How Small Practices Are At Risk For HIPAA Violations

May 2, 2017 | Info for Professionals

In a recent publication, it was revealed that small healthcare practices are at a higher risk for HIPAA violations, and it may not be for the reasons you would think. What’s more is that the federal government does not scale fines to the size of the organization, costing practitioners a hefty sum for each infraction.

The reasons for the infractions may seem innocent enough. When offices are small, sometimes it’s the closeness of their coworkers and patients that leads them to take more chances with the personal and private health information of their patients than they should.

There are many different ways that small practices share information that can and will lead to HIPAA violations. We’ll take a look at a few of the most common.

Big Ways Small Practices Are At Risk For HIPAA Violations

Since the nature of the infraction is sharing confidential information with people who should not have it in the first place, it is simple to why the problem lies in a lack of understanding around how patient information should be communicated:

Not Being Cautious When Talking About A Patient – With in-home patient care dramatically on the rise, there are many people caring for and interacting with a patient that may be calling on your practice. They may ask for information that they don’t have any proper authorization for. You need to be sure that anyone calling about the patient has written permission, signed by the patient or their legal conservator, before divulging any information. What may seem like an inconvenience to the person calling now, could mean big trouble for your practice later by missing this step.

Texting And Emailing Patient Information To Anyone Is Illegal – You can’t transmit any personal health information about any patient to any person outside of what modes of communication are designed for secure communication. Hospitals and larger practices invest in expensive technology and software that is HIPAA-compliant for these reasons. However, smaller private practices of allied health professionals, like a speech-language therapy office or neuropsychology group practice, may not have such deep pockets to invest in expensive electronic health record systems. So, the temptation to respond quickly to a patient-related inquiry via email is so tempting! Now for the good news – there are emerging, affordable technologies out there for a small practice like yours. Read on! Not having such a HIPAA-compliant technology is no longer an option, given the heavy fines involved. If anyone would like to you to email or text patient information to them, the answer is ‘No.’ Period. The risks are far too great for anyone to see the information casually, be it obtained through hacking or otherwise.

Don’t Forget – Sharing Unauthorized Patient Information Is Criminal – In small towns or in offices where patients and staff tend to know each other, even co-workers, it might be tempting to look up information about a patient and share it with someone when you don’t have any professional or legal reason to. Maybe out of curiosity or concern, maybe their best friend is just asking you for information about their friend because they are concerned. None of these reasons are any reason to pay heavy fines (paid by you personally) or even go to jail. If you don’t have any professional reason to be in a patient’s file, the choice is simple; stay out of it.

In situations where well-intentioned people may want information about a patient, remind the person that it is illegal to share information with them without prior authorization, even a family member. If they need information about a patient, they can ask the patient or their authorized family member for information.

What A Small Practice Can Do To Mitigate The Risk For HIPAA Violations

For small practices, there are a few things they can do to reduce the risk without breaking the bank. Utilizing the practices suggested, can significantly improve HIPAA-compliance and let the entire practice breath easier about HIPAA violations.

Make Sure Your Office Knows HIPAA – As a practitioner who owns a practice, an office manager at a practice, or even a professional working at a practice, it is incumbent on all to know and follow the HIPAA regulations. Most professionals have had extensive training regarding HIPAA for continuing education credits, but other staff members also need to be trained and coached on HIPAA safety as well. If you own your own practice, you will need to have your staff adequately trained if you hope to avoid any trouble with HIPAA.

Perform Your Own HIPAA Audits Regularly – Take the time to be sure that your office is following the proper protocol with HIPAA-compliance. Are your records stored properly? Are there patient files left on desks that shouldn’t be? Is your staff communicating with each other about patients in a way that is safe? Make sure the rules are being followed properly.

Use Secure Solutions For Patient Communication – For small offices, large HIPAA patient record and communication solutions are just financially out of reach. However, there are a couple things you can do to keep a secure lock on patient communication and interaction to make your practice safe against HIPAA violations. Cloud-based solutions are the next wave for patient records and communication and make compliance more affordable for the small practice.

eCare Vault Is The Perfect Solution For Patient Care And Communication Management

Since communication management is the problem, the only solution can be the right patient care coordination solution. Security of patient information, especially via interpersonal communication, is the cornerstone of HIPAA. The only real valid way to ensure that is only communicating through a solution that provides that surety.

eCare Vault is the first cloud-based HIPAA-compliant solution of its kind to specialize in fixing this problem. Within eCare Vault, only those who have been invited to a patient’s care team based on appropriate consents (obtained through the usual written means outside the eCare Vault platform) can share information about the patient. Each care team has a team owner or quarterback that can approve suggestions made by the other team members and even remove team members, if need be.  The team owner is typically the patient or their legal caretaker, but it could also be a caseworker or therapist, if they have obtained the appropriate consents to take such actions.

Each team member can determine who within this care team should see what information this team member chooses to share. This facilitates collaboration in pairs and triads within the care team, so that everyone on the care team does not need to see everything. A team member can even upload a document or save a note and share with no one, just so all information is saved and organized for each patient.

Every member of a care team for a patient in eCare Vault is able to share information, participate in threaded conversations and read what progress is being made and any critical information that arises within the care team about the patient. Most of all, it is secure and HIPAA_compliant. Even better, it is affordable; in fact the core features come for free! A phone app allows you to access and contribute to the care conversation through eCare Vault no matter where you are, at any time.

For the small practice that needs better care management communication, this is the best news they’ve had about HIPAA compliance yet.