HIPAA violations can result in hundreds of thousands of dollars in fines. These violations are often caused by breaches, cyber threats, and human errors that compromise patient protected health information (PHI). Here are some tips for managing HIPAA violations that impact your patients and your organizations.
After A HIPAA Violation - Lessons Learned From VUMC
Healthcare providers can take some notes from Vanderbilt University Medical Center. Through an internal audit, the organization was made aware of a breach of more than 3,000 patients’ data from May 2015 to December 2016. The steps taken by the University to remedy the situation and maintain relationships with its patients are noteworthy.
As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of a covered entity, the VUMC notified patients and reported the breach to the Secretary of the Department of Health and Human Services (HHS), to be investigated by the OCR.
The University also mailed out letters to all affected patients notifying them of the breach and what information was compromised. Although not required, but commonly encouraged, VUMC also enrolled the patients whose social security numbers were compromised in a one-year membership to Experian Family Secure to help them monitor their credit and protect against identity theft.
Because the patient data was accessed electronically by two patient transporters, employed by VUMC, the organization has modified the patient transporting process so as to limit the access these employees have to patient PHI. Patient transport staff has also been trained again in regards to appropriate data access policies. Vanderbilt University Medical Center is also transitioning to another EHR system with capabilities to limit permissions and data access based on job duties.
Patients trust healthcare providers with their personal data and with the task of keeping it secure. When an organization is undergoing a HIPAA violation situation, it is best to be as transparent as possible with patients to help address concerns. If a fuller picture of the violation is provided, as soon as possible, patients will be able to make the right decisions to protect their identities and take necessary precautions. Approaching communication during this time in a human-like manner as opposed to a strictly business approach will help patients feel more comfortable and appreciated, increasing the likelihood of a continued relationship.
Providing staff through training and education on HIPAA violation related policies and procedures may help retain more clients in the long-run. With an influx of patients following up with additional questions and concerns, preparing teams with information to best answer patients and media inquiries will help make the situation more manageable. Organizations should designate a point person that handles any inquiries in a timely manner. Depending on the severity of the violation, healthcare organizations may also be required to notify the media. In any case, organizations should be prepared to provide media statements that adequately explain the situation and provide contacts.
Lua is a HIPAA Compliant mobile messaging solution built for healthcare organizations. Learn more about Lua and how it can help your organization improve communication and increase efficiency.