A closer look at HIPAA: Part 2 — Violations and their mitigation

A closer look at HIPAA: Part 2 — Violations and their mitigation

By Lindy Benton, contributing writer

June 9, 2015 — In her first column, Lindy Benton of healthcare information exchange company MEA/NEA discussed what the Health Insurance Portability and Accountability Act (HIPAA) is and how breaches of information might occur. In this column, she looks at 10 common violations and offers practical tips for your practice.

Diverse forms of protected health information are at risk, as indicated by respondents to the Ponemon Institute’s 2014 benchmark study on patient privacy and data security. However, the following 10 common violations require that attention be paid.

10 common violations

  • Failure to adhere to the authorization expiration date: Patients can set a date when their authorization expires. A violation would be releasing confidential records after that date.
  • Failure to promptly release information to patients: According to HIPAA, a patient has the right to receive electronic copies of medical records on demand.
  • Improper disposal of patient records: Shredding is necessary before disposing of patient’s record.
  • Insider snooping: This refers to family members or co-workers looking into a person’s medical records without authorization. This can be avoided with password protection, tracking systems, and clearance levels.
  • Missing patient signature: Any HIPAA forms without the patient’s signature is invalid, so releasing information would be a violation.
  • Releasing information to an undesignated party: Only the exact person listed on the authorization form may receive patient information.
  • Releasing unauthorized health information: This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.
  • Releasing wrong patient’s information: Through a careless mistake, someone releases information to the wrong patient. This sometimes happens when two patients have the same or similar name.
  • Right to revoke clause: Any forms a patient signs need to have a “right to revoke” clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA regulations.
  • Unprotected storage of private health information: A good example of this is a laptop that is stolen. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, flash drive, or any other mobile device.

Read the complete article at: