Malicious third parties can intercept Protected Health Information (PHI) in several ways. This article pinpoints three of the top HIPAA mistakes that covered entities make and how to avoid them.

Lost Devices

Any device used at a clinic for practice purposes may contain protected health information. You may not think about it, but PHI can be in your emails, messages, or even in the contact list of a device.

Mobile phones, tablets, and laptops are exposed to theft because of their size and mobility. If covered entities aren’t applying the correct encryption and security procedures to their devices, people’s PHI is at risk.

Here are a few safeguards that can be applied to protect your personal and work devices:

These are just a few security measures that can be applied to ensure the utmost security. Read what HealthIT.gov recommends for protecting health information on mobile devices.

Hacking

Hacking incidents related to healthcare are happening every day. People are finding new ways to uncover PHI, forcing covered entities to stay alert and address any vulnerabilities promptly.

The majority of attacks happen through unpatched software. Hackers are able to access health information because entities fail to update their software in a timely manner.

Here are a few tips that can be applied to help secure your device:

HealthIT.gov offers a Security Risk Assessment Tool that will conduct a risk assessment of your software.

Incorrect Disposal

Under HIPAA, you are required to protect the privacy of PHI in any form. Health information can come in paper form, on labeled prescription bottles, electronically, and in many other ways.

Several major organizations have been found guilty of improperly handling patient information and have faced major penalties. The HIPAA Privacy Rule requires that entities take serious measures when disposing of PHI, and a set of rules for doing so has been established.

Here are the rules for disposing of patient health information:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • Further, covered entities, business associates, and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).

If you have any questions, visit this link from hhs.gov about disposing of PHI.

Conclusion

Failure to follow the HIPAA mandates can lead to severe punishment by law enforcement. Be careful and take extra precautions to ensure that you’re taking the correct steps in safeguarding the Protected Health Information of your patients.

3 Most Common HIPAA Mistakes to Avoid