I’ve worked in many healthcare facilities and must admit to seeing and overhearing some blatant violations of HIPAA requirements. Some breaches were simple ignorance of the regulations while others were just plain dumb. There are some easy solutions to possible leaks in small practices. If patient information that you store is improperly accessed or breached, the penalties are quite substantial.
The rapid adoption of EMRs (Electronic Medical Records) has led us to advise our customers to implement data encryption. Protected health information (PHI) that is encrypted in a manner consistent with HHS guidance (which points to the NIST encryption standards) is considered "secured," and the loss or theft of such data falls under the safe harbor from the breach notification requirements. The safe harbor does not apply if the decryption key was exposed along with the data, so the key must be stored and protected separately from the encrypted records.
Since 1996, HIPAA Requirements have grown substantially and now include enforcement mechanisms and actions against violators. Some violations are unintended actions by healthcare providers while others are intentional and malicious in nature. This article gives you an overview of HIPAA requirements, protected health information (PHI), and the potential consequences of HIPAA violations.
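As an added illustration of what "secured" PHI looks like in practice (this is example code written for this article, not a product or any vendor's implementation), the following Go program encrypts a constructed sample record with AES-256-GCM. The key is generated separately from the data; in a real deployment it would live in a key-management system, hardware token, or the operating system's disk-encryption key store rather than beside the records. The authentication tag means a modified blob is rejected instead of being decrypted into a silently corrupted record. The sample record, key handling and function names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt seals a PHI record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag; without the key it reveals nothing about
// the record, which is what the safe harbor hinges on.
func Encrypt(key []byte, record []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// would break GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the authentication tag, so any later modification of
	// the stored blob is detected on decryption.
	return aead.Seal(nonce, nonce, record, nil), nil
}

// Decrypt reverses Encrypt and fails closed on a wrong key or a modified blob.
func Decrypt(key []byte, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewKey generates a random 256-bit key. This is the secret that must never
// be stored or lost together with the encrypted records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	// Constructed sample record for this example; not real patient data.
	record := []byte("MRN 000123 | Jane Doe | DOB 1970-01-01 | Dx: hypertension")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(back) == string(record))

	// Flip one byte of the stored blob: decryption must fail rather than
	// hand back a corrupted record.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

A lost laptop or USB drive holding only the blob, with the key held elsewhere, is the situation the safe harbor is meant to cover; a drive that holds both the blob and the key is not. Whether a specific setup qualifies is a compliance determination for your organization and counsel, not something this program decides.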
PHI is any data about a patient that could identify that person, including name, address, Social Security number, date of birth, diagnosis, test results, and account number. Patients' rights regarding their PHI include:
- Receive notice of an agency's privacy practices.
- Know how an agency will use their PHI for treatment, payment, and healthcare operations.
- Consent to and control the use and disclosure of their PHI.
- Access their PHI, except for psychotherapy notes.
- Receive an accounting of disclosures made during the prior 6 years.
- File privacy complaints with the agency's privacy officer.
HIPAA Requirements cover all forms of communication used in a healthcare facility, such as computer screens, patient orders, laboratory slips, medication records, and faxes. The rules restrict the sharing of PHI: it cannot be released to individuals or companies for marketing purposes without the patient's authorization. PHI should be shared with as few people as necessary to deliver patient care, and with each person only to the extent required to fulfill that person's role in the treatment (the "minimum necessary" standard).
Typical HIPAA Requirements Violations
There are two types of violations: negligent and purposeful.
Negligent HIPAA Requirements violations include:
- Improper disposal of PHI.
- Faxing information to an incorrect number.
- Leaving detailed PHI on an answering machine.
- Exposing the provider's information systems to malicious code, for example by connecting a system to the Internet outside the protected network.
Purposeful HIPAA Requirements violations include:
- Accessing or using PHI without a legitimate need to do so.
- Sharing your password so that another employee can use systems under your account.
- Disclosing PHI to an unauthorized individual.
- Selling PHI to any party.
- Failing to secure confidential information.
- Deliberately compromising Electronic Record security measures.
There have been numerous high profile breaches in the past few years that you might remember involving celebrity cases. The records of Tammy Wynette and Farrah Fawcett were viewed and sold to the media. In 2010, a court sentenced Huping Zhou, a former researcher at the UCLA School of Medicine, to prison for accessing high profile patient files more than 300 times, including the records of Barbara Walters, Sharon Osbourne, and Leonardo DiCaprio. An unintentional breach in Florida occurred when the program director of a healthcare facility allowed an unauthorized employee to enter an area where PHI "could have been viewed." Under HIPAA requirements, the potential for such a disclosure can constitute a violation, even when no PHI is actually communicated.
Privacy and Social Media
The growth of online social media is another source of problems. A provider responding to someone online often cannot verify that the person is in fact the patient he claims to be, and posting pictures can be hazardous as well. Many of these violations are innocent but still put healthcare professionals at risk.
Legal disclaimer: The information herein should not be considered legal advice. Instead it is a summary of laws and rules. Refer to your attorney to determine how these laws and rules can apply to your organization.
Iron Comet Consulting is a certified Platinum Reseller for McKesson and is located in Stockbridge Georgia. We are a full service medical IT and billing company. We specialize in electronic medical record (EMR) technology and implementation.