Privacy Alert – Real Life Stories

With so much personal data now held online, most people feel a strong need to protect their privacy for security and safety reasons.

You would be hard-pressed to find anyone arguing that protecting personal data is unnecessary, although privacy laws in many countries are far stricter than those in the US.

When we hear of another HIPAA incident, most of us picture a hospital data breach or a hacked healthcare network.

Most of us don’t think about HIPAA violations in the context of small, private practices.

But they exist and happen more often than we’d like to admit.

Let me share a couple of my own experiences…

Regular Email will not Suffice…

Last week, I called an eye doctor’s office to make an appointment, as recommended by my retinal specialist.

I had a retinal detachment about 18 months ago (… long story), so these visits are very important to me.

Incidentally, this is a new provider office for me, and when the phone kept going to voicemail, I went to their website and filled out a form requesting an appointment with the recommended provider.

Today, I received an email asking me to reply with my full name, insurance number, date of birth, etc.

But regular, non-HIPAA-compliant email is unsafe, and I politely said no!

I categorically do not send personal information via regular email and certainly will not send insurance and similar information, nor should I have been asked to do so.

Unfortunately, many patients will be unaware that basic, unencrypted email is not safe. Most will simply comply with a request that appears to come from the “Doctor’s Office.”

Encryption is a Must

Here is another example…

A couple of days ago, I saw a new PCP (I finally found an NP with her own office!).

It was a great visit, and I am glad I made the change (#NPsRock). But the receptionist leaves something to be desired.

  • She did not ask to see my insurance cards. Her reasoning was that since I had filled all that out in the portal, there was no need for it. ALWAYS ask for ALL the cards. She had no way of knowing whether I had filled it out correctly or whether I was who I said I was.
  • Later, she called to say I needed to fill out a new Release of Information form and that she would email it to me. I asked her to put it in the portal, where it would be HIPAA secure, and reminded her that regular email (she was using Gmail) is not HIPAA compliant.

So why do people continually ignore or violate privacy laws and regulations, even when it is not intentional?

Why don’t they pay attention?

They should, because once the damage is done, it can deal a small practice a devastating blow that is hard to recover from.

I realize you are already familiar with HIPAA. However, a little refresher never hurts anyone.

What constitutes a HIPAA Violation?

HIPAA (Health Insurance Portability and Accountability Act) violations occur when the privacy or security of protected health information (PHI) is compromised.

Here are some common examples of HIPAA violations and the potential consequences that could result from such breaches:

  • Unauthorized Access/Disclosure: This happens when PHI is accessed or disclosed without proper authorization. For example, if a healthcare worker accesses patient records out of curiosity, or shares them with others for reasons unrelated to their job duties, it constitutes a violation. Consequence: Depending on the level of negligence, the organization might face fines ranging from $100 to $50,000 per violation. In extreme cases, the individuals responsible could even face criminal charges, resulting in fines or possible jail time.
  • Loss or Theft of Devices: If devices containing PHI (such as computers, laptops, iPads, smartphones, or USB drives) are lost or stolen and are not properly encrypted, the information stored on them can be accessed unlawfully. Consequence: The fines can be substantial, often reaching hundreds of thousands of dollars, depending on the amount of data compromised and the degree of negligence involved.
  • Lack of Employee Training: Failure to adequately train healthcare staff on HIPAA compliance can lead to accidental violations, such as sharing patient information without consent or requesting protected information over non-HIPAA-compliant channels like regular email or text messaging. Consequence: Not training employees could result in fines and corrective action plans mandated by the Department of Health and Human Services (HHS).
  • Improper Disposal of Records: Patient files or other documents containing PHI that are disposed of in dumpsters or other insecure locations without shredding or other proper destruction can lead to violations. Consequence: Fines for such violations can also be significant, and the organization may be required to revise its disposal procedures and retrain staff.
  • Hacking/IT Incidents: Cyberattacks that expose PHI because of inadequate security measures are a serious violation. Consequence: Organizations may face huge penalties for breaches affecting large numbers of patients. They must also notify affected individuals and HHS and may need to offer credit monitoring services.
  • Social Media: It goes without saying that sharing patient information, photos, or any PHI on social media without consent is a violation. Consequence: This can lead to fines, loss of license, and severe damage to the reputation of the practice and provider.
  • Mishandling of Patient Access Requests: Failing to provide patients with timely access to their records (generally within 30 days of the request) is also a violation. Consequence: The entity may face a civil penalty starting at $100 per violation, and each day the response is delayed can be counted as a separate violation.

The Office for Civil Rights (OCR) within HHS manages enforcement actions for HIPAA violations, and penalties are determined by the severity and extent of the breach and the level of negligence involved.

Frequently, organizations must implement changes to their policies and procedures to prevent future violations.

The Takeaway…

So, what’s the moral of the story?

Do NOT let this happen in your office… TRAIN YOUR STAFF!

In Conclusion,

As with everything in your business, the buck stops with you!

Do your best to stay up to date with HIPAA!

Unless you know what is and is not HIPAA compliant, you and your office are in danger of committing violations, even though nobody intends to.


What’s been your experience with privacy and safety issues in the office? Leave a comment below and let us know…


  1. Yes to all these things. This is why I am hiring a professional IT company to monitor my IT and also getting additional cybersecurity. My website that texts me requests for appointments through my web designer IS HIPAA COMPLIANT; otherwise I would have NEVER USED THEM.

  2. Is texting insurance info and driver's license info a HIPAA violation?

  3. If the patient is sending it, and knows and understands that it’s not a secure way of sending info, then they make the choice. On the other hand, you as the provider must use a HIPAA compliant service to text PHI.
