In today’s society, a patient’s privacy is protected under Federal regulations. This private information is otherwise commonly known as Protected Health Information (PHI), and the regulations for this are all part of HIPPA (the Health Insurance Portability and Accountability Act of 1996).
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule in 2001. The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
What Information is Protected?
Protected Health Information.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information” (PHI).
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical/mental health or condition.
- the provision of health care to the individual.
- the past, present, or future payment for the provision of health care to the individual.
- the identity of the individual or information which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Civil Money Penalties.
OCR (Office of Civil Rights) which is governed by HHS (Health and Human Services) may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, or whether the covered entity’s failure to comply was due to willful neglect. Penalties may not exceed a calendar year cap for multiple violations of the same requirement.
A covered entity must disclose PHI in only two situations: (a) to individuals (or their personal representatives if they are legally authorized) specifically when they request access to, or an accounting of disclosures of, their PHI; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
Authorized Uses and Disclosures
Authorization. A covered entity must obtain the individual’s written authorization for any use or disclosure of PHI that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting authorization, except in limited circumstances.
An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.
All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.
Notice and Other Individual Rights
Privacy Practices Notice.
Each covered entity, with certain exceptions, must provide a notice of its privacy practices. The Privacy Rule requires that the notice contain certain elements. The notice must describe the ways in which the covered entity may use and disclose protected health information. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices. The Rule also contains specific distribution requirements for direct treatment providers, all other health care providers, and health plans.
A covered healthcare provider with a direct treatment relationship with individuals must have delivered a privacy practices notice to patients starting April 14, 2003 as follows:
- Not later than the first service encounter by personal delivery (for patient visits), by an automatic and contemporaneous electronic response (for electronic service delivery), and by prompt mailing (for telephonic service delivery);
- By posting the notice at each service delivery site in a clear and prominent place where people seeking service may reasonably be expected to be able to read the notice; and
- In emergency treatment situations, the provider must furnish its notice as soon as practicable after the emergency abates.
Covered entities, whether direct treatment providers or indirect treatment providers (such as laboratories) or health plans must supply notice to anyone on request. A covered entity must also make its notice electronically available on any website it maintains for customer service or benefits information.
5 Most Common HIPPA Privacy Violations
1. Releasing Patient Information Without Proper Authorizations
On the first encounter with a patient, you must ensure that the proper HIPPA paperwork is completed and stored in the patient’s record. This includes:
- Request of Access to Protected Health Information (PHI)
- Notice of Privacy Practices (NPP) Form
- Request for Accounting Disclosures Form
- Request for Restriction of Patient Health Care Information
- Authorization for Use or Disclosure Form
- Privacy Complaint
SOLUTION: Ensure that these documents are executed and properly stored in the patients record. You may never need them again, but if you don’t have them and you do need them, you have no defense to support your compliance.
2. Getting Hacked and Failure to Prevent the Incident from Happening
One of the most egregious violations is from external sources and your failure to have a properly executed Business Associate Agreement (BAA). The BAA establishes a legally-binding relationship between HIPAA-covered entities and business associates to ensure complete protection of PHI. This type of agreement is necessary if business associates can potentially access PHI during their work with the covered entity.
If your practice is hacked by an external party, and you do not have a BAA, then you may be just as liable as the perpetrator themselves since your failure to prevent this from happening or a remedy by the 3rd party was not clearly defined, leaves you liable.
SOLUTION: Ensure that you have a properly executed BAA from each and every 3rd party vendor who may potentially have access to PHI whether it is electronic in nature or by visual on-sight access.
Ensure that you secure proper cyber insurance with a minimum of $1 million of coverage.
3. Improper Filing and Disposing of Documents
Documentation and Record Retention
A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
You may or may not be aware that photocopiers and all types of computers have an internal hard drive that can store any information that was copied on that device. You must clear these hard drives prior to disposing of or returning these devices.
SOLUTION: The information on these hard drives can be recovered by I/T professionals or hackers, so ensure that these are either demagnetized or drill holes through the hard drives to prevent the data from being accessed. Be careful of which information may have also been stored in the cloud and ensure that it has been deleted in its entirety.
Ensure that all paper files containing PHI are properly shredded by a licensed, insured, and bonded document disposal or information destruction company and that you ensure that you get a receipt for the disposal similar to that of your biomedical waste.
4. Losing Devices or Using Personal Devices and Taking Them Off Premises
Unfortunately, many practices allow their staff to take photos on their personal devices which may leave the premises with the staff member who owns the device. If any 3rd party would either see these identifiable photos of patients, or the phone or device is lost and anyone is able to see these photos, you will become liable since the patient had their picture taken by an agent of your practice.
SOLUTION: DO NOT ALLOW PHOTOS TO BE TAKEN ON ANY PERSONAL DEVICE THAT WILL LEAVE THE PREMISES. I hear all kinds of excuses as to why this is done, however, you will be liable.
5. Employees Dishonestly Accessing Files
You may have heard of hospital employees accessing the health files of celebrities and releasing information. This is a major breach that leaves you liable. This may occur by a staff member having access via stolen passwords or leaving the EMR system open without shutting it down in a timely manner.
- Do not share passwords with your staff member.
- Limit the access that you allow to certain staff members.
- Conduct a prior background check on your staff members.
- Conduct proper HIIPPA training.
Protecting the privacy and confidentiality of your clients and your business is paramount. Using software like Weave’s Team Chat that is designed with the highest level of security and compliance in mind, making it the ideal solution for having important conversations about work and patients/clients safely and securely. Built to support HIPAA compliance, Weave provides a safe space to have needed conversations about work and your patients safely and securely.
No matter what, make sure you prioritize your patient’s privacy, and safeguard your business and patients’ information with confidence by following the suggestions in this article. Good luck, and please make sure to take the HIPPA rules seriously.
9 out of 10 practices agree that great technology is essential for patient communication
Weave helps you better manage your practice while improving your patient experience. See how Weave can help your practice grow today!Schedule Demo