A large portion of healthcare breaches occur due to human error, whether it is a lost/stolen device, clicking on a phishing email, or accidental disclosure of protected health information (PHI). Protecting patient information in the workplace can be a daunting task, however getting employees involved is the best way to manage HIPAA compliance.
How Employees Can Help Protect Patient Information with HIPAA Compliance
- Do not share passwords or login credentials
All employees should have unique login credentials, allowing for actions to be attributed to specific users. When employees share their login information, in the event of an insider breach, it will be difficult to determine which employee is responsible.
- Do not leave documents or portable device unsupervised
As stated previously, protecting patient information in the workplace is largely a human issue. Employees that leave portable devices or paper documents unattended pose a huge risk to their organization. When a device that is not password protected or encrypted is lost or stolen, it would result in a major HIPAA violation, especially if it is found that the employee left the device unattended.
In addition, paper records should be left in locked filing cabinets or rooms. Leaving out paper records can easily lead to a healthcare breach, a curious employee or patient can easily view records left out in the open. In some cases, individuals with malintent can steal or copy paper records and distribute them further.
- Do not share patient information via text
Although it is convenient to text information, it is not permitted to share PHI in this format. Traditional messaging apps don’t have the necessary security and access features to be used for HIPAA compliant messaging. However, there are text messaging platforms created specifically for healthcare. Provided they are encrypted, enable access controls, and will sign a business associate agreement (BAA), healthcare text messaging platforms can be used to safely transmit PHI.
- Do not dispose of PHI in your regular garbage
Any document containing PHI must be disposed of properly. It is recommended that documents containing PHI are shredded or incinerated so that documents cannot be reconstructed. If there are documents waiting to be shredded, they should be kept in a locked shredder bin until they can be properly disposed of.
- Do not access patient information without cause
HIPAA requires organizations to adhere to the “minimum necessary” rule when accessing PHI. This means that employees should only have access to the information they need to perform their job function, and they should not excessively access patient files. Some employees may be tempted to access patient records out of curiosity, however, this violates HIPAA law.
- Do not take medical records with you when changing jobs
When starting a new job, employees should never take patient records with them. Taking patient records may give them a leg up at their new job, as the information can be used to poach patients. However, this is a HIPAA violation that can lead to criminal charges.
- Do not access your own medical records using your login credentials
It is not permitted for employees to access personal health records using their login credentials. Employees must go through the same process of obtaining their records as patients.
- Do not share ePHI on social media
Sharing PHI on social media is a clear violation of HIPAA. Patient information cannot be shared without written consent. However, even with written consent, patients must explicitly consent to their information being shared on social media. Additionally, healthcare staff must be careful when posting pictures that they took at work. If there are any patients, or patient information in the background, this is a HIPAA violation. When in doubt, do not post.
- Always report suspected HIPAA violations
Suspected HIPAA violations must be reported to an organization’s compliance officer. However, HIPAA requires employees to have a means to report suspected breaches anonymously, without fear of repercussions.