HIPAA GUIDELINES

Common HIPAA Violations

• • Failure to adhere to the authorization expiration date - Patients can set a date when their authorization expires. A violation would be releasing confidential records after that date.

  • Failure to promptly release information to patients - According to HIPAA, a patient has the right to receive electronic copies of medical records on demand.

  • Improper disposal of patient records - Shredding is necessary before disposing of patient’s record.

  • Insider snooping - This refers to family members or co-workers looking into a person’s medical records without authorization. This can be avoided with password protection, tracking systems and clearance levels.

  • Missing patient signature - Any HIPAA forms without the patient’s signature is invalid, so releasing information would be a violation.

  • Releasing information to an undesignated party - Only the exact person listed on the authorization form may receive patient information.

  • Releasing unauthorized health information - This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.

  • Releasing wrong patient's information - Through a careless mistake, someone releases information to the wrong patient. This sometimes happens when two patients have the same or similar name.

  • Right to revoke clause - Any forms a patient signs need to have a Right to Revoke clause or the form is invalid. Therefore, any information released to a third party would be in violation of HIPAA regulations.

  • Unprotected Storage of Private Health Information - A good example of this is a laptop that is stolen. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, thumbnail drive, or any other mobile device.

  • Unencrypted Email of Private Health Information - An example is sending email sent without authorized unencrypted email permission signed and store in patient emr chart. See HIPAA Forms.

Scenarios that Violate HIPAA

• • Telling friends or relatives about patients in the hospital

  • Discussing private health information in public areas of the hospital, including the lobby of a hospital, an elevator or the cafeteria

  • Discussing private health information over the phone in a public area

• Not logging off your computer or a computer system that contains private health information

  • HIPAA regulations for "need to know" include: The security guard in a healthcare institution needs to know the name and room number of patients to guide visitors. This is allowed; but, any other information, such as diagnosis or treatment, is not to be disclosed.

  • HIPAA regulations for "need to know" include: A nurse needs access to private health information for the patients in his/her unit but not for any patients that are not in that unit.

  • HIPAA regulations for "minimum necessary" include: A health insurance company will need information about the number of visits the customer had; but, isn’t allowed to view the entire patient history.

  • Allowing members of the media to interview a patient in a substance abuse facility

• Including private health information in an email sent over the Internet -

  • Releasing information about minors without the consent of a parent or guardian

When is a violation of HIPAA criminal.

• If convicted, the level of punishment depends on the seriousness of the offense: