7 Different Types of HIPAA Violations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that provides for the privacy and security of patients’ medical information. Under HIPAA, protected health information (PHI), which is defined as individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium, must be kept confidential. Violations of HIPAA can result in civil and/or criminal penalties, so it is important to understand the different ways (whether negligent or intentional) HIPAA can be violated so you can take preventative action.

What is a HIPAA violation? The best way to understand what constitutes a HIPAA violation is to look at examples, so I’ve compiled a list of 7 different types of common HIPAA violations. This is by no means an exhaustive list, but it does illustrate just how easy it is for HIPAA violations to occur.

Lost or stolen devices—if there is not proper encryption and password protection on electronic devices such as laptops and smart phones, unauthorized people can gain access to PHI if one of these devices falls into the wrong hands.

Improper disposal of information—all paperwork containing PHI needs to be shredded, because if it is simply thrown away, anyone could walk by the trash can and pluck confidential patient information out of the garbage. Similarly, data stored in digital form needs to be properly wiped from devices and old hard drives or flash drives should be physically destroyed.

Third-party disclosure—most practices have subcontractors and business associates, and if these associates violate HIPAA, then YOU are legally responsible for their non-compliance! Businesses must ensure any third-party associates have policies in place regarding HIPAA compliance.

Unauthorized release of information—unless the patient is a dependent or Power of Attorney has been granted, PHI cannot be released to anyone other than the patient, including family members, without the patient’s signed consent.

Using or selling PHI for personal gain—employees with access to PHI aren’t always honest, and whether they simply snoop to satisfy personal curiosity or actually use or sell patients’ PHI for personal gain, this is a serious infraction.

Unsecured records—under HIPAA, electronic and paper files containing PHI must be secured. This includes making sure electronic devices are password protected and paper files are stored in secure, locked areas. This also applies to leaving paperwork with PHI out in the open (such as on a desk) where it can be seen by prying eyes.

Overheard information—discussing PHI, even with co-workers or other authorized parties, in public places or anywhere it can be overheard by others is asking for trouble. This is tantamount to discussing PHI with your significant other or best friend, or posting about it on social media.

Ensuring all personnel are properly trained and have a good understanding of HIPAA is vital to preventing violations. Employers can take precautions such as encrypting data, password protecting electronic devices, and securing records; however, employees are personally responsible for exercising integrity with regard to PHI and for not releasing confidential information in person, via the telephone, electronically, or on social media.

Additionally, the HIPAA Breach Notification Rule “requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.” A breach is an improper disclosure of PHI which compromises the information’s security, privacy, or both, and there are breach notification guidelines that include notification of the affected individuals, the Secretary of the U.S. Department of Health and Human Services, and possibly the media.

It is in the best interest of professionals and patients alike to abide by HIPAA—not only that, but it’s the law. As U.S. citizens we have a right to the privacy and security of our personal information, and in the digital age we all must be especially vigilant in preserving this right.

Written by: Margaret Durkovic