HIPAA, The Health Insurance Portability and Accountability Act of 1996 is a federal law that required the creation of nation standards to protect sensitive patient health information from being disclosed with the patient's consent or knowledge, www.cdc.gov/phlp/publications/topic/hipaa.html.
I decided to talk about HIPAA compliance. Why? Because working in the healthcare field for over 20 years, I've seen it all. I've seen coworkers talking about a patients health issue in open spaces, patients financial issues, even patients family / home life. The HIPAA part comes in because, they used the patients name and other identifying information.
The biggest HIPAA violation I see commonly is on social media. I've seen people take selfies in front of their computer screen with patients information in the background. Seriously?! You can't turn the dang screen off?!
HIPAA Privacy Rule
According to the U.S. Department of Health & Human Services:
"The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections."
Who's covered under the HIPAA Privacy Rule?
Covered Entities: A covered entity is any health plan or clearinghouse or any healthcare provider that transmits Protected Health Information (PHI) in an electronic form.
*Healthcare Providers, Clinics, Behavioral Health Providers, Nursing Homes, Dentists, and Pharmacies
*Healthcare Insurance Plans (HMO, PPO, Dental, Vision, and Prescription Drugs)
*Healthcare Clearinghouses. Clearinghouses are considered "the middleman" between insurance companies and healthcare providers. When the provider (billing company or department) submits a medical claim for reimbursement, they go through the clearinghouse first. This is where any errors with the claim can be found and will transmit this error-free claims to the insurance company for payment.
*Business Associates. A business associate is a person or company that works outside of the covered entity who either acts on behalf of the covered entity or provides services to / for that covered entity. This includes: IT (contractors), billing and coding companies, legal, accreditation company and a financial company
HIPAA Security Rule
Centers for Medicare & Medicaid Services (CMS) defines HIPAA security rule as, "security requirements to protect patients’ ePHI confidentiality, integrity, and availability. The Security Rule requires you to develop reasonable and appropriate security policies. In addition, you must analyze security risks in your environment and create appropriate solutions. What’s reasonable and appropriate depends on your business as well as its size, complexity, and resources. You should always review and modify security measures to continue protecting ePHI in a changing environment."
To ensure HIPAA compliance, there are four security rules, to safeguard privacy, that must be implemented.
Ensure the confidentiality, integrity, and availability of all electronic protected health information
Detect and safeguard against anticipated threats to the security of the information
Protect against anticipated impermissible uses or disclosures
Certify compliance by their workforce
The three safeguards used to protect HIPAA privacy:
Administrative: written policies and procedures, written agreements with business associates, security awareness with employee trainings, incident reports, and background checks.
Physical: Locking computer screen when stepping away from desk, locking areas where PHI's are stored, alarm and security systems and never give your office key or locked drawer key to anyone
Technical: Control who has access by limiting the number of authorized people to access PHI. Use passcodes that are difficult to discover by others. Medicare uses multi-authentication when logging into provider portals. So, I adopted this as well to safeguard my providers information and patients information.
Consequences of HIPAA Violations
U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for the enforcement of the HIPAA Privacy and Security Rules
Per HHS (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html), OCR enforces the Privacy and Security Rules in several ways:
by investigating complaints filed with it,
conducting compliance reviews to determine if covered entities are in compliance, and
performing education and outreach to foster compliance with the Rules' requirements.
OCR also works in conjunction with the Department of Justice (DOJ) to refer possible criminal violations of HIPAA.
Penalties for Civil Violations:
*HIPAA violation: Unknowing Penalty range: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations
*HIPAA violation: Reasonable Cause Penalty range: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations
*HIPAA violation: Willful neglect but violation is corrected within the required time period Penalty range: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations
*HIPAA violation: Willful neglect and is not corrected within required time period Penalty range: $50,000 per violation, with an annual maximum of $1.5 million
Penalties for Criminal Violations:
Criminal violations of HIPAA are handled by the DOJ. As with the HIPAA civil penalties, there are different levels of severity for criminal violations.
*Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information, in violation of the Administrative Simplification Regulations, face a fine of up to $50,000, as well as imprisonment up to 1 year.
*Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.
*Finally, offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
Release of Information (ROI)
Release of Information (ROI) is critical information and needs to be understood and taken seriously. ROI is defined as "the process of providing access to protected health information (PHI) to an individual or entity authorized to receive it." In plain words, have a consent form signed! If the request person / office is not a covered entity or business associate, do not give out any phi, unless you have a signed consent form and they can verify they are that person / company on the consent form.
A great example is: a spouse calls saying they are the spouse of a provider and need to have copies of their last exam. Without verifying you have a signed consent form from the patient and you give the spouse that information, you my friend are in HIPAA violation and will probably lose your job (which you should). That "spouse" could use those records against their spouse in court or confrontation. It could be an ex-spouse trying to find dirt on their ex. No matter what, who or how, do NOT give any personal information without a consent form!
There are a few reasons when a consent form is not required to give PHI out.
Corner's investigation / report
Communicable disease reporting to the health department
***Family that's involved in the patients care, can be given PHI (without a written consent) when the patient gives a verbal consent, or if the patient is incapacitated. Then you would need to use reasonable judgement on what information to give.**
I chose the HIPAA topic because we see these violations occur on a daily basis, mostly with social media. It's not only rude to disclose personal information, it's illegal! Use common sense, ask questions about security, report breaches and stay up to date on HIPAA reporting changes.
References and good websites to learn more about HIPAA:
Until We Meet Again...