Posted By Monique Dever On February 7, 2017

8 Common HIPAA Breaches to Avoid and What to Look for in Your EHR


All across the country, Public Health Departments and Community Health Centers, including FQHCs, experience many forms of HIPAA breaches and violations. Often these breaches are unintended, but not always. Understanding where employees fall short can help your staff prevent many common breaches. Some of the most common breaches to be aware of are:


  1. Improper storage and handling of paper records

Paper medical records are notoriously vulnerable to HIPAA violations. Never leave files open and unattended. When not in use, always secure all paper documents in a locked filing cabinet or storage office. Keep your document storage separate from other office supplies and restrict access to authorized people only. Staff should pay close attention when filing patient records, because incorrectly filing a patient's record can itself lead to a HIPAA violation. Adopting Electronic Health Record (EHR) software can provide tremendous security: the EHR can ensure that only authorized people access a patient's medical records. Make sure the EHR is federally certified and that it has built-in security features and functionality.


  2. Improper disposal of Protected Health Information (PHI)

Improper disposal of PHI is easy to avoid, yet it is also surprisingly common. PHI should never be discarded in the regular trash can; it should be shredded or burned. Also, many modern photocopiers have a hard drive that saves recent files. If somebody who isn't supposed to have that information accesses the photocopier's memory, it's a HIPAA violation. Placing signs at trash cans, recycling bins and shredding stations can be a great reminder for employees to dispose of PHI correctly. Be sure to wipe all data from electronic devices, including copiers, and cross-shred all paper documents containing PHI. You should get an EHR which does not store any information on your local servers or devices (such as computers or laptops). Cloud-based EHRs which are federally certified include 128-bit or higher encryption capabilities to better protect all your PHI.


  3. Unauthorized Access of Patient Records

Employee snooping is a HIPAA violation! Unauthorized access of a patient record is one of the most frequent HIPAA breaches. Peeking into the medical records of friends, former spouses, fellow workers and even celebrities may not make the news, but the incident is still classified as a HIPAA violation and could potentially trigger an investigation by the Office for Civil Rights. In a paper-based environment, it is very difficult to tell whether someone who had no business doing so has looked at a patient's chart. Implement a certified EHR that offers Role-Based Access Control (RBAC), so that users only get access to the information they need rather than everything. Good audit trails let you track down who accessed what part of the EHR. Some EHRs go as far as tracking every mouse click and data entry for extensive audit capability.
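The two controls this item describes, role-based permissions and an audit trail that can be reviewed for snooping, can be illustrated with a small review script. The script below is an added example, not code from the original post or from any EHR vendor; the audit-log format, the role table and the care-team assignments are all constructed for illustration. It replays each audit entry against the role's permissions and then, for clinical actions, checks that the user has a treatment relationship with the patient.

```python
"""Review constructed EHR audit-log lines for RBAC violations and record snooping."""
import csv
import io

# Constructed sample audit trail (not from any real EHR): who did what to which chart.
SAMPLE_AUDIT_LOG = """\
ts,user,role,patient,action
2017-02-01T09:00:00,nurse01,nurse,P100,view
2017-02-01T09:05:00,nurse01,nurse,P100,update
2017-02-01T09:10:00,clerk02,front_office,P100,view_demographics
2017-02-01T09:12:00,clerk02,front_office,P100,view_clinical_notes
2017-02-01T11:00:00,nurse01,nurse,P555,view
2017-02-01T11:01:00,nurse01,nurse,P556,view
"""

# Constructed care-team assignments: users with a treatment relationship to each patient.
CARE_TEAM = {"P100": {"nurse01", "md03"}, "P555": {"md03"}, "P556": {"md03"}}

# Role-based access control: what each role may do. Front-office staff see demographics only.
ROLE_PERMISSIONS = {
    "nurse": {"view", "update", "view_demographics", "view_clinical_notes"},
    "front_office": {"view_demographics"},
}

# Actions that expose clinical content and therefore require a treatment relationship.
CLINICAL_ACTIONS = {"view", "update", "view_clinical_notes"}


def parse_audit_log(text):
    """Parse the CSV audit trail into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_violations(entries, care_team=CARE_TEAM, perms=ROLE_PERMISSIONS):
    """Return (user, patient, action, reason) for every entry that should be reviewed.

    'rbac_denied' means the role never permits that action (a gap the EHR should have
    blocked at access time); 'no_treatment_relationship' means the action was permitted
    by role but the user is not on the patient's care team, the classic snooping pattern.
    """
    findings = []
    for e in entries:
        if e["action"] not in perms.get(e["role"], set()):
            findings.append((e["user"], e["patient"], e["action"], "rbac_denied"))
        elif e["action"] in CLINICAL_ACTIONS and e["user"] not in care_team.get(e["patient"], set()):
            findings.append((e["user"], e["patient"], e["action"], "no_treatment_relationship"))
    return findings


if __name__ == "__main__":
    for finding in find_violations(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

On the constructed log this flags the clerk reading clinical notes and the nurse opening two charts of patients she is not assigned to, while the clerk's demographics lookup passes; a real review would also exclude legitimate break-the-glass or on-call access before anyone is questioned.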


  4. Releasing Unauthorized PHI

Before releasing any patient information to outside parties, it is imperative that the patient's authorization form is completed in its entirety. An incomplete authorization form is one of the most common breaches. The form should include the patient's legal name, the specific information that is permitted for disclosure, and the date through which the authorization is valid. When in doubt, get a release! Front office and patient registration staff get busy, and HIPAA authorization forms may be missed or misplaced. An EHR which captures and stores patient consents electronically can save time and effort while achieving compliance. Look for an EHR with electronic signature capture to help in this area.


  5. Carelessness in Faxing or Mailing PHI

Caution should be used when faxing or mailing any information that contains PHI. Make sure you have a completed HIPAA form for the patient whose information you are sending. A confidential fax cover sheet should always be used when faxing necessary patient information. Double-check the fax number or address to which you are sending the information. Verify that you have the correct medical record number and the correct recipient names on the email. Wait for the entire fax to go through correctly, then cross-shred the information that was faxed. Either get your IT department to set up electronic fax or see if your EHR vendor can provide one.


  6. Social Media Posts – Going Viral

There is a growing number of HIPAA violations from employees making poor choices on social networks. Keep all work comments off social networks. Often, Health Departments and employees don't realize their activities on social networks are violating HIPAA. By developing a good social media policy and conducting employee training, many of these types of breaches can be prevented.


  7. Lost or Stolen Portable Devices

It only takes a few seconds for portable devices like laptops, tablets, cell phones and USB drives that contain PHI to be lost or stolen. In a perfect world, every device that holds PHI would be encrypted and stored in a secure location. Portable devices should only be accessed or moved for important, temporary needs and then returned to their secure location. Better still, get a cloud-based EHR which does not store any data on internal devices. Once you do get an EHR, revise all your policies to make sure they are aligned with the new technology.


  8. Getting Hacked

It is critical to encrypt all of your electronic PHI, use firewalls, use password-restricted access, and apply other security measures. Using a federally certified EHR with secure, cloud-based storage offers the highest level of security and privacy for PHI data. Take advantage of federal standards and only use a federally certified EHR; it is the ultimate in peace of mind for securing electronic PHI. Keep in mind that it's your patients' safety and privacy at stake. HIPAA violations, whether unintentional or not, can also have detrimental effects on your organization's reputation and bottom line for years to come. Don't put your health department at risk. Is now the time to go paperless with an EHR system? If so, make sure it is certified for Meaningful Use to ensure the level of security you want, as well as to maximize the other numerous benefits of an EHR.


For more, watch our recorded “Common HIPAA Breaches” webinar.

About Monique Dever

Monique integrates research and networking with her passion for health and well-being to provide important, up-to-date news, resources and current events to the public health communities. She is the Marketing Executive for Patagonia Health, an Electronic Health Records (EHR) software company focused on the public health sector.