The Health Insurance Portability and Accountability Act, commonly known as HIPAA, has been in effect for a decade. In the last law column, we looked at how the HIPAA privacy rule has been enforced; in this column we provide some tips for avoiding HIPAA violations.
First, it’s essential to understand what is being protected by HIPAA. The privacy rule applies to protected health information, or PHI, which the U.S. Department of Health and Human Services defines as “information, including demographic data, that relates to:
This information can be in any form — electronic, paper or oral.
Criminal penalties, including up to 10 years of imprisonment at the top tier, may result if PHI is knowingly obtained or disclosed in violation of the law, with harsher penalties when the information is obtained under false pretenses or with the intent to sell it or use it for personal gain. However, most enforcement actions are civil, and many are the result of accidental release of PHI. Civil penalties include monetary fines and corrective actions, such as changing a procedure, conducting training or instituting safeguards on personal information.
One example of a civil action involved a doctor’s office mistakenly faxing a patient’s medical records to his workplace rather than to his new physician. The records contained PHI about the patient, specifically that he was HIV-positive. After an investigation, the Office for Civil Rights (OCR) concluded that while the slip was not intentional, the physician’s office needed to revise its faxing policies, strengthen the privacy language in its fax cover sheets and require all employees to take HIPAA training to avoid similar mistakes in the future.
Five tips for staying compliant
1. Never access a patient’s records unless you are managing that patient and need the record for that purpose. Numerous HIPAA violations have taken place when healthcare practitioners accessed the records of relatives, friends or, in at least one case, an ex-husband in order to obtain information. Even if you are the healthcare proxy for that person, accessing records in that way is not acceptable, and it probably also violates your employer’s internal policies.
2. Use discretion when talking about a patient. HIPAA violations can arise when healthcare practitioners discuss a patient’s health status in public areas, such as a waiting room, in front of other people.
3. Ensure that protected health information is safeguarded. The OCR has held that even insurance cards, presented at a pharmacy, are considered PHI and must be treated as such. Obviously patient medical records, test results and diagnostic information are all PHI.
4. Do provide health information where it is authorized. HIPAA violations also can occur when a practitioner or other entity withholds PHI from those who are entitled to such information. For example, a doctor’s office violated HIPAA by refusing to provide a minor patient’s mother with his health records. In another case, a medical practice hired by an insurance company to conduct an independent medical exam on an injured individual refused to provide the medical records to that individual. OCR held that the individual had a right to the information regardless of who was paying for the exam.
5. Use care in labeling files. One practitioner’s office was fined for using large red stickers with the word “AIDS” on the outside of files of patients who were HIV positive. Since the stickers were visible to everyone in the waiting room, as well as the office staff, this was a violation.
The bottom line is this: PHI must be treated with great care in all its forms, whether paper records, faxes, computer records, pharmacy logbooks or oral discussions. Being aware of what information is protected will help you avoid HIPAA snafus.
Ann W. Latner, JD, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.