Automated HIPAA Privacy

HIPAA Blunders: Hard Lessons to Learn

People who work in the healthcare industry have been educated and trained time and again, exhaustively, on the principles and application of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But just as surely as the sun rises in the east, it is not always easy to make oneself or a process foolproof against HIPAA mistakes. Some of these blunders originate from an innocent mistake. Workers usually have the best intentions for their patients or clients as they carry out their duties in the workplace. Let us look at a few examples of these incidents so that we can learn from the mistakes and prevent such blunders from happening again. For privacy purposes, names of individuals, offices or organizations, and dates may have been changed.

The first case is a lesson learned that, in a nutshell, teaches employees that the fast and easy way is not always the best way. The ABC private practice made it standard operating procedure (SOP) to put visible tags on patients’ charts as precautions for certain medical conditions. The tags were color-coded, and specific medical conditions were written on them. For example, a red tag with the word “AIDS” was placed on the outside of the chart.

Let us examine this incident. This concept certainly was not born with intentions to embarrass anybody. However, as we all know, the end does not justify the means. ABC private practice may have just been trying to protect their personnel so that when the need arises, the employees will be guided accordingly – perhaps to stress universal precautions and any other special endorsement related to the patient’s care.

One such situation is when staff may have to perform invasive procedures on a patient who happens to have a communicable disease. Conversely, patients may also need specific care related to their medical condition (e.g., a blue tag indicating “reverse isolation” for an immunocompromised patient who needs extra preventive measures to maintain surroundings that minimize the patient’s risk of contracting illness from those around them).

The problem with the above arrangement, obvious as it seems, is that other people can also easily see the tags indicating a patient’s medical illness and/or precautions, which unnecessarily exposes the patient’s condition. This situation could easily have been prevented if the practice had carried out this concept and process with care and prudence.

In this particular case of HIPAA Privacy violation, ABC private practice was instructed by the Office of Civil Rights (OCR) to study and revise its policies and procedures. It was also required to put the tags on the inside of the chart, where they are not easily visible to others and are seen only by the staff directly involved in the care of the patient concerned. In addition, the HIPAA Privacy Officer and other concerned employees of the practice had to meet with the affected patient to apologize formally, and followed this up with a written apology letter.

The above matter, however, may be considered a somewhat milder consequence compared to another HIPAA violation. This next case required XYZ hospital to settle for $387,200 for its violations. The case arose when one of the hospital’s staff mistakenly faxed a patient’s protected health information (PHI) to his or her employer’s office and to another office where he or she volunteers. The PHI included very sensitive information pertaining to the patient’s HIV status, medical care, sexual orientation, mental health diagnosis, and others. It was also discovered that nine months before this incident, a similar incident took place at the same hospital, when one of its staff also faxed PHI to an incorrect destination. It was deemed that no appropriate measures had been put in place after the previous incident that could reasonably have prevented further blunders and HIPAA Privacy violations.

To conclude, observing practices that are consistent with the requirements of HIPAA may not be as easy as some perceive. Concrete, comprehensible, and religiously enforced policies and procedures must be established and implemented. Such measures are not negotiable and cannot be replaced with unjustifiable or inefficient practices.
