7 Common Mistakes to Avoid When Sending HIPAA-Compliant Emails


We all make mistakes. It’s a part of life, but sometimes the consequences can be significant. If you handle personal health information (PHI) regularly and do so improperly, the patients whose PHI is leaked can suffer real harm. Following the security and privacy regulations laid out by HIPAA (similar to PHIPA in Ontario, Canada) is the best way to avoid data leaks; even encrypted email can be vulnerable if proper precautions are not taken. Fraud and identity theft are the most common, and potentially most devastating, uses of leaked information. What mistakes are commonly made?

1. Not Using an End-to-End Encrypted Email Service

The most crucial requirement is that every transmission of data travels over an encrypted pathway. The simplest and most reliable way to meet it is to use an encrypted email service. End-to-end encryption keeps the content of an email or message unreadable from the moment it is sent until the intended recipient opens it, so anyone relaying or storing the message in between sees only ciphertext. This protects the information from attackers who try to steal PHI, often by intercepting and copying data in transit between covered entities. Send only encrypted emails, at all times, to prevent these leaks.

2. Sending Identifying Information

One of the worst and most consequential mistakes is to transmit personal identifying information such as full name, date of birth, and Social Security number. If a document you are sending contains this information, you must redact it, even when sending by encrypted email. Failing to do so is negligent and is often grounds for termination when transgressions are repeated or particularly serious. Take care to redact properly: improperly editing some files (for example, a visual block-out that leaves the underlying text in the file) can allow an unauthorized person to recover the blocked-out PHI.

Redacting a name can be as simple as blocking out all but the first letter of the first name and leaving the last name unredacted before sending by encrypted email. Dates of birth and Social Security numbers, being more useful to fraudsters, should be redacted in full. Deviating from these practices not only exposes a person to civil litigation by patients whose information has been stolen; criminal charges may also be filed. Generally, these would involve fines and paying damages, but in cases of gross negligence, incarceration is a possibility.
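The redaction rules above, as an added example that is not from the original post: a small Python redactor that applies them to a constructed sample message, plus a check that the original values are actually gone from the output, which is what separates real redaction from the improper visual block-out the text warns about. The SSN and date formats, the field names and the patient details are all assumptions made for the example.

```python
import re
from typing import List

# Constructed sample message for this example; not real patient data.
SAMPLE = (
    "Patient: Jane Smith\n"
    "DOB: 04/12/1978\n"
    "SSN: 123-45-6789\n"
    "Rx refill request pulled from the pharmacy management system.\n"
)

# Assumed formats: US SSN (NNN-NN-NNNN) and MM/DD/YYYY dates of birth.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")


def redact_name(first: str, last: str) -> str:
    """Page rule: keep only the first letter of the first name, leave the last name.
    A fixed-width mask is used so the output does not leak the first name's length."""
    if not first:
        return last
    return f"{first[0]}*** {last}"


def redact_text(text: str) -> str:
    """Page rule: dates of birth and SSNs are redacted in full."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return DOB_RE.sub("[DOB REDACTED]", text)


def redact_record(text: str, first: str, last: str) -> str:
    """Apply both rules to a whole message before it is sent."""
    text = text.replace(f"{first} {last}", redact_name(first, last))
    return redact_text(text)


def verify_redaction(redacted: str, originals: List[str]) -> List[str]:
    """Return every original value that still survives in the output.
    The bytes must be gone, not merely hidden; an empty list means the redaction held."""
    return [v for v in originals if v in redacted]


def hide_visually(text: str, value: str) -> str:
    """The mistake the page warns about, modelled in HTML: a black box drawn over the
    value. It looks redacted on screen, but the original text is still in the file."""
    return text.replace(value, f'<span style="background:#000;color:#000">{value}</span>')


if __name__ == "__main__":
    out = redact_record(SAMPLE, "Jane", "Smith")
    print(out)
    print("leaked:", verify_redaction(out, ["Jane", "04/12/1978", "123-45-6789"]))
    print("leaked:", verify_redaction(hide_visually(SAMPLE, "123-45-6789"), ["123-45-6789"]))
```

Run `verify_redaction` on the final bytes of whatever you are about to attach, not on what the viewer shows you.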

3. Sending Personal Health Information to an Entity Not Covered by HIPAA


A common mistake covered entities make when handling PHI is to send it to someone who may not adhere to HIPAA guidelines. This can happen for several reasons: a person may mistype the recipient’s email address or select the wrong saved contact. The consequences can be significant, and there is a chance that the unintended recipient will use the information for illegal purposes. If you deliberately send it to an entity that is not covered, because you misunderstand or misinterpret HIPAA regulations, the risk of misuse is higher still.

4. Sending Personal Health Information Using an Unsecured Internet Connection

Picture this: one day, you’re working from home. Everything is going fine until your internet goes down. No one is able to repair it until after a major deadline you have that requires some files to be pulled from the pharmacy management system. As a last resort, you head to Starbucks to connect to public WiFi and get the documents sent in time.

If this were you, you would have just violated one of the rules governing how medical information is handled. By using a public internet connection, you have exposed patients’ information to potential criminals: emails could be intercepted, or files on your computer could be read before they are encrypted, leading to a data leak. Always use a connection that is at least password-protected, and preferably one with more stringent security features. Other technical mistakes include failing to use a firewall when handling sensitive information.

5. Failure to Warn the Patient of the Risks of Communicating by Email


If a data breach occurs through no fault of the entity handling the PHI, but that entity failed to explain clearly and fully the risks of sending PHI by email, it can still be cited for a HIPAA violation. Failing to properly inform patients of the options available for sending PHI is an offense in its own right. Best practice is to have the patient sign a specific form at intake that lists the potential risks of each way their information may be handled, and to go over that form with them so they fully understand the risks and benefits of each method of communication.

6. Not Displaying a Disclaimer in the Email

A simple clerical error may seem inconsequential, but without a disclaimer at the bottom of each email, perhaps as part of the signature, a person can be cited for a HIPAA violation. Each email that contains PHI, or carries PHI as an attachment, must have a disclaimer describing the sensitive nature of the email and telling an unintended recipient what to do: delete the email immediately. Omitting it exposes an entity to civil litigation on the basis that PHI was handled improperly, and if the mishandling leads to criminal activity, the matter may rise to the level of criminal proceedings.

7. Failure to Document Communications Properly

Another simple, common mistake by covered entities is failing to document communications properly. All communication involving PHI must be documented, or it can be considered a HIPAA violation. It may seem a small infraction, but if a patient alleges that a covered entity mishandled their PHI, that documentation is the entity’s record of its adherence to HIPAA regulations. State regulators may audit these and other records from time to time, so get in the habit of documenting every time you send or receive PHI.

Conclusion

Adhering to HIPAA regulations when sending and receiving confidential patient information is serious business. It is always better to be safe than sorry, and following these seven tips will help ensure you are not in breach of HIPAA regulations. Keep patients and yourself safe by using an encrypted email service, using a secure Wi-Fi connection, and making sure you fully understand HIPAA guidelines.
