By Dava Stewart
The Health Insurance Portability and Accountability Act (HIPAA) has been in place for long enough that virtually every clinician and practitioner in business is aware of the law and the consequences of not following it to the letter. That knowledge, however, doesn’t mean that DCs across the country know exactly how to follow the rules laid out in HIPAA. Knowing the warning signs of noncompliance can help keep the chiropractic office running smoothly, even in the event of an investigation.
How and why would a practice be investigated?
The Office of Civil Rights (OCR), which is part of the Department of Health and Human Services (HHS), is responsible for enforcing the privacy standards set forth in HIPAA. There are many reasons an investigation could be carried out, and, according to the HHS website, there are three ways the OCR enforces HIPAA privacy regulations:
- by investigating complaints filed with it,
- conducting compliance reviews to determine if covered entities are in compliance, and
- performing education and outreach to foster compliance with the Rules’ requirements.
What are some “symptoms” of noncompliance?
There are a few warning signs that may indicate a practice is out of compliance with HIPAA. Monitoring the workflow of the practice and keeping track of with whom information is shared are important steps in protecting patients’ privacy. Here are some signs a practice is unintentionally violating patients’ rights:
Paper files are accessible. Charts hanging on doors or lying on tables are like blaring red warning signs when it comes to HIPAA violations. If anyone besides a healthcare provider or the patient could pick up a file and flip through it, the patient’s privacy is not being protected.
With the rise of electronic health records (EHR) systems, paper files are becoming less of a concern in most practices; however, there are still quite a few offices that maintain paper files. Making sure those files are protected must be a priority in those practices.
Staff members casually discuss patients. It may seem hard to believe, but it happens more often than most DCs imagine: Staff members describe patients, or use names, and talk about treatment plans, insurance coverage, conditions, and other topics that are HIPAA violations — within hearing range of other patients or people in the waiting room. After all, staff members are at work, and they are talking about work, so it doesn’t seem like a violation.
Regular training and discussion of HIPAA and all that goes along with remaining compliant is the best way to prevent violation through casual conversation. The more often staff members hear, read, or talk about HIPAA, the more likely they are to have the regulations in mind.
Computer screens left unattended and open. In offices using EHR systems, an open computer screen is the equivalent of leaving a paper chart on a table. In fact, an open screen is worse in some ways because navigating to other patients’ files is a fairly simple thing to do. However, even without that kind of purposeful snooping, leaving private information on a screen that other people could see is a violation of HIPAA regulations.
Again, training is the best way to address the potential problem. Once staff members develop the habit of closing everything when they walk away from the computer, patient information is more secure and the possibility of a violation is lower.