Everyone in the digital health space wants to be HIPAA compliant and avoid HIPAA violations. Health software developers spend substantial time and energy making sure their vendors are compliant, and ensuring their own systems are compliant as well. But once compliant software or systems are installed in clinical settings, a new challenge arises: operating software and systems in ways that don't create HIPAA violations.
It’s a fact. Even systems that meet every compliance requirement can be used in ways that create HIPAA violations. We’re going to take a look at three of the most common mistakes people make while using technology that can lead to violations – and how to avoid them.
Unfortunately, this is one of the most common ways to cause a violation. The HIPAA regulations [§164.312(a)(1)] require "Unique User Identification" for all systems that contain or use PHI (Protected Health Information) regulated by HIPAA. In busy clinical settings, it's tempting to share passwords with other employees to save time while providing rapid patient care. However, HIPAA strictly forbids this, because shared credentials make tracking down problems and errors nearly impossible: an audit trail that shows only a shared account cannot tell you which person actually accessed a record. HIPAA's enforcers are more than happy to penalize medical entities that share logins, as well as vendors whose systems don't enforce unique user IDs. Think of it this way: you wouldn't make copies of your house key for every neighbor on your block. Likewise, don't share login credentials with your co-workers either.
With so much going on in a typical clinical setting, sending data or records to the wrong party can happen in a heartbeat. Entering a fax number incorrectly or mistyping an email address can quickly create data breaches that expose sensitive patient data, damage reputations, and lead to expensive HIPAA violations. Best practices to avoid creating such violations are:
Let's say you're traveling. Your laptop is configured correctly, you're using a secure VPN for your connection, your email provider is HIPAA compliant, and the data you're sending and receiving is fully encrypted. Every required HIPAA compliance element is in place. So what could go wrong? Plenty! If you're in your airplane seat or at the airport, catching up on patient-related work, and you inadvertently allow a person near or next to you to see PHI on your laptop screen, you've just created a potential HIPAA violation. If the bystander reports the incident or files a complaint, you may have created an actual HIPAA violation – complete with an OCR investigation and monetary penalties. This is an easy-to-avoid mistake that's all too common. Be careful and watch out for shoulder surfers! The same concept applies to computer screens in your office. If a visitor to your office can easily see PHI on workstations while walking around, that's a potential HIPAA violation. And the more sensitive the data, the more serious the violation. The solution? Turn office monitors or desks so visitors can't easily see what's on your screens, or use add-on privacy screen filters that allow viewing only from a narrow angle, directly in front of the screen.
To avoid HIPAA violations, it's not enough to have HIPAA compliant systems, software and vendors. Digital health technologies must also be operated in a compliant manner. Thorough employee training certainly helps, but common sense and a watchful eye are the best safeguards against these sorts of problems. Make sure you implement the appropriate safety measures to protect those who entrust you with their PHI.
This post was written in collaboration with MedStack. Based in Toronto, Canada, MedStack, Inc. focuses on empowering broader innovation in health care by removing barriers to digital product development. MedStack's platform provides built-in operations to streamline technical security, privacy legislation and data integration in health care. MedStack powers over 30 healthcare companies across North America with its one-of-a-kind cloud offering.