And what to do to prevent them
The protection and security of patient information is of the highest importance in behavioral health care. A breach in confidentiality can cause immeasurable harm to patients—not to mention result in a fine of up to $50,000 per incident to the provider.
The following are five common examples in which behavioral health providers may be inadvertently subjecting patient confidentiality to risk.
General gossip or chit chat is common in any place of business, but PHI should always be off limits. This principle applies to any scenario in which the wrong set of ears might pick up on sensitive information, including when patients are within earshot in the waiting room or traveling through the halls to a therapy space. If PHI must be discussed, it should be done in private and only with authorized personnel.
PHI should only be shared with authorized personnel, whether it be spoken or written. A common mistake for providers is to inadvertently share PHI with vendors or third-party organizations by way of unsecured electronic communication. It is important to remember that regardless of whether or not the third party is also HIPAA compliant, such disclosures may still be a breach.
Given the uniquely involved nature of behavioral health care and the prevalence of mobile technology in our everyday lives, many providers bring personal devices into the office and take work home with them at the end of the day. The need for provider availability after normal office hours won’t likely go away any time soon, so providers should be especially mindful of the risks.
The theft of personal devices (laptops, in particular) account for a significant number of reported HIPAA breaches. Providers should implement appropriate measures to mitigate this risk. These can include data encryption, password protecting files, and locking down unattended laptops.
Lapse in training or policy
If a patient arrives early to an appointment and walks down the hall to use the restroom, how likely is it that a private conversation will be overheard? Whether it be large or small, the practice must establish appropriate policies and procedures to protect patient privacy and data security. This includes documenting rules and guidelines, including an appropriate plan of action should a breach occur, and making employee training with regular refresher courses an ongoing priority.
Even the most disciplined providers can experience HIPAA breaches. How well the practice responds can reduce its financial and reputational damages.
Prompt action is necessary to mitigate any existing breaches and reduce the chances of any additional problems developing. Under HIPAA, practices are afforded up to 60 days to give proper notice, which might sound like a lot of time, but there is a lot to account for. Any unauthorized access to PHI must be terminated, any improperly disclosed PHI must be retrieved where possible, and any affected patients, the HHS, and even the media, in some cases, must be notified—the list goes on. In summary, practices must be as proactive as possible to avoid incurring additional fines and prevent further problems.
Maintaining the integrity of the practice is of the utmost importance, particularly in regards to HIPAA and the seemingly benign daily occurrences that can actually put it at risk. Being mindful of the common areas in which a practice can slip up can help providers to continue to achieve positive outcomes for their patients without distraction.