“HIPAA violation” is a phrase that is thrown around a lot. Experts constantly cite the HIPAA privacy law that protects patients’ health information. The law has been used as a reason why someone can’t be asked whether they’ve been vaccinated, for instance.
But asking someone such a question is not a violation of HIPAA rules. It’s actually okay for a non-doctor to ask a non-doctor such a question.
So what’s HIPAA?
It’s an acronym for the Health Insurance Portability and Accountability Act of 1996. It’s a federal law whose purpose is to create national standards that protect sensitive patient information from getting disclosed without the patient’s consent.
The United States Department of Health and Human Services issued the HIPAA privacy rule to implement the requirements of HIPAA. The HIPAA security rule, in turn, protects a subset of the information covered by the privacy rule: electronic protected health information. The standards of the privacy rule govern how the individuals and institutions subject to it may use and disclose a person’s health information. These individuals and institutions are referred to as “covered entities.”
Common HIPAA Privacy Violations
Privacy law in healthcare is put in place to give patients rights to access and amend their protected health information, and to control how it is disclosed. Appropriate, limited disclosures can help to reduce fraud, waste, and abuse.
If your organization is not HIPAA compliant, the penalty may be very high compared to the cost of compliance. Penalties can run into millions of dollars and may also include a jail term. Below are some common HIPAA privacy violations:
- Losing devices. One of the challenges in the healthcare sector comes from the fact that devices store patients’ information. These devices could be tablets, laptops, desktop computers, and smartphones. Mobile devices are easily misplaced because of their small size and portability.
To avoid losses, keep a watchful eye on your devices and keep them locked when you’re not around. Encrypt the files stored on each device, so that a lost device does not become a disclosure of PHI. You can also use a cloud hosting solution for remote access, so that less patient data lives on the portable device itself.
- Getting hacked. Several healthcare network servers have had their data stolen in the past. These servers hold PHI for millions of patients. When attackers get this data, they leak it or sell it to the highest bidder. Such information may include dates of birth, addresses, insurance information, or social security numbers.
That’s why you need to use encryption and deep-packet inspection firewalls to block phishing, malware, and other attacks. This will safeguard PHI.
- Employees dishonestly accessing files. It’s unfortunate, but you can’t trust everyone. An all too common HIPAA violation is employees getting access to files that they shouldn’t have access to. This can be done out of curiosity or spite, or because a loved one asked for the information. This access is wrong no matter the excuse the employee may have.
The problem is amplified when accounts are shared between physicians and employees, because shared accounts make it impossible to tell who accessed a record. Policies and procedures, reinforced by annual HIPAA security training, should enforce unique user IDs for every person.
They should also require individual passwords, passcodes, and user ID codes. These discourage employees from accessing a patient’s file without authorization and make any such access traceable to a specific person.
- Improper filing and disposal of documents. When using a paper filing system, human error may result in employees incorrectly filing a patient’s record. An employee can also discard a document accidentally without shredding it first.
To avoid this, formulate policies and procedures to ensure that any PHI on paper is locked away at night. The policies and procedures should also ensure that PHI or PII awaiting disposal is stored in secured disposal bins before shredding.
Healthcare professionals also cannot leave online reviews about their patients. Google patient reviews of this kind violate HIPAA since they blatantly expose PHI such as patient names and medical history. Healthcare experts have been heavily fined for such violations.
Who Does HIPAA Cover?
As already mentioned, HIPAA is a federal law that introduced standards in healthcare. These standards relate to patients’ privacy and the protection of medical data.
HIPAA covers healthcare providers, health plans, and healthcare clearinghouses. It also covers the business associates of HIPAA-covered entities. HIPAA applies to a lot of entities except for those that conduct transactions electronically. Healthcare providers include:
- Nursing homes
Health plans include health insurers, company health plans, and government programs that pay for healthcare. Medicaid and Medicare are examples of government programs that pay for healthcare. Healthcare clearinghouses are organizations tasked with transforming non-standard health data into a standard format. A business associate is an entity or a person who performs functions for a HIPAA covered entity that require the use of protected health information.
What Does HIPAA Cover?
The HIPAA privacy rule protects all individually identifiable health information that is created, stored, maintained, or transmitted by a HIPAA covered entity or by a business associate of a HIPAA covered entity.
The HIPAA rule applies to all forms of PHI, including paper records, film, and electronic health information. Such information is considered protected health information only if it contains identifiers that would enable a patient or a health plan member to be identified.
Note that HIPAA doesn’t cover information held in employment records, even if that information would otherwise fall under the HIPAA definition of individually identifiable health information or protected health information. If individually identifiable health information is stripped of all identifiers, it stops being regarded as protected health information.
Penalties for HIPAA Violations
HIPAA penalties depend on the type and severity of the violation. The two types of violation are:
Each of these violations has graded tiers that determine penalties for the violation.
The Office for Civil Rights (OCR) will assess a case and the covered entity’s liability according to four tiers of increasing culpability. Every tier comes with minimum and maximum penalty amounts per violation, and an annual cap on penalties for multiple violations of the same provision.
Here is a list of HIPAA fines based on the numbers released in March 2022, which are adjusted for inflation:
- Lack of knowledge: penalty ranges from $127 to $63,973
- Reasonable cause, not wilful neglect: penalty ranges from $1,280 to $63,973
- Wilful neglect that’s corrected within 30 days: penalty ranges from $12,794 to $63,973
- Wilful neglect that’s not corrected within 30 days: penalty ranges from $63,973 to $1,919,173
Organizations usually receive civil penalties for violations committed by their healthcare employees. But if healthcare professionals knowingly and unlawfully access PHI, they can be held criminally liable. It is the U.S. Department of Justice, not the OCR, that handles criminal penalties for HIPAA violations.
Note that criminal penalties can range from fines to jail terms, depending on severity. The penalty determined by a judge is based on which of the following applies:
- Wrongful exposure of PHI
- Exposure of PHI under false pretenses
- Exposure of PHI under false pretenses with malicious intent
Keep in mind that apart from providing excellent care, you need to engage with patients. That’s the best way of encouraging them to keep coming back to your practice. Ensure that you track and respond to all reviews whether they are positive or negative. With a little thought, you can easily protect a patient’s privacy, thus staying HIPAA compliant.