Digital Guardian. Lahey Hospital and Medical Center (Lahey) agreed to pay $850,000 in HIPAA violation penalties and to adopt a corrective action plan so as to settle potential violations of the HIPAA Privacy and Security Rules.
And these HIPAA violation examples are not so rare. Nevertheless, businesses operating in the medical field have to keep up with modern technological advances to succeed in customer service and to meet HIPAA requirements.
5 Most Common HIPAA Violations
The entities that deal with people’s medical records have to always be on guard. They should not only be able to protect the data from unauthorized disclosures, but also to ensure integrity and availability of patient’s information upon request. Moreover, medical institutions also need to train their staff according to HIPAA requirements.
Regardless of all these preventive measures, the most common HIPAA violations are still rather common and occur frequently over the years. Take a look at the 5 most common HIPAA violations.
1. Disclosure or use of protected health information (PHI) without authorization.
Employees can accidentally share an individual’s private information with their colleagues or friends. The leak of data can happen if medical workers text their data via insecure telecommunication channels and expose them to hackers or mishandle patient’s records, so other medical staff members or patients can see it.
Last but not least is online posts, comments on different social media networks, review platforms, and blogs. Their customer service representatives can unintentionally breach an individual’s privacy and share his/her PHI.
2. Absence or lack of technical safeguards to protected health information.
This type of HIPPA violation poses one of the biggest dangers to any healthcare entity. Unfortunately, company security systems quite often turn out to be unable to protect their patients’ medical records and can be easily accessed by cybercriminals. Or health information can go public if employees access data through their home computers or any other unprotected computers.
3. Inability for patients to access their protected health information.
Medical institutions can fail to provide patients’ records upon request which can cause HIPAA complaints. Like, for example, this consumer shared a review about CareNow:
…Furthermore, they have no respect for HIPAA they refuse to release your complete records cover to cover and the records you do got are blacked out hiding full detailed information…
Even though this type of HIPAA violation seems minor, it can lead to quite costly settlements.
4. Lost or stolen devices.
Theft of cell phones, tablets, laptops, flash drives, and other devices with PHI in them can result in HIPAA violation penalties. Even if this HIPAA breach is considered incidental, this fact doesn’t lessen the sum of payments a violating organization has to cover. To prevent this from happening, management and employees must take respective security measurements.
5. Illegal or excessive access to patient’s files by employees.
It is also a quite common type of HIPAA violation when staff members access patient’s records without authorization. Especially, if employees are patient’s friends, relatives, or if a patient is a celebrity. Such curiosity can be seriously punished with substantial fines or even imprisonment.
An organization can be penalized not only for a committed crime but also for a potential threat to an individual’s medical data and for the lack of a respective action plan. To avoid possible noncompliance with the HIPAA regulations, an organization should trace all the updates and dynamics in the Security and Privacy Rules.
6 Tips on How to Respond to Reviews Under HIPAA Guidelines
The HIPAA restrictions are not the ground to ignore your patients’ HIPAA complaints. You just need to be more careful than other businesses when communicating with your clients. To succeed in this communication and to get the maximum for your company, you need to keep in mind some tips.
1. Respond quickly.
It is what your disgruntled customers expect from you first of all. But remember that HIPAA will not forgive impulsiveness. It might be an expensive mistake. Double-check everything you write to your customers publicly. Re-check the tone and phrases you use to respond to HIPAA reviews.
2. Be patient, polite, and helpful.
Bad things happen and patients CAN BE unhappy with your services. So, be ready that an angry client might express himself/herself in an aggressive way. But this behavior shouldn’t affect your attitude. Be objective and don’t take it personally.
Think about the answers to the following questions: Why did it happen, and why did the patient feel this way? Is there something you could have done to prevent it? Have you or your colleagues already heard about it? Should you consider a change or improvement?
Remember, that your “weapon” is patience and friendliness. Admit the mistake and take full responsibility for it. At first, it will soothe the person and make him/her open for further interaction. Your main goal is to take the conversation off-line and dispute the question mentioned in a HIPAA review face-to-face.
3. Comply with the “confidentiality” rule.
Since you can’t disclose a patient’s information in any way, you should create responses that will correspond to HIPAA requirements. You shouldn’t acknowledge that the person that was referred to your healthcare entity is your patient. Even if he/she publicly admitted it. It means that replies like:
We apologize that you’ve experienced some issues with our company. But we’d love to take the chance to make it right.
are not the best answer because you publicly recognize this person to be your patient. Your answers to HIPPA reviews on media sources have to be totally impersonal but not “robotic”. It means that you have to create at least several templates. But you also need to leave some space to refer to a particular problem.
For example, when a person is dissatisfied with some company policies or rules and you need to explain to them to eliminate conflict. Moreover, all the responses should be written in such a way, so that to encourage your customer to discuss the matter offline.
4. Take the dispute offline.
It’s the main goal of resolving any medical issue online. In an offline conversation, you can find out as many details as possible to help you fix the issue faster and not to violate HIPAA regulations. Also, it’s necessary to make the conversation more personal and to make your customer feel cared about and important.
5. Try to get as many details as possible.
Even if a customer hasn’t provided you with them. The information you collect is needed to make the right unbiased and empathic decision. You have to get answers to the basic questions: how/where/when it happened, who was involved, what actions were made to settle the issues. In turn, give as many details as possible to your customer regarding how you are going to resolve his/her problem and when it is going to happen.
6. Follow up.
Reach out to a person in several days to make sure that your customer’s HIPAA complaint has been addressed and resolved. Keep in mind that you must always provide the best customer service. Thanks to follow-ups and collected feedback, you will know for sure whether you’ve fully met your customers’ needs.
Remember that such close Company – Customer communications help not only to turn a disgruntled consumer into a loyal one but to identify possible flaws in your business and to prevent them from happening in the future.
HIPPA poses a real monetary danger to medical businesses if they do not meet its requirements. But knowledge and law-abiding behavior and business strategies have always been the best tools to avoid any legal issues. Be aware, stay updated and your medical entity will be perfectly safe.