Uncovering hidden holes in your HIPAA compliance

Most healthcare facilities have ironclad HIPAA policies. They implement the administrative, physical and technical safeguards that the HIPAA Security Rule requires to protect the confidentiality, integrity and availability of electronic protected health information (ePHI).

And yet, with the rise of electronic health records and the increased usage of mobile devices, there has never been a more important time to take a closer look at enhancing a HIPAA compliance program.

Even with the best HIPAA training and most thought-out planning, there may be holes healthcare facilities don't even realize exist. Below are four potential risks healthcare professionals should consider when reviewing their policies.

1. Web contact forms or appointment forms
In the world of healthcare, there is often confusion about which web contact forms need to be HIPAA compliant, and because of that uncertainty many contact and appointment forms are not. If you are a HIPAA covered entity (regardless of the facility's size), all of your web forms should be HIPAA compliant: served and submitted over an encrypted (HTTPS) connection, with submissions stored encrypted and accessible only to staff who need them, and with any third-party form vendor that receives the submissions bound by a business associate agreement (BAA).

Here's why:

When collecting contact or appointment request information on an online form, there are often free-text areas where patients can include additional pertinent information. Patients will reasonably assume the form is private and may share ePHI without realizing it. Because you cannot control what goes into a free-text field, the form will receive ePHI whether or not it was designed to, so every step the submission passes through (the form vendor, any email notification it triggers, and wherever the data is stored) has to be handled as ePHI.

For example, if your online appointment request form includes a text field for a brief explanation of the reason for the appointment, a patient may state, "I urgently need to make an appointment because I had a bad reaction to the pain medication I'm using."

2. Patient review forms
Healthcare facilities and professionals often give patients the opportunity to review their care through patient satisfaction surveys or review forms. If those forms contain open, free-form text space, rather than requiring specific answers, patients may inadvertently share ePHI while offering thoughts on their experience.

As with appointment and contact forms, review forms need special care because a patient who is reviewing a physician or facility could reveal protected information. For instance, someone giving a review of a physical therapist may offer up how kind the therapist was after learning about the patient's cancer diagnosis.

3. Social media and advertising
Using social media is still new in healthcare, so many organizations have yet to adopt or integrate a social strategy into their healthcare marketing and advertising efforts, largely because they fear how it could affect patient privacy and HIPAA compliance. Social media and advertising are public by design, so those fears are well founded.

Any advertising or social media post that contains patient information, without a HIPAA authorization signed by that patient for that specific use, could be a violation. For example, if a plastic surgeon posts before-and-after photos of a patient's procedure or a dermatologist posts a photo of a patient's skin condition, the patient's identity could be revealed. Cropping or blurring a photo is not the same as de-identifying it: even if a post or advertisement shows only half of the patient's face, that person might be recognizable to family or close friends, violating his or her privacy.

4. Email or text confirmations
Confirmations of doctor's appointments or prescriptions by phone, text or email should contain only the minimum information necessary. The HIPAA Privacy Rule does allow a physician to communicate with patients, including to confirm appointments, but the physician should still take precautions to protect patients' privacy: ordinary text messages and email are not reliably encrypted in transit and may be read on a shared phone or inbox, so the message should not name the reason for the visit, a diagnosis or a medication.

For example, when leaving a voicemail for a patient, the physician should limit the message to just the information necessary to confirm an appointment time or request that the patient call the physician's office.

Safeguarding Patient Information
One way healthcare facilities can ease the pain and uncertainty around HIPAA compliant forms is to streamline the process with a HIPAA compliant form builder. This type of software collects and stores ePHI in a HIPAA compliant manner, and allows secure management of the information across multiple touchpoints, including doctors, administrative staff and other stakeholders. Because the vendor will be handling ePHI on your behalf, confirm that it will sign a business associate agreement before you adopt it; a form builder that will not sign a BAA is not HIPAA compliant for your purposes.

Regardless of technological advancements, a patient's health information must be handled with the utmost care and concern for privacy. And it's up to those working in the healthcare industry to make sure respect for privacy progresses along with the technology.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.