Top 8 Ways You're Violating HIPAA... and You Don't Even Know It

Jan 03, 2019 at 10:41 pm by Staff


By MARA SHORR AND JAY A. SHORR

Today's age of technology has brought about an incredible increase in communication and efficiency, making it easier than ever for practices to communicate with their current and prospective patients instantaneously.

However, we're finding that more and more medical practices are violating the HIPAA rights of their patients without even knowing it. In the spirit of keeping as many doctors out of trouble as possible, here's a list of the top tips to keep your medical practice HIPAA compliant.

  • Review the verbiage on all of your photo consents prior to sharing ANY of your patients' Before and After photos.For instance, make sure that patients are consenting to allow the practice to use the photos and patient testimonials for your patients' records, to show to other patients, on the practice's website, print and on-air marketing AND digital marketing campaigns, including, but not limited to, social media. Include the option of the patient's identifying features being blurred out, if this is an option. No patient photos should be published on ANY marketing channels without the patients' express written consent! Don't assume your staff has completed this process. Remember, YOU are ultimately the responsible party.
  • Confirm with the patient who is able to share these photos.For instance, are the patients' photos able to be shared on the practice's social media platforms only, or are your mid-level providers are able to share on their own Instagram account as well? Be sure to outline these policies, in writing, not only with your patients, but with your staff as well. This is two-fold process... your photo consents must outline where the photos can be shown, and by whom.
  • When responding to a patient complaint on any review site, such as Yelp or RealSelf, keep your response generic. If a patient were to outline, in detail, how horrible your staff treated them, refrain from describing your side of the account in detail. Instead, educate your staff with a generic response that does not share any patient-specific information. For example: Thank you for letting us know of your prior experience. We value every experience inside our practice, and would like to discuss this with you personally. Please call our office at 555-5555 and ask for Sue."
  • Correspond via Email or text message with a patient only when you are certain you are using a HIPAA compliant platform. Many email platforms, such as Office365, allow their account holders the option of securing their emails on a HIPAA-compliant platform... but only after you opt-in to this selection. (It's not automatically done!). However, doing this is typically as simple as checking a box on the user's end, and helps make sure your email stays secure. Although more and more practices are allowing their staff to correspond with their patients through text messages, beware that this is not-HIPAA compliant. Third party platforms can certainly be explored in order to remedy this.
  • Store patient photos and notes only on a secured platform or through a HIPAA compliant app or software, not on your smartphone's "Photos" or "Notes" section.Consider this: what happens if you leave your phone unattended? (We can't tell you how many phones we've found in the bathroom!). Even a password-protected phone can be easily broken into, and in a moment, all of your patients' information is in the hands of a stranger.
  • Screen protect your reception desk's computer monitor.A simple screen cover can keep private patient information away from curious eyes at checkout. When a passerby glances at the computer screen from anywhere but the perfect angle, all they'll see is a black screen.

  • Don't allow paper charts to be seen hanging on the entrance to the exam room. If you are so inclined to place the patient chart in a box or clear leucite cover on the wall, ensure that the patients name cannot be seen.
  • Finally, make sure you have a Business Associate's Agreement signed by every vendor who either deals with your patient information online OR in your office.Yes, it may seem like overkill, but all it takes is one person see a copy of your patient's paper chart or electronic medical record open at the reception desk, to turn a "whoops" into a lawsuit.

In today's world, it's easier than ever before to accidentally violate your patients' privacy. Simple precautions will make all the difference.

Mara Shorr, BS, CAC II-XIII serves as a partner, as well as the Vice President of Marketing and Business Development for Shorr Solutions, assisting medical practices with the operational, financial and administrative health of their business. She is a Level II - XIII Certified Aesthetic Consultant and program advisor, utilizing knowledge and experience to help clients achieve their potential. A national speaker and writer, she can be contacted at marashorr@shorrsolutions.com.

Jay A. Shorr BA, MBM-C, CAC I-XIII is the founder and managing partner of Shorr Solutions. He is also a professional motivational speaker, an advisor to the Certified Aesthetic Consultant program and a certified medical business manager from Florida Atlantic University. He can be reached at jayshorr@shorrsolutions.com. More information on Shorr Solutions can be found at www.ShorrSolutions.com.