1. Using Windows XP
For some doctors this may seem a laughable idea, but a full seven percent of businesses in the US are still using computers running Windows XP, an operating system that is no longer being updated or investigated for security holes. The problem extends well beyond the operating system itself: nearly every application has stopped being updated for Windows XP, so if a security flaw in one of them is found, it will be found by attackers rather than by the developers, as in the recent WannaCry ransomware attack.
How to fix it: Pony up for Windows 10. Although the window for a free upgrade has passed, the upgrade is much cheaper than paying to clean malware out of your network, on top of any HIPAA penalties should the breach include patient information. In most cases you, not your IT department, are liable for any breach.
2. Not Shredding Trash
Another item that is obvious in hindsight yet often overlooked is the need to completely shred all patient-related trash: not only documents, but any other item that carries patient information. A pharmacy incurred severe penalties for throwing out pill bottles with the patient-information labels still affixed to the side. Rather than trying to feed pill bottles through your shredder, simply remove and shred the labels.
How to fix it: If you're not willing to invest in a quality paper shredder (which, even so, can still jam and be a major pain), consider using a secure shredding service like Iron Mountain.
3. Releasing Information to a Non-Designated Party
Here's a familiar scenario: an 18-year-old college kid forgets to include his mom on his HIPAA release forms. His mom is paying for treatment and swings by your office on her way home, looking to pay the bill and find out what treatment was performed. Flustered, your front desk assistant tells her that the dentist gave her son a filling and patched a small chip. Well intended as it is, this is a HIPAA violation.
How to fix it: To remain compliant with HIPAA, you cannot release any information pertaining to an adult patient to a parent without proper authorization from the patient. Even if it's obvious they've simply missed an item on the form, it's better to be safe than sorry. You never know whether a parent trying to pay a bill might be estranged and attempting to locate or put pressure on their child and the other parent, possibly in violation of a protective order.