HIPAA and the Holidays

As the holiday season builds momentum we are faced with numerous distractions like holiday decorations, taking advantage of online sales and soaking in the traditions that we look forward to each year. But this season of joy and giving should also be met with a heightened sense of awareness and adherence to HIPAA policies and procedures. You’re likely thinking to yourself, “How can Christmas, Hanukkah, Kwanza or the New Year impact HIPAA?” Well, those holidays can’t, but your employees’ behavior sure can.

Electronic Protected Health Information (ePHI)

This busy season will cause some employees to take advantage of online shopping while at work. While that seems relatively harmless, and in most cases it is, this also invites the possibility of introducing viruses into your system from unprotected and/or unapproved sites. It is important to have a clear policy and procedure regarding internet access on your entity’s equipment and it is equally important to ensure that your entity is enforcing compliance. Likewise, the threats of ransomware are ever increasing. A distracted employee is more likely to click a suspicious link or open a questionable email that could introduce ransomware into your computer system or electronic medical records. This is a great time to remind staff of their responsibilities to protect ePHI.

Physical Security

Unfortunately, the season of “giving” for some means a season of “taking” for others. Generally, criminal activity like property theft and break-ins rise during the shopping season. This makes it extremely important for your entity to adhere to mandatory HIPAA Physical Safeguards. The HIPAA Security Rule requires entities to have a documented Facility Security Plan, which memorializes the use of physical access controls. Specifically, entities are required to “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”[1] The entity’s designated HIPAA Security Officer should be reminding employees of the policy of not providing keys or swipe access to individuals who are not employees or staff members of the entity. Additionally, HIPAA Security Officers should review and document the use of cameras, alarm systems, keys and swipe cards to assess whether any changes need to be made to address any areas of vulnerability.

This is also particularly important for employees and staff who travel with PHI or ePHI. Whether it is paper records or a laptop, employees and staff should ensure they are not leaving these items in their vehicles in plain view. We advise our clients to have a policy that requires employees to leave any PHI or ePHI in the trunk of their vehicle where it is not visible or inviting for a would-be-thief. This can significantly reduce the entity’s risk of HIPAA breaches, as well as property loss.

Workstation Security

Many health care providers will experience an increase in patient activity as people clamber to make their end of the year appointments to take advantage of any cost savings before the new year begins. Combine that with flu-season and the prevalence of winter illnesses and all of a sudden the waiting room just became standing room only. The euphoric nature of the season, coupled with a dramatic increase in patient activity can be a recipe for HIPAA violations. While employees struggle to keep up with the demand, they are more likely to be careless about workstation security. They become less likely to lock their computers when they walk away from their station and more likely to share usernames and passwords in order to accomplish certain tasks more quickly. While these activities seem relatively harmless, these are violations that can cost the entity greatly if it leads to breaches of PHI or ePHI.

Visitors and Guests

The holidays aren’t nearly as fun without office holiday parties. These parties generally include catered meals, outside delivery services and even invited guests. Entities should ensure that they have a documented visitor/guest policy and procedure and that their employees follow that procedure. This includes a visitor/guest sign-in. Depending on the layout of the facility, these visitor/guests should be escorted to their destination so that they don’t have an opportunity to view documents or lab reports that may be left unattended in the facility.

Delivery personnel and vendors are not the only individuals subject to that policy. Family members and friends who present to the facility to visit with staff members and employees must also adhere to the entities visitation policies. Just because the person may be a relative or close friend does not earn them the right to overhear conversations about patient PHI or the right to view PHI that may be on someone’s desk or workstation.

Tone of Voice

One of the biggest complaints that our office receives regarding patient privacy is the tone of voice used by employees and staff as they discuss their health conditions. During the holiday season, many entities play festive music in their waiting areas which automatically cause employees and staff to raise their voices as they converse with patients or other providers. Entities should pay particular attention to the location of their waiting rooms and the position of their reception desk. Employees and staff should be advised of this concern and reminded of the importance of using a professional tone that would not give rise to unauthorized or inappropriate disclosures of PHI.

This is without argument “the most wonderful time of the year.” It’s a time to enjoy family, get reacquainted with friends, and provide for the health and well-being of patients. As the activity of the season builds, it is important to make every effort to ensure that your entity is in compliance with HIPAA regulations. Adhering to appropriate policies and procedures will not only ensure that you provide appropriate patient care, it will also reduce the likelihood of liability for violations which is a great way to start the New Year.

[1] § 164.310(a)(2)(ii)

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com  Read other articles from Dunson Group here.