April 30, 2008

Holes In Your Network

IT departments at health care providers around the country are scrambling to stay ahead of hackers and others who might be trying to get at the HIPAA-covered patient information on your network.  Your office - big or small - is probably no different.

But hackers may be the least of your HIPAA-compliance worries.  According to Jill Dennis, a senior VP at the American Health Information Management Association,

The internal [hospital] mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system.

Computer mistakes are easy to make, particularly in typically overworked and understaffed admitting or nursing areas, and it's unlikely that yet another written policy will offer much of a realistic solution.  That said, computer mistakes are also unlikely to be the biggest hole in your HIPAA-compliance strategy.

The biggest hole in your HIPAA-compliance strategy is most likely to be conversations among employees in which they're discussing personal health information.  No, I'm not suggesting you keep your office workers from talking, and instead make them pass notes (in invisible ink, of course).  But in just about every admitting area or nursing station - particularly in facilities over 10 years old - sound travels.  Conversations are easy to overhear.  And your organization is not covered - even if the conversation is legitimate - if someone overhears personal information and does something nefarious with it.   

Have you plugged the acoustic security holes in your network?

Filed under Blog by admin

April 21, 2008

HIPAA Penalties Get Tougher

Could this be one of your employees? 

According to the indictment, Howell disclosed "personally identifiable health information" to two people from June to August, knowing they would use it to commit "access device fraud" and identity theft.

How much "personally identifiable health information" gets inadvertently disclosed just to those in your admitting areas or waiting rooms? 

Privacy is a big deal to your patients, clients - and employees.  Maybe you've got a pretty strict document security policy in place.  But what have you done about the acoustic security of your "human network"? 

Walk through your admitting area/waiting room or stand near a nursing station at a peak time and listen.

What information do you hear?

Filed under Blog by Frank

April 14, 2008

How Quiet Is Your Hospital?

It's a well-documented fact that patients in noisy hospitals recover more slowly than patients in quiet environments, and a quiet hospital is certainly a benefit from a customer service perspective as well.

HHS just launched a tool (yes, on April Fools' Day, but it appears they're serious) that allows your potential customers to choose their coverage based on - among other factors - how quiet your hospital is.

Are you falling behind in this critical area?

Filed under Blog by Frank

April 11, 2008

Celebrities Aren't the Only Ones…

Fox News reports that celebrities such as Britney Spears and George Clooney aren't the only ones in danger of having their medical records snooped through.  According to the story, those forms you sign often give the hospital the right to sell your data to drug companies,  

But even the most strict consent form can be pretty meaningless, and you should be very concerned about who's overhearing your HIPAA-covered private information.  Are you taking steps to ensure your patients' private information is kept private - both inside and outside your facility? 

Filed under Blog by Danny

April 10, 2008

Dentists Fail HIPAA Test

In a small but significant survey of HIPAA compliance among dentists, exactly none of the surveyed dentists were HIPAA compliant.  The reasons ranged from honest misunderstandings of the requirements to open defiance.  From recent surprise HIPAA audits, however, it doesn't appear this is a great long-term strategy.

How would your office do on the test?

Filed under Blog by Danny

March 26, 2008

Surprise! Are You Ready for a HIPAA Audit?

HHS has begun conducting surprise audits of hospitals' compliance with HIPAA's privacy rules.  Are you ready?

Oral privacy is often a blind spot for HIPAA-governed entities - one that leaves most healthcare providers significantly exposed to fines and costly litigation.  Have you applied "reasonable safeguards" to ensure that, for example, people near your hospital's nursing station don't overhear a doctor's diagnosis of a patient?

Remember, the same protections afforded to paper and electronically based information must apply to verbal communications as well. 

You've probably spent a lot of money securing your computer network.  How about your "human network"?

Need help providing cost-effective oral privacy?

Filed under Blog by Danny

March 25, 2008

HIPAA Privacy Regulations: Are You In Compliance?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal privacy law that went into effect on April 14, 2003. As of that date, health care providers, health plans, and other health businesses have been required to comply with the law.

The law is designed to provide privacy and security to citizens, to ensure their health information can’t be used against them in any way, and that their medical records can’t be accessed by another party without their permission.

HIPAA prohibits health care providers from disclosing any health information to a third party without explicit, written authorization from the patient. For an authorization to be considered valid under the law, it must include a description of the information to be shared, the name of the person to whom the information is to be disclosed, an expiration date, and the patient's signature.

One major exception to the law is the sharing of information between doctor’s offices. Patient medical records can be transferred from one doctor’s office to another without patient consent for treatment purposes.

Treatment, in this case, includes consultations between different providers for the purpose of referrals and for treatment of a patient by multiple providers. This can be done by fax or other means, without patient consent.

The fact that patients apparently can't sue providers directly for federal HIPAA violations doesn't provide much security.  Patients have sued - and won - under various state laws, with several judgments running into the tens of millions of dollars.  Patients can also file a complaint with the Secretary of Health and Human Services by way of the Office for Civil Rights. HHS could impose civil penalties on the health care provider that might range from $100 to $25,000. Criminal sanctions could range from $50,000 to as much as $250,000, and could even include a prison sentence! With such strict rules and requirements and such stiff penalties for noncompliance (to say nothing of the negative PR), it is vital to make every effort to keep your organization in compliance.

Employees should all be thoroughly versed on the letter of the law, and should all be given very specific rules about how they should handle patient privacy. Unfortunately, rules and regulations don’t always prevent accidental leaks of information.

If employees are distracted, they might inadvertently violate a portion of the law and put the organization out of compliance. In addition to accidental leaks through employee negligence, patient information could also be overheard by a third party when it is discussed between employees within the establishment.

For example, when a celebrity like Britney Spears goes to the hospital, the paparazzi are never far behind.  They might listen in on conversations between employees.  If that celebrity patient (with bottomless pockets and a high-power legal team) has opted out of having their information shared, they could be very upset by this, especially since reporters are not bound by HIPAA and can freely disclose any information they do manage to find out.  Even if you don't count many celebrities among your clients, legally, your clients can demand the same privacy protections.  What confidential patient information is routinely discussed in your waiting rooms or nursing stations?

A good sound masking system can help keep you in compliance. It will help your employees tune out distracting noises, making them less likely to make mistakes and inadvertently share patient information with the wrong party.

It could also help prevent third parties from accidentally - or not so accidentally - overhearing conversations about a patient's condition: the masking sound makes nearby speech harder for the brain to pick out unless the conversation is taking place close by and the listener is specifically trying to follow it.

Filed under Blog by Frank
