Five Inadvertent HIPAA Violations by Physicians

January 7, 2014

Doctors do not plan ahead to violate HIPAA, but in this digital age, they may be doing it because they did not plan ahead. The recent final rule of the HITECH Act outlines that even if the physician is unaware of the violation, they may be fined a civil penalty of $100 - $50,000 per violation. It is time for even the most resistant doctors to pay attention to how they handle protected health information (PHI). Here, we will outline five common ways physicians are breaking HIPAA/HITECH privacy and security rules, and may not even know it.

1) Texting PHI to members of your care team

It’s a simple scenario: you’ve just left the office, and your nurse texts you that Mr. Smith is having a reaction to the medication you’ve just prescribed. She has included his name and phone number in the text. You may know that texting PHI is not legal, but feel justified because it is a serious medical issue. Perhaps you even believe that deleting the text right away will protect you – and Mr. Smith.

In reality, this text message with PHI has just passed from your nurse’s phone, through her phone carrier, to your phone carrier, and then to you – four vulnerable points where this unencrypted message could either be intercepted or breached. In a secure messaging app, this type of message must be encrypted as it passes through all four points of contact. Ideally, both sender and recipient should be verified and have signed a business associate agreement (BAA).

2) Taking a photo of a patient on your mobile phone

To some this will sound silly; to others, it is as common as verifying a rash with a colleague or following the margins of a cellulitis day by day. Simple enough, but if these photos are viewed by eyes they are not intended for, you may be in violation of your patient’s privacy.

It’s important to be aware of where and how patient information and images are stored. Apps that allow you to take a secure photo are just as important as sending the message securely. DocbookMD allows photos to be taken within the secure messaging app itself – never stored on your phone or within your phone’s photo album. Always use this type of feature when taking any photo of a patient or patient information.

3) Receiving text messages from your answering service

Many physicians believe that if they receive a text message from a third party, like an answering service, they are not responsible for any violation of HIPAA – this is simply not true. Many services do send a patient’s name, phone number and chief complaint via SMS text. The answering service may verify it is encrypted on their end, but if PHI pops onto the physician’s screen, it is certainly not secure on the physician’s end – and this is where the physician’s responsibility lies. Talk with your answering service today to see how they are protecting you at both ends of the communication.

4) Allowing your child to borrow your phone that contains PHI

Many folks allow their kids to play with their phones – maybe play games on apps while in the car. If your phone has an app that can access PHI, then you may be guilty of a HIPAA breach if the information is viewed by or sent to someone it is not intended for. The simple fix is to utilize the pin-lock feature on your messaging app – and for double protection, always password-protect your phone!

5) Not reporting a lost or stolen device that contains PHI

Losing your smartphone or tablet is a pain for many reasons, but did you know that if you have patient information on that device, you could be held responsible for a HIPAA breach if you do not report the loss right away? The ability to remotely disable an app that contains or handles PHI is an absolute must for technology that handles communications in the medical space. Be sure to ask for this feature from any company claiming to help you be HIPAA-compliant in the mobile world.

Remember: Being HIPAA-compliant is an active process. A device can claim to be HIPAA secure, but it is a person who must ensure compliance.