It can be.
The way a healthcare provider handles HIPAA can be the difference between a patient coming back and giving you a good review – or walking out the door and posting their bad experience on social media.
A patient calls to tell you they received a letter with information for another patient.
How the employee answering the phone responds can make the difference between a good outcome – and an unhappy customer who submits a complaint to the Office for Civil Rights.
Does your compliance team train receptionists to thank the person for calling, and keep them on the line until you can get a supervisor – or, better yet, the Privacy Officer – on the phone? Does the receptionist give the caller the direct number of the Privacy Officer in case they get disconnected? Or does the person who answers the phone direct the call to someone else, where the caller gets voicemail, and starts to get frustrated and think your organization doesn’t care?
A nurse aide takes a video with patients in the background and posts it on TikTok.
Are your employees trained to know that this is a potential HIPAA breach? Will they immediately notify the Compliance Officer or Privacy Officer? Or is it possible that your employees will “like” the video, and share it with a few co-workers? How fast your organization hears about – and mitigates – these issues determines how many patients or potential patients learn about them.
A potential patient walks into your organization for the first time.
Do they overhear PHI? Do they see PHI on monitors? A few months ago I was referred to a new doctor. While in the patient room (alone), I could see a TV screen next to my chair, showing the name of every other patient who had an appointment that week – and the reason for the appointment. On my way out, I saw X-rays on a TV screen at the reception area, and I could see patient names on the X-rays. I did not go back. Would you?
It wouldn’t be a HIPAA blog if we didn’t mention TikTok. A few weeks ago, a friend of mine who also works in healthcare and who loves a good HIPAA horror story, sent me a TikTok video. A woman is telling viewers that she recently went to the doctor for some tests, and on the intake form, there was a box asking if the doctor’s office could share test results with her husband. The patient checked the “No” box. The doctor’s office did not call the patient. They called her husband and gave him the test results. When the patient called the doctor’s office to discuss this, the doctor was defensive.
This video has 538,100 likes, 21,700 comments, and 1,584 shares. Here are some of the comments:
“this is a textbook HIPAA violation. Like they’d put this in the training of ‘what not to do.’”
“you definitely could report her for violating [HIPAA]”
“You might need to consider a lawyer”
“I would report simply to avoid it happening to someone in bad situations”
“After that attitude I would switch Doctors…immediately”
I didn’t read all 21,700 comments, but… you get the idea. Every one of the comments I read was a strong negative reaction to the doctor’s office. They understand their privacy rights. Privacy is important to everyone. Social media has the potential to exponentially amplify one mistake into a huge public relations nightmare.
Let’s end with a positive example. A few years ago I had an outpatient surgical procedure. I provided my driver’s license, I was given an ID bracelet, and throughout the check-in process, my personal information was verified multiple times. Not once did they ask for or say my name out loud. Not once was my identity revealed to anyone else nearby. This hospital went beyond what HIPAA requires to show me even more respect than is required by law. Surgery is no fun – but feeling respected helps. And because I appreciate the way I was treated, I want to pay it forward and let everyone know that Missouri Baptist Medical Center truly understands patient privacy.