You and your employees most likely use technology in various aspects of business and care. Front desk staff members will use a computer to schedule appointments, input patient information and bill people for their visits. Speech, occupational and physical therapists may use a tablet to keep track of their patients’ progress, make notes and develop their treatment programs.
While technology is useful for practice management, it’s imperative that this equipment complies with the Health Insurance Portability and Accountability Act (HIPAA). Otherwise, your practice could face violations and fines under this regulation, which was put in place to protect private patient health information.
Some HIPAA violations are obvious, but others are lesser known, so it’s important to complete routine checks to ensure that your computers are always up to date, secure and in accordance with this law.
Here are five ways your computer may not be HIPAA compliant:
1. Computers running Windows XP may not be protected
In April 2014, Microsoft announced that it would no longer support the Windows XP operating system (OS), which meant the company would not release any more security patches for it. From that point on, Microsoft no longer considered computers running Windows XP secure, so any device still running this operating system could be violating HIPAA: vulnerabilities discovered after the cutoff stay unpatched, and an unpatched machine could lead to a breach of patient information. Practice computers that run a Microsoft operating system should be upgraded to Windows 7 or 8.
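A practical way to find such machines is to inventory them rather than rely on memory. The script below is an added example, not something from the original article or from PREFERRED: it reports each computer’s Windows version and the age of its most recent installed update, and flags anything still on Windows XP (or older) or that has not been patched recently. It runs from an administrator’s Windows PowerShell 3.0 or later session and uses remote WMI, which still reaches old machines that lack modern PowerShell themselves. The computer names and the 60-day threshold are assumptions for illustration.

```powershell
# Added example, not from the original article: audit whether a practice
# computer still receives Windows security patches. Run from an administrator's
# Windows PowerShell 3.0+ session; remote WMI (Get-WmiObject/Get-HotFix -ComputerName)
# also reaches older machines, including Windows XP, that have no PowerShell 3.
# Windows NT version numbers: XP = 5.1 (5.2 for XP x64), Vista = 6.0, 7 = 6.1, 8 = 6.2, 8.1 = 6.3.
function Get-OsPatchStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxDaysSincePatch = 60    # assumption: two months without an update is worth a look
    )
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $ver = [version]$os.Version

    # Most recent installed update (InstalledOn is blank on some entries, so drop those first)
    $lastPatch = Get-HotFix -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($lastPatch) { [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays } else { $null }

    $issues = @()
    if ($ver.Major -lt 6) { $issues += 'Windows XP or older: no security patches since April 2014' }
    if ($null -eq $daysSince) { $issues += 'No installed updates recorded' }
    elseif ($daysSince -gt $MaxDaysSincePatch) { $issues += "Last update installed $daysSince days ago" }

    [pscustomobject]@{
        Computer  = $ComputerName
        OS        = $os.Caption.Trim()
        Version   = $os.Version
        LastPatch = if ($lastPatch) { $lastPatch.InstalledOn.ToString('yyyy-MM-dd') } else { 'none' }
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

# Check this machine, then a list of practice computers (constructed names for the example):
Get-OsPatchStatus
'FRONTDESK-1', 'THERAPY-TAB2' | ForEach-Object { Get-OsPatchStatus -ComputerName $_ } | Format-Table -AutoSize
```

Any row with Compliant set to False is a machine to upgrade or patch before it handles patient information. Remote queries need the Windows firewall on the target to allow WMI and an account with local administrator rights there.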
2. Computer logins and passwords are being shared
Per HIPAA policy, each employee should have their own login and password for the practice computers. Since you may already be monitoring activity on these machines, check whether the same credentials are being used by more than one person. Therapists and employees who share passwords and/or logins could be violating HIPAA: it might be seen as sharing private health information, and it also makes it impossible to tell which individual actually viewed a patient’s record. To counter this, stress to employees that they must keep this information to themselves and never let a co-worker use it.
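One concrete check is to look for the same account logging on to two different computers within a few minutes of each other, which is what a shared login looks like in the Windows Security log (logon event 4624). The script below is an added example, not from the original article: it converts logon events into small records and reports accounts seen on two workstations within a configurable window. The sample records, user names and host names are constructed for the example, and the 10-minute window is an assumption to tune for your practice.

```powershell
# Added example, not from the original article: find accounts that are used from
# more than one computer at about the same time (Windows Security log, event 4624).
# Requires PowerShell 3.0 or later; reading the Security log needs an elevated prompt.

# Turn a raw 4624 event into a small record. Fields are looked up by name in the
# event XML, so this does not depend on the order of the event's properties.
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            User        = $data['TargetUserName']
            Workstation = $data['WorkstationName']
            LogonType   = [int]$data['LogonType']
        }
    }
}

# Report any user whose logons on two different workstations fall within
# $WindowMinutes of each other. Logon types kept: 2 console, 7 unlock,
# 10 remote desktop, 11 cached console. Computer and service accounts are dropped.
function Find-SharedLogins {
    param(
        [Parameter(Mandatory)][object[]]$Logons,
        [int]$WindowMinutes = 10     # assumption: tune to how quickly staff move between stations
    )
    $people = $Logons | Where-Object {
        $_.User -and $_.User -notmatch '\$$' -and
        $_.User -notin @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE') -and
        $_.LogonType -in @(2, 7, 10, 11)
    }
    foreach ($group in ($people | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            for ($j = $i + 1; $j -lt $sorted.Count; $j++) {
                $gap = ($sorted[$j].Time - $sorted[$i].Time).TotalMinutes
                if ($gap -gt $WindowMinutes) { break }      # later entries are even further apart
                if ($sorted[$i].Workstation -ne $sorted[$j].Workstation) {
                    [pscustomobject]@{
                        User         = $group.Name
                        FirstHost    = $sorted[$i].Workstation
                        SecondHost   = $sorted[$j].Workstation
                        MinutesApart = [math]::Round($gap, 1)
                        When         = $sorted[$i].Time
                    }
                }
            }
        }
    }
}

# Constructed sample records (names and hosts are made up for this example):
# jsmith appears on two stations three minutes apart; mlee only ever on one;
# the computer account FRONTDESK-1$ is filtered out.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2014-06-02T08:58:00'; User = 'jsmith'; Workstation = 'FRONTDESK-1';  LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2014-06-02T09:01:00'; User = 'jsmith'; Workstation = 'THERAPY-TAB2'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2014-06-02T09:03:00'; User = 'mlee';   Workstation = 'FRONTDESK-2';  LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2014-06-02T13:15:00'; User = 'mlee';   Workstation = 'FRONTDESK-2';  LogonType = 7 }
    [pscustomobject]@{ Time = [datetime]'2014-06-02T09:04:00'; User = 'FRONTDESK-1$'; Workstation = 'FRONTDESK-1'; LogonType = 3 }
)
Find-SharedLogins -Logons $sample | Format-Table -AutoSize

# On a live machine, replace $sample with the last week of real logon events:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) } |
#             ConvertFrom-LogonEvent
# Find-SharedLogins -Logons $live
```

In a practice without a domain controller, each computer keeps its own Security log, so gather events from every machine (Get-WinEvent -ComputerName, or export the logs) and pass the combined list to Find-SharedLogins. A hit is a reason to talk to the person whose account it is, not proof of wrongdoing on its own; someone who legitimately moves between a front-desk PC and a treatment-room tablet will look the same.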
3. Leaving a computer logged in and unattended
It’s not HIPAA compliant to leave a computer logged in and walk away from it. If a machine stays logged in, anyone who walks up to it, including unauthorized third parties, can see what is stored on it and could access and take private patient health information, which is a serious HIPAA offense. Your practice should have a strict policy that employees log off before leaving their workstation unattended.
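A written policy relies on people remembering it, so pair it with a technical backstop that locks the screen after a few minutes of inactivity. The script below is an added example, not from the original article: it sets the documented Windows policy values for an inactivity lock and includes a function to read them back during a routine check. The five-minute timeout is an assumption to set per your own policy; run it from an elevated prompt.

```powershell
# Added example, not from the original article: make an idle station lock itself
# so that a forgotten logoff does not expose patient records. Run elevated.
function Set-InactivityLock {
    param([int]$Seconds = 300)   # assumption: five minutes; choose the value your policy requires

    # Windows 8 / Server 2012 and later honour the machine-wide policy
    # "Interactive logon: Machine inactivity limit" (DWORD, seconds).
    $machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $machine)) { New-Item -Path $machine -Force | Out-Null }
    New-ItemProperty -Path $machine -Name 'InactivityTimeoutSecs' -PropertyType DWord -Value $Seconds -Force | Out-Null

    # Windows 7 has no machine inactivity limit; the equivalent is a password-
    # protected screen saver enforced through per-user policy (REG_SZ values).
    # scrnsave.scr is the blank screen saver that ships with Windows.
    $user = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    if (-not (Test-Path $user)) { New-Item -Path $user -Force | Out-Null }
    New-ItemProperty -Path $user -Name 'ScreenSaveActive'    -PropertyType String -Value '1'           -Force | Out-Null
    New-ItemProperty -Path $user -Name 'ScreenSaverIsSecure' -PropertyType String -Value '1'           -Force | Out-Null
    New-ItemProperty -Path $user -Name 'ScreenSaveTimeOut'   -PropertyType String -Value "$Seconds"    -Force | Out-Null
    New-ItemProperty -Path $user -Name 'SCRNSAVE.EXE'        -PropertyType String -Value 'scrnsave.scr' -Force | Out-Null
}

# Read the settings back, for the routine checks the article recommends.
function Get-InactivityLock {
    $machine = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $user    = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MachineInactivityLimitSecs = $machine.InactivityTimeoutSecs
        ScreenSaverActive          = ($user.ScreenSaveActive -eq '1')
        ScreenSaverPasswordLocks   = ($user.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeoutSecs     = $user.ScreenSaveTimeOut
    }
}

Set-InactivityLock -Seconds 300
Get-InactivityLock
```

The per-user values apply to the account that runs the script, so on a shared Windows 7 machine run it once as each user, or, if the practice has a domain, push the same values to everyone at once with a Group Policy under User Configuration. The settings take effect at the next logon or policy refresh.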
4. Private health information is stored on laptops or mobile devices
According to Healthcare IT News, the most common cause of HIPAA breaches is lost or stolen laptops, which accounted for six out of 10 cases. Unlike desktops, portable devices can easily be misplaced or taken, and if a lost laptop or mobile device contains electronic health records and patient information, that is a HIPAA breach. Last year, Gibson Hospital in Southwest Indiana reported a HIPAA breach affecting 29,000 patients, caused by a laptop stolen from an employee’s home. To avoid a similar issue, you might want to use desktops in your practice or require that all mobile devices stay in the office.
5. Employees send unencrypted emails
It’s normal for employees to correspond with one another and with patients via email. However, if these messages are sent without encryption, they might not be considered secure and therefore might not comply with HIPAA. Encryption runs the original message through an algorithm that turns it into ciphertext, which cannot be read by anyone who does not hold the key to decrypt it. Make sure that messages and emails sent from your practice are encrypted so that you stay in line with the regulation.
This article is brought to you by PREFERRED Therapy Providers Inc. PREFERRED is the nation’s leading payor management services network. Our expertise is working with physical, occupational and speech therapy practices – from single clinics to multiple clinic locations.