6 little-known ways your hospital may accidentally be violating HIPAA

While the most commonly known HIPAA violation may be a data exposure stemming from a computer vulnerability that went undiscovered until it was too late, healthcare organizations may be suffering from a number of other HIPAA violations without even realizing it.

Even if providers take a number of approaches to protect their information systems, they may still not be following safe practices with sensitive patient data, writes Manisha Kathooria, co-founder of software and applications developer Kays Harbor Technologies, in a company blog post.

Here are six unexpected ways healthcare organizations may be accidentally disclosing HIPAA-protected patient information. 

1. Responding to reviews on listings or websites. While many organizations have Google, Facebook or even Yelp pages that may feature negative reviews, replying to these comments can have serious consequences. Responding to a comment may insinuate that person was your patient or a patient you interacted with, even if you do not post any information specific to that individual's case.

2. Unintentional attachments in emails. HIPAA requires that email communications to patients be encrypted beyond the typical layers used by most email services, namely Secure Sockets Layer or Transport Layer Security.

3. Missing or hidden meta information in special file formats. File formats such as JPEG or Microsoft Office documents often contain protected health information in their metadata, even if it is not immediately apparent. Scrubbing files of metadata before sharing them with coworkers could protect against unintended distribution.

4. Automatic syncing of devices to apps or clouds. Tools like iCloud and Dropbox may not secure patients' PHI without a business associate agreement in place that follows HIPAA guidelines.

5. Social media posting at your workplace. Many organizations post to their social media sites, like Facebook, to keep their patients up to date on their hospital's news. But, if their employees are not careful of their posting behaviors — including taking photos with patients in the background or revealing the backs of desks or computer screens — HIPAA violations ensue.

6. Seeking a second opinion from peers. While discussing healthcare cases with colleagues may garner fruitful results, special attention must be paid so that no PHI is shared with physicians not on that patient's case.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.

