Ask the Expert: 10 Ways You May Be Violating HIPAA

Keeping patient information confidential is an essential part of patient care. Patients expect that their protected health information (PHI) will be kept private, and failing to guard it could make them question the quality of their health care. Employees may be violating HIPAA without knowing it. Read today’s Hopkins Happenings’ Ask the Expert for a few things to keep in mind so that you’re in compliance and patients’ information is secure.

Also, if there is a question that you would like to ask an expert on HIPAA, post it in the comments section below.

1. Do not access records for a patient who is no longer under your care because you are concerned about what has happened to him or her.

2. Do not post patient information on a social media site, even when the posting is done on your own private Facebook page, Twitter account, etc.

3. Do not post or share pictures of your workload or paperwork on your private social media site. Pictures can be enlarged to reveal protected health information on documents.

4. Do not post pictures of a Johns Hopkins patient on your private social media site, even when the pictures are taken during your non-work hours.

5. Do not download protected health information to an unsecured device (such as a laptop, iPad, cell phone, etc.) or desktop computer to make data more accessible for you to perform your job.

6. Do not check the medical record of a co-worker or friend because you are concerned for his or her well-being.

7. Do not use a medical record to find an address or phone number for personal reasons.

8. Do not share your log-in ID and/or password.

9. Do not leave your computer unattended while you are logged into a system containing protected health information.

10. Do not discuss information about a current patient with his or her family member without authorization or without knowing that the person meets the “involved in the patient’s care” standard.


Comments

Alicia O. Aydlett December 27, 2013 at 10:42 am

Can a patient be sent an appointment via MyChart/email, or if a patient states, "I have no telephone, but I will leave my email address for any issues regarding my care." Should we email this patient?
Thank you


Don Bradfield December 30, 2013 at 10:05 am

Alicia:

Yes, you may use the e-mailing capacity of a properly established My Chart account to send an appointment reminder. My Chart is a secure system accessible only by a patient id and password.

If a patient wants to use e-mail outside of My Chart, then please go to the JH HIPAA website--www.insidehopkinsmedicine.org/hipaa, on the left-hand side in the table of contents, click on the second item down, review that guidance and, if you want to proceed, have the patient sign the form that is accessible from that site.


Gail Graustein December 12, 2013 at 11:13 am

If you're within the new Epic system, the MyChart feature is very efficient for the patient and doctor and/or qualified medical staff if necessary, but with regular email I would be very careful.


Don Bradfield December 11, 2013 at 9:40 am

Yes, it is okay to send PHI within the Hopkins email networks since they are behind JH firewalls.


CSA December 11, 2013 at 9:36 am

Mark, no e-mail is secure and using personal e-mail addresses such as gmail is tantamount to a public release of PHI. Google sells e-mail content to advertisement agencies and from there, the sky is the limit. Also FYI, mobile devices including phones are not secure either. We really have entered the age of Big Brother. All e-mail should contain an appropriate disclaimer about security and this is regarding all content.

Another (unrelated) reminder about following HIPAA guidelines concerns clinical trial recruiting/management of patient volunteers. [Everyone] Make sure when all of those calls are being made to prospective/participating volunteers that the calls are being made in an office or space where passersby can't hear the names and diagnoses of those people. Common sense there.


Don Bradfield December 11, 2013 at 10:08 am

While Mark's comments are generally good guidance, JH networks (those email addresses ending in @jhmi.edu, etc.) are behind firewalls and we do allow sending PHI to those email addresses.


Mark Inge December 11, 2013 at 8:51 am

Is it OK to email PHI within the Hopkins network for work-related purposes?


Roselia Hernandez December 13, 2013 at 8:51 am

1.- NOOOOO. BECAUSE EMAILS ARE NOT SECURE.
2.- PERSONAL EMAILS ARE TANTAMOUNT.
1.-PHONE IS NOT SECURE EITHER.
3.-ALL EMAILS SHOULD CONTAIN AN APPROPRIATE DISCLAIMER ABOUT SECURITY.
4.- ALL THE CALLS HAVE TO BE MADE IN A SPACE WHERE NOBODY CAN HEAR.
