[Insights] Avoid Common and Costly HIPAA Mistakes

Why becoming proactive is critical to the health of your practice.

By Christine Schneider, Executive Vice President, OneSpot

Let’s begin with three gritty questions:

• Does your eyecare practice email sensitive patient information without an encryption?
• Does your practice allow multiple employees to use the same login credential?
• Do your employees walk away from their computers without logging out?

If you answered yes to any of these, your eyecare practice is not compliant with HIPAA. As you know, failing to comply with HIPAA can result in a wide range of criminal penalties—including hefty fees and, even, imprisonment.

Many eyecare practices overlook basic HIPAA compliance regulations, not willfully or maliciously, but mostly because they are unaware. We’ve put together a list of the most neglected HIPAA regulations and how to fix them.

Common Sense for Handling HIPAA Identifiers

Over the last few years, technology has transformed the way patient information is collected, stored, accessed, and shared. This makes it easier to deal with patient data. But it can also lead to preventable HIPAA violations, especially when it comes to HIPAA identifiers.

A HIPAA identifier is any sensitive information that can be used to identify, contact, or locate a patient. HIPAA identifiers can be broken into two categories:

• Direct identifiers: This information explicitly identifies an individual. It includes their name, address, social security number, and medical record number.
• Indirect identifiers: When combined with other data, this information can identify an individual. It can include dates related to an individual’s medical treatment, geographic location, and other unique identifiers like license plate numbers or device serial numbers.

Most employees know that this information must be safeguarded. It’s common sense. But technology makes it easy to overlook basic HIPAA regulations. Here are three, common-sense reminders to safeguard HIPAA identifiers:

1. Only share patient information with employees who need to know it. This includes employees working with treatment, payment, or eyecare operations purposes.
2. Only provide protected health information (PHI) to authorized employees who require that information to perform their job.
3. Avoid sharing PHI in public areas or through unsecured channels.

Easy-to-Fix HIPAA Violations

Most eyecare practices conduct annual HIPAA compliance training. However, too many practices fail to comply with HIPAA at the most basic level. Here are the three most-overlooked HIPAA violations and how to fix them:

1. Send Information through Secure Channels.

All patient information must be sent through secure channels—for both email and fax. This means that all emails and faxes containing ePHI, both at rest and in transit, must be encrypted.

To ensure you’re protecting patient information in emails:

• Use encrypted email services or secure messaging platforms (these encrypt messages and attachments). You will need to provide the recipient with the decryption key or password separately.
• Send attachments through password-protected emails. Securely share the password with the recipient through a separate communication channel (phone call or text).
• Do not include PHI in subject lines. Subject lines should be generic and use identifiers that do not reveal the nature of the information in the email.

When faxing patient information:

• Use a secure fax transmission method. The selected method should encrypt data during transmission and ensure that the fax is delivered directly to the recipient’s fax machine.
• Do not use traditional fax machines in shared or unsecured areas. The information can be intercepted.
• Use secure fax cover sheets. These sheets should include instructions for handling sensitive information.
• Clearly mark the document as confidential. And make sure you specify any security protocols or access restrictions.

For both email and fax, double-check the recipient information. It may seem redundant, but you don’t want to email/fax sensitive information to the wrong person! Finally, make sure you request confirmation of receipt from the recipient. This will ensure that the patient’s information was successfully delivered and received.

2. Follow Physical Security Measures.

Multiple times throughout the work day we often leave our computers. We need to use the restroom, speak with someone, or collect a file from the fax machine. Because these trips take only a few minutes we don’t bother shutting down our computer. Logging out only to log back in is a time-consuming pain.

Being away from the computer for a few minutes isn’t that big of a deal, right? We justify.

But it is a problem. Your computer houses sensitive patient information. By not logging out, anyone who walks by can access that information. The same applies to those who work at-home. It may seem tedious, but it’s a necessity. Whether you’re in the office or at-home, avoid these things:

• Walking away from your computer with a patient chart up.
• Leaving paperwork or records unattended.
• Allowing unauthorized individuals access to restricted areas.

Correcting these problems might be an inconvenience. But it’s better to play it safe than risk legal repercussions.

3. Overcome Weak Access Controls.

In 2020, Verizon revealed that 31% of healthcare breaches were due to human error with external breaches at 51%.[1] One way to avoid breaches is by overcoming weak access controls. Weak access controls are the vulnerabilities in the systems that manage user access to patient data. These vulnerabilities can lead to unauthorized individuals gaining access to sensitive patient information.

To prevent weak access controls, your eyecare practice should:

• Improve password policies. Make sure your employees change their passwords regularly. Encourage employees to use complex passwords to prevent attacks. 
• Revoke access. When an employee leaves your practice, you must revoke their access to all patient data. Failure to do so can result in employees retaining access to that data. This increases risks of data breaches or unauthorized disclosures.
• Create individual login credentials. Sharing user accounts or allowing multiple employees to use the same login credential can increase the risk of unauthorized access. And it makes it difficult to trace actions back to specific users.
• Implement MFA. Multi-factor authentication (MFA) requires users to verify themselves through multiple steps. This significantly reduces the risk of unauthorized access. Even when passwords are compromised or stolen.

Implementing these changes into your eyecare practice can enhance data security and protect patient privacy.

Are You Complying with State Laws?

HIPAA is the standard when it comes to evaluating sensitive patient health information. However, it’s not the only law you need to be aware of. State laws are just as important as HIPAA. And ignorance of these laws can lead to worse repercussions than failing to comply with HIPAA.

Under HIPAA, an individual who believes that their privacy has been violated can file a complaint with the government—Health and Human Services (HHS). They cannot sue an eyecare practice for negligence or violations. But state laws don’t have these restrictions.

As of 2020, multiple states have implemented laws addressing aspects of privacy and security beyond what is covered by HIPAA. States like California, Colorado, Utah, and Virginia have patient protection laws that are even more stringent than HIPAA. For example, the California Confidentiality of Medical Information Act allows patients to sue providers for violations—a harsher punishment than HIPAA’s civil penalties.

Check with your state law and its regulations. You may find that your state’s regulations are more stringent that HIPAA and its punishments more severe. While HIPAA compliance is mandatory for all eyecare practices, understanding your state laws and implementing necessary measures will protect your practice from legal penalties, reputational damage, civil lawsuits, and more.

[1] https://www.verizon.com/about/news/verizon-2020-data-breach-investigations-report