What should entities do to avoid PHI disclosure HIPAA violations?

Covered entities need to take patient privacy very seriously: as the preceding examples have shown, HIPAA violations may lead to termination, possible license forfeiture, fines and, in the most extreme cases, jail time. Covered entities need proper administrative, technical and physical controls to protect patient privacy and the security of patient data.

All covered entities need to analyze their own needs and circumstances: the potential risks to patients’ privacy, the potential effects on patient care, and the financial and administrative burden of implementing safeguards. Not every covered entity will therefore have the same safeguards, and not every safeguard is necessary for every entity. They must also implement minimum necessary policies and procedures that limit how much protected health information is used, disclosed and requested for a given purpose. The minimum necessary standard requires reasonably limiting who within the entity has access to PHI, and under what conditions, based on job responsibilities and the nature of the business; it does not, however, apply to oral disclosures, for example between physicians.

Safeguards a covered entity may use include flagging potential personal conflicts between employees and patients, and an audit logging system in the IT back-end that records every access to files containing PHI, so that any improper viewing of medical records is detected. Employees should be told that this logging exists, so they are not tempted to look up patients’ medical information out of curiosity, for example that of celebrities.
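The paragraph above describes two controls, conflict flagging and access logging, but not what a review of that log looks for. The following is an added example, not code from the original article: a small Python review routine run over constructed audit log lines. It applies three checks that follow from the text: access by staff with no documented care relationship to the patient, actions that exceed what a role needs (the minimum necessary standard), and any access to a record flagged for a personal conflict or high-profile status. The log format, the care-team table, the role-to-action table and the flagged-record list are all hypothetical, constructed for the example.

```python
"""Review constructed PHI access-audit log lines for improper access.

Added example; the log format and lookup tables are hypothetical and
stand in for whatever the covered entity's EHR and HR systems provide.
"""
from collections import namedtuple
import csv
import io

# Constructed sample audit log: one CSV row per access to a PHI record.
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2024-03-01T08:02:11,nurse_a,nurse,P100,view
2024-03-01T08:05:40,dr_b,physician,P100,view
2024-03-01T09:15:02,billing_c,billing,P100,view_clinical_notes
2024-03-01T10:22:53,nurse_a,nurse,P200,view
2024-03-01T12:41:17,clerk_d,clerk,P300,view
"""

# Constructed care-team assignments: staff with a treatment, payment or
# operations reason to open each patient's record.
CARE_TEAM = {
    "P100": {"nurse_a", "dr_b", "billing_c"},
    "P200": {"dr_b"},
    "P300": {"nurse_a"},
}

# Constructed flags: records with a noted employee/patient conflict or
# high-profile status; every access to these is reviewed.
FLAGGED_PATIENTS = {"P300"}

# Minimum necessary, expressed as the actions each role may perform
# (constructed). Billing staff need charges and demographics, not notes.
ROLE_PERMITTED_ACTIONS = {
    "physician": {"view", "view_clinical_notes", "update"},
    "nurse": {"view", "view_clinical_notes", "update"},
    "billing": {"view"},
    "clerk": {"view"},
}

Alert = namedtuple("Alert", "timestamp user patient_id reason")


def review_access_log(log_text, care_team, flagged, permitted_actions):
    """Return one Alert per rule violated by each log row, in log order."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts, user, role = row["timestamp"], row["user"], row["role"]
        pid, action = row["patient_id"], row["action"]

        # Rule 1: the user is not on the record's documented care team.
        if user not in care_team.get(pid, set()):
            alerts.append(Alert(ts, user, pid, "no documented care relationship"))

        # Rule 2: the action exceeds what the user's role needs.
        if action not in permitted_actions.get(role, set()):
            alerts.append(Alert(
                ts, user, pid,
                f"action '{action}' exceeds role '{role}' (minimum necessary)"))

        # Rule 3: the record itself is flagged for review on every access.
        if pid in flagged:
            alerts.append(Alert(ts, user, pid, "access to flagged record"))
    return alerts


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG, CARE_TEAM,
                                   FLAGGED_PATIENTS, ROLE_PERMITTED_ACTIONS):
        print(f"{alert.timestamp} {alert.user} -> {alert.patient_id}: {alert.reason}")
```

Run against the constructed log, the routine raises four alerts: the billing user opening clinical notes, the nurse opening a record she is not assigned to, and two for the clerk's access to the flagged record (no care relationship, and the flag itself). The value of the control lies as much in staff knowing that this review happens as in the alerts it produces.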

Furthermore, all staff must undergo HIPAA compliance training, and regular refresher training covering the different situations that may arise is recommended. Staff should speak quietly when discussing a patient’s condition with family in public areas (such as a waiting room), avoid disclosing any PHI in public areas generally, and log out of any device they are using to access PHI before leaving the room or area. Rooms and file cabinets holding PHI should be locked and monitored. All computers, laptops and flash drives containing PHI should be encrypted, especially those that medical professionals carry with them.