My Employee Violated HIPAA. Am I Responsible?

Dr. Linda G. Drake

When healthcare privacy breaches occur, it’s not always malicious. In fact, it’s often because of carelessness or a lack of understanding of HIPAA rules. To prevent HIPAA violations, healthcare organizations should ensure employees receive full training — sometimes in addition to getting recertified annually — and that they understand the allowable uses and disclosures of private health information (PHI).

Without proper training, it’s easy for employees to find themselves in an inappropriate conversation or compliance gray area because they don’t know better. Here are a few things to look out for to steer clear of potential penalties.

Three Ways Your Staff May Be Violating HIPAA:

1. Gossiping and Inadvertently Sharing Patient Information

Eye care practice employees with access to a patient’s PHI need to be careful about the information they share with others.

In situations where medical practice employees need to discuss a specific patient’s diagnosis and treatment plans, medications, etc., it’s critical that those conversations occur only in private. Carelessly discussing patient information can damage a patient’s privacy and result in financial consequences for your practice.


2. Leaving PHI Visible on a Computer Screen

If you’re using a computer to store or access patient records, make sure to lock it or log off before walking away. Leaving your computer unattended for anyone to access PHI (on purpose or not) is a serious violation. This is true for in-person meetings and video conferences.

You can also position computer screens so people passing by can’t read private information, or set up sleep timers so that the screen turns off when not in use for a few minutes and requires a password to turn back on.

3. Not Using Encrypted Communications When Sending Sensitive Information

If you’re transmitting sensitive personal data over the internet, it’s highly recommended you use an encrypted communication channel.

Encrypting data is an added protection if a device containing PHI is lost or stolen. It ensures that the data can only be read by the person who is authorized to have access to it. If you choose not to encrypt data, the HIPAA Security Rule states you must implement an equivalent solution to meet the regulatory requirement.


How Can You Ensure Compliance From Your Staff?

Every time you or a member of your staff inputs a patient’s information into your system, it represents a powerful promise to keep it secure. HIPAA violations occur intentionally or unintentionally. Either way, they’re unlawful and can result in significant penalties. As a doctor or practice administrator, who is responsible?

By the letter of the law, “the practice” is primarily responsible for all breaches of HIPAA. This means that even if something happens once without your knowledge — you don’t even have to be in the office when it happens — if you represent the practice, you bear some responsibility and may be held accountable financially.

Essentially, everyone in the organization who interacts with PHI in any way must take responsibility for HIPAA compliance and help to prevent HIPAA violations. Even relatively minor violations of HIPAA rules can have severe consequences.

Thorough training and retraining are the only way to be safe — sometimes, certification isn’t enough. PCS can help you make sure your staff is aware of what not to do and make our extensive library of resources available at all times.

PCS Can Help You Protect Your Passwords

Remember: a single misstep with your passwords can lead to major consequences. For more on this or any other cybersecurity concerns, please reach out to PCS — we can provide security and peace of mind.