Ensuring the security, privacy, and protection of patients' healthcare data is critical for all healthcare personnel and institutions, and in an age of fast-evolving information technology this is truer than ever. In the past, healthcare workers often collected patient data for research and usually omitted only the patients' names. That is no longer permitted: any protected health information (PHI) that could identify a patient, or the patient's relatives, employers, or household members, must be removed before the data is used for research. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted into federal law to ensure that patient medical data remains private and secure. The law has two main rules: the Privacy Rule, which governs the use and disclosure of individuals' health information in any form, and the Security Rule, which sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). PHI is individually identifiable health information: demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to the individual, or payment for that care, together with anything that identifies the individual. The Privacy Rule's "safe harbor" de-identification method lists 18 identifiers that must be removed before data counts as de-identified: names, geographic units smaller than a state, dates other than the year, telephone and fax numbers, email addresses, Social Security, medical record, health plan, account and license numbers, vehicle and device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number, characteristic, or code.
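As an added worked example (not part of the original article), the following Python removes the safe harbor identifiers from a patient record before it is shared for research. The field names, the sample record, and the ZIP-prefix set are constructed for the example; the generalization rules (ZIP codes cut to three digits, or 000 for sparsely populated areas; dates reduced to the year; ages over 89 reported as 90+) follow 45 CFR 164.514(b)(2). Regular expressions only catch identifiers with a recognizable shape, so a real de-identification pipeline also needs a review pass for names and other free-text identifiers.

```python
import re

# Fields removed outright. Field names are assumed for this example; the
# categories are the safe harbor identifiers of 45 CFR 164.514(b)(2).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "photo_ref",
})

# Date-valued fields (ISO yyyy-mm-dd) reduced to the year. Assumed names.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date", "death_date"})

# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# Illustrative subset for the example; load the full Census-derived list in production.
RESTRICTED_ZIP3 = frozenset({"036", "059", "102", "203", "556", "692",
                             "821", "823", "878", "879", "884", "893"})

# Shape-based patterns for identifiers embedded in free text.
_MDY_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")  # keep the year only
_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\bMRN\s*#?\s*\d+\b", re.IGNORECASE), "[MRN]"),
)


def generalize_zip(zip_code: str) -> str:
    """First three ZIP digits, or 000 when that prefix is too sparsely populated."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single 90+ category."""
    return "90+" if age > 89 else str(age)


def year_only(iso_date: str) -> str:
    """All date elements except the year are removed."""
    return iso_date[:4]


def scrub_text(text: str) -> str:
    """Redact shape-recognisable identifiers from free text (best effort only)."""
    text = _MDY_DATE.sub(r"\1", text)
    for pattern, token in _TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a safe harbor de-identified copy of a flat patient record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                # drop the field entirely
        if field == "zip":
            out[field] = generalize_zip(value)
        elif field == "age":
            out[field] = generalize_age(int(value))
        elif field in DATE_FIELDS:
            out[field] = year_only(value)
        elif isinstance(value, str):
            out[field] = scrub_text(value)          # clinical text may embed identifiers
        else:
            out[field] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "00421337",
    "dob": "1931-05-14",
    "age": 93,
    "zip": "03601",
    "admit_date": "2024-02-03",
    "phone": "603-555-0142",
    "diagnosis": "I21.4 Non-ST elevation myocardial infarction",
    "note": "Pt seen 02/03/2024, spouse reachable at 603-555-0199; prior MRN 00421337. Follow up 03/01/2024.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Running it on the sample record drops the name, MRN, and phone fields, reduces both dates to their years, reports the age as 90+, turns the sparsely populated ZIP prefix into 000, and replaces the embedded phone number and MRN in the note with placeholder tokens. Safe harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the patient, which no regex can establish on its own.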
HIPAA was enacted to encompass three areas of patient care:
- Portability of insurance or the ability of a patient/worker to move to another place of work and be certain that insurance coverage is not denied
- Detection and enforcement of fraud and accountability
- Simplification of administrative procedures in health care and related professions, the area in which records are communicated and transmitted electronically. With improved technology, the role of wearable devices and smartphones in disclosing PHI is now under scrutiny.
The penalties for failing to comply with HIPAA can be severe.
HIPAA applies to covered entities, meaning health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with transactions such as claims, and to their business associates. If, as a healthcare worker, you transmit or even discuss PHI with people who are not involved in that patient's care, you violate HIPAA. The Privacy Rule does permit the use and disclosure of PHI without the patient's authorization for treatment, payment, and healthcare operations; this includes consultation between providers about a patient, referrals, and reporting required by law for public health and safety. These permitted uses cover the majority of clinical uses of PHI. Other disclosures require the patient's explicit written authorization, and the rules apply to everyone in a healthcare facility, including:
- Administrative personnel
- Janitorial service
- All other healthcare professionals
The HIPAA policies also apply to interns and volunteers who work under supervision at a clinic or hospital, and to third-party contractors and business associates, including:
- External laboratories
- External imaging services
- Outside computer repair contractors
- Accredited agencies that conduct patient surveys
- Medical equipment companies
- Pharmaceutical salespeople
HIPAA defines PHI broadly as individually identifiable health information in any form: transmitted or maintained electronically, on paper, or spoken aloud. Oral communication of individually identifiable health information is PHI just as much as an electronic record is. For example, if a surgical resident discusses a procedure in a crowded elevator and mentions anything that identifies the patient, that is a HIPAA violation. Most records held by healthcare institutions and clinics meet the definition of PHI, including:
- Admission profile
- Billing records
- Patient profile
- Prescription records
- Discharge and follow up appointments
Hence all healthcare institutions and clinics must satisfy HIPAA standards for security and privacy.
Where is the HIPAA Privacy Rule Applicable?
The HIPAA Privacy Rule applies in almost every department of a medical facility and follows staff outside it: the confidentiality of PHI must be preserved when walking to the parking lot with a colleague or when working over a home internet connection. Only the minimum health information necessary should be disclosed in the course of any service, and this applies to human resources and ancillary services as well. For example, when a pharmacist dispenses medication, he or she should ask the patient only whether they know how and when to take it and remind them to follow up with their provider; an in-depth discussion within earshot of other customers is not appropriate. The same restraint applies to exchanges between healthcare workers who are actively involved in the patient's care. A radiologist may ask the ordering resident why the patient is having a test, to confirm that the procedure is necessary and the best choice, but may not discuss the case with a third party who is not treating the patient. For any disclosure outside treatment, payment, and healthcare operations, the patient's written authorization must be obtained first. These rules apply not only to verbal communication but to all written and electronic text.
In addition to HIPAA, many states have their own restrictive rules on the privacy of PHI, which may be far more stringent than HIPAA, particularly for patients with infectious diseases such as HIV, mental health conditions, certain genetic disorders, and substance use disorders. There are also federal rules more stringent than HIPAA, such as the confidentiality rules for substance use disorder treatment records (42 CFR Part 2). This does not make HIPAA void where stricter rules apply: HIPAA sets the floor, and where a more stringent privacy rule is in place, the more stringent rule takes precedence. All healthcare workers must be aware of both HIPAA and the state and federal rules that govern PHI in their setting.
Contents and Authorizations
When a patient is admitted to a healthcare institution, he or she must be given a notice of privacy practices explaining the patient's privacy rights, what PHI will be shared, and for what purposes. HIPAA requires this notice for all patients, regardless of age or gender. The institution must make a good-faith effort to obtain the patient's signed acknowledgment that the notice was received and must keep a copy on file. If the patient cannot or will not sign, the reason must be documented and witnessed; if another person signs, the reason why that individual is signing must be documented. Once the notice has been acknowledged, the institution does not need to ask the patient repeatedly for permission to use PHI in the course of normal care. If the patient's health situation changes or the patient raises additional privacy concerns, this should be documented in the record. The patient may, for example, ask that no family member or friend be allowed to pick up his or her medications, or that staff not discuss the health condition with family or friends.
Security With Flexibility
The HIPAA Security Rule gives healthcare institutions a practical and flexible framework for implementing safeguards. Its implementation specifications are either required or addressable: required specifications must be implemented as written, while for addressable ones the institution must assess whether the specification is reasonable and appropriate in its environment and then either implement it, implement an equivalent alternative, or document why neither is needed. This lets an organization choose measures consistent with its resources, infrastructure, and operations, but "addressable" does not mean optional.
What are Some Exclusions to a Patient’s PHI?
Certain categories of information are treated differently from the rest of the record: they are excluded from the patient's right of access, require a separate written authorization before release, or carry extra protection under other law. They include:
- Psychotherapy notes, which a clinician keeps apart from the rest of the record and which, under HIPAA, may not be disclosed to anyone other than the clinician who wrote them, even for treatment, without the patient's explicit written authorization
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding
- Sensitive laboratory results, such as tests for sexually transmitted infections, which many state laws protect more strictly than HIPAA does
When Can PHI be Disclosed Without Consent?
- When the patient cannot consent or is unavailable and disclosure is required by law, serves a public health purpose, or reports suspected child abuse or neglect
- In the course of a compliance or fraud investigation by the US Department of Health and Human Services
- When the patient is incapacitated or not present and a provider, using professional judgment, shares information relevant to a family member's or caregiver's involvement in the patient's care, for example while arranging that care over the phone
Images and Videos
It is important to understand that HIPAA violations occur not only through spoken or written disclosure of PHI but also through posted images. For example, cosmetic surgeons who routinely post preoperative and postoperative photographs of patients, and surgeons who record surgical procedures, must obtain the patient's written authorization. Where the face is not clinically necessary, it should be obscured. Professionals are also prohibited from using patients' names in case reports; anything that can identify a patient must be removed.
Specific HIPAA Rules That Pertain to PHI Security
- Ensure that there is integrity, confidentiality, and security of all electronic PHI that the healthcare institution creates, maintains, receives, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such data
- Protect against any reasonably anticipated use or disclosure of information that is not permitted or required
- Ensure compliance among the workforce
- Have flexibility in the system, so patient care is not compromised
- Covered entities may use any security that meets the minimal standards
- The type of security depends on the size, complexity, and capabilities of the covered entity
Issues of Concern
The HIPAA security requirements place significant emphasis on risk analysis, especially now that electronic healthcare technology is the norm. Hospitals must work not only with their own healthcare workers but also with third-party contractors, vendors, and solo practitioners to identify and implement appropriate security controls for the data they share. The internet is perhaps the largest channel for data leaks. When ePHI is transmitted over the internet, it must be encrypted in transit (for example, over TLS) so that it cannot be read or altered by an eavesdropper. For example, an independent provider whose patient is admitted to the hospital will send the patient's medical history to the hospital over the internet; that transmission must be encrypted. Encryption of healthcare records in transit and at rest is now standard, many software products support it, and under HHS guidance ePHI that was properly encrypted does not count as "unsecured" PHI, so its loss or theft does not trigger breach notification.
Use of Wireless Networks
Many healthcare workers now reach medical records over wireless networks. Any wireless network that carries ePHI must have strong encryption and authentication enabled (WPA2 or WPA3, preferably in Enterprise mode with per-user 802.1X credentials, and never an open network or the broken WEP protocol). Healthcare workers must also be told not to use unencrypted wireless networks, such as public hotspots, for anything involving PHI, because of the risk of interception.
Storage of PHI Data
Another area of great concern is the storage of PHI on hard drives, especially on portable devices such as laptops, flash drives, and other removable media. Over the years, many privacy breaches have resulted from stolen or lost laptops and flash drives. Healthcare workers should refrain from storing patient data on such devices at all; where it must be stored, the device must use full-disk encryption so that a stolen drive yields nothing. Another option is to use the laptop only to view data held on a central server or cloud system and never to store a local copy.
All healthcare workers who access patient records must have a unique account with a strong password that is never shared. The password should be long and not guessable or predictable with readily available cracking tools; the information technology (IT) department should enforce a minimum length and check candidate passwords against lists of known compromised passwords before access is granted. Many institutions still require a mix of letters, numbers, and symbols and a change every 3 to 4 months, although current NIST guidance (SP 800-63B) favors length and screening against compromised passwords over composition rules and forced periodic rotation, reserving a mandatory change for suspected compromise. No worker should write a password on a sticker near the computer or leave it on a desk, as this defeats the purpose. Passwords alone are a weak control, however, and should be combined with a second authentication factor.
Unique User Identification
There have been many instances in which healthcare workers and non-clinical staff who were not involved in a patient's care accessed the medical records of celebrities and other prominent people, in some cases to pass the information to tabloids. The Security Rule's audit-controls standard, reinforced by the breach-notification and accounting-of-disclosures provisions that the Health Information Technology for Economic and Clinical Health (HITECH) Act added, requires systems that record who signed on and off, when, which patient records they accessed, and whether they downloaded anything. This is why every user must have a unique identifier and credentials that are never shared: with a shared account, the audit trail cannot attribute an access to a person when a breach is investigated.
Today many healthcare institutions require stronger authentication. Besides the password, some systems require a second factor such as a badge tap, a hardware token, or a biometric; some hospitals use fingerprints to identify the person logging in, and others have added facial recognition.
To enforce the minimum necessary standard, organizations also limit what each user can see according to their role (role-based access control). A laboratory technologist needs access to the patient's laboratory record but not to the full medical history; a pharmacist may need the medication list and the parts of the history relevant to drug reactions and allergies; an internist treating the patient needs most of the chart. Role-based access is becoming standard, and the limited studies available indicate that it is effective in protecting patient data.
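The following Python is an added example (not code from the article or from any EHR vendor) that ties the three preceding points together: each user acts under a unique ID, a role-to-sections map enforces the minimum necessary view of the chart, every access attempt is written to an audit trail, and a review function flags successful accesses by users who are not on the patient's care team, the pattern behind the celebrity-chart cases. Role names, chart sections, user IDs, and the sample chart are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Minimum necessary expressed as role -> chart sections. Role and section
# names are assumed for this example, not taken from any real EHR.
ROLE_VIEWS = {
    "lab_tech": frozenset({"lab_results"}),
    "pharmacist": frozenset({"medications", "allergies"}),
    "internist": frozenset({"demographics", "problem_list", "medications",
                            "allergies", "lab_results", "progress_notes"}),
}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail entry: who, when, which patient, which sections, outcome."""
    timestamp: str
    user_id: str      # unique per person; a shared account makes this meaningless
    role: str
    patient_id: str
    sections: tuple
    outcome: str      # "view", "download" or "denied"


class AccessDenied(PermissionError):
    pass


def access_chart(audit_log, user_id, role, patient_id, chart, sections,
                 action="view", now=None):
    """Return only the requested sections that the caller's role may see.

    Every attempt, successful or not, is appended to audit_log so the trail can
    later answer "who looked at this patient, when, and what did they take".
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    requested = tuple(sorted(sections))
    allowed = ROLE_VIEWS.get(role, frozenset())
    if not set(requested) <= allowed:
        audit_log.append(AuditEvent(stamp, user_id, role, patient_id, requested, "denied"))
        raise AccessDenied(f"role {role!r} may not access {sorted(set(requested) - allowed)}")
    audit_log.append(AuditEvent(stamp, user_id, role, patient_id, requested, action))
    return {s: chart[s] for s in requested if s in chart}


def flag_non_treating_access(audit_log, care_team):
    """Access review: successful accesses by users not on the patient's care team.

    care_team maps patient_id -> set of user_ids with a treatment relationship.
    """
    return [e for e in audit_log
            if e.outcome != "denied"
            and e.user_id not in care_team.get(e.patient_id, frozenset())]


# Constructed sample data; not real patient information.
CHART = {
    "PT-1001": {
        "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
        "problem_list": ["hypertension"],
        "medications": ["lisinopril 10 mg daily"],
        "allergies": ["penicillin"],
        "lab_results": {"potassium": "4.1 mmol/L"},
        "progress_notes": ["Admitted for chest pain; troponin negative."],
    }
}
CARE_TEAM = {"PT-1001": frozenset({"u.lab42", "u.rx07", "u.md19"})}


def run_demo():
    """Three accesses: one permitted, one blocked by role, one flagged on review."""
    log = []
    when = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    patient = CHART["PT-1001"]
    lab_view = access_chart(log, "u.lab42", "lab_tech", "PT-1001", patient,
                            ["lab_results"], now=when)
    try:  # pharmacist asks for progress notes: outside the role's minimum necessary
        access_chart(log, "u.rx07", "pharmacist", "PT-1001", patient,
                     ["medications", "progress_notes"], now=when)
    except AccessDenied:
        pass
    # An internist whose role permits notes but who is not treating this patient.
    access_chart(log, "u.md88", "internist", "PT-1001", patient,
                 ["progress_notes"], action="download", now=when)
    return lab_view, log, flag_non_treating_access(log, CARE_TEAM)


if __name__ == "__main__":
    view, log, flagged = run_demo()
    for event in log:
        print(event)
    print("flagged for review:", [(e.user_id, e.outcome) for e in flagged])
```

The third access passes the role check, because an internist is normally entitled to progress notes, and is caught only by the care-team review. That is the point of keeping the audit trail and the access review as controls separate from role-based authorization: role tells you what a class of user may see, the treatment relationship tells you whether this user had any business looking at this patient, and only a log keyed to unique user IDs can answer the second question after the fact.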
Electronic Health Records
HITECH was enacted to promote the widespread adoption and meaningful use of electronic health records (EHRs) and related technologies. Among other things, HITECH requires covered entities that use an EHR to be able to account for disclosures of information made through it. When a patient asks for an electronic copy of their records, HITECH also requires that the PHI maintained in the EHR be provided in electronic form. The proposed rule defines an EHR very broadly as "any electronic data." Furthermore, healthcare entities must honor a patient's request not to share PHI about a particular item or service with a health plan if the patient pays for that care out of pocket and in full.
Audits and Risk Assessment
Once a security system is in place, risk management should audit the system to look for any flaws and identify any gaps in maintaining the integrity, confidentiality, and security of PHI. All risks identified must go through a HIPAA-compliant risk management process and the flaws rectified. Risk analysis is not a one-shot deal but must be conducted regularly because new technology is constantly introduced. This is also repeated whenever there is a change in clinical practice.
Dedicated IT Staff
All healthcare institutions should employ staff dedicated to maintaining the security and privacy of PHI. In most cases, a team of IT and security professionals should ensure that everyone follows the established policies and procedures and uses the systems appropriately. It is this team's job to conduct regular audits of HIPAA compliance.
While HIPAA permits the use of PHI for treatment, payment, and healthcare operations, including pharmacy, rehabilitation, and outpatient services, any other use or disclosure must be authorized by the patient in writing before PHI is released; enrollment in a clinical trial, for example, follows its own authorization protocol. Sending records to another provider for the patient's treatment, including a provider out of state, needs no authorization, but when a patient asks that a copy of the record be sent to a third party of their choosing, the request must be in writing, signed by the patient, and must clearly identify the recipient.
Ensure that business associate agreements are in place. A business associate is a third party that creates, receives, maintains, or transmits PHI while performing a service on the hospital's behalf, such as a billing company, an EHR or cloud-hosting vendor, an outside IT repair contractor, or a records-shredding service. Before such a party receives PHI, it must sign a written business associate agreement committing it to HIPAA's safeguards, and under HITECH business associates are directly liable for Security Rule compliance. Another provider that treats the same patient, for example an outpatient rehabilitation unit or a radiation therapy center, is not a business associate: PHI may be shared with it for treatment without an agreement, and it must comply with HIPAA as a covered entity in its own right.
In the past, it was routine for healthcare workers to share patient information with family and friends, sometimes out of concern or in an attempt to help. This is no longer acceptable, and a provider who does so can violate the law. HIPAA does not permit deliberate or accidental disclosure of PHI outside the permitted purposes. A disgruntled healthcare worker who steals PHI and shares it for money or revenge can be held liable, and PHI may also be disclosed accidentally when a patient's chart is left unattended in the lobby or the radiology suite. When a chart travels with the patient on a trolley, the transporter must know not to leave it where it may be read, inadvertently or deliberately, by persons not directly involved in that patient's care.
Under HIPAA, patients have a legal right to inspect and obtain copies of the PHI in their designated record set, which includes their medical and billing records, for as long as the covered entity maintains it; the separate right to an accounting of disclosures reaches back six years. Psychotherapy notes and information compiled for legal proceedings are excluded from the right of access. A covered entity may deny access only on narrow grounds, for example when a licensed healthcare professional determines that access is reasonably likely to endanger the life or physical safety of the patient or another person, and most such denials can be appealed to a second professional. The covered entity may require that the request be made in writing and must normally respond within 30 days.
Inform Patients of Privacy Practices
All healthcare facilities covered by HIPAA must document their privacy practices and share that information with patients. When patients ask for HIPAA information, they should be given the notice and asked to sign an acknowledgment that they received it.
Patient Rights under HIPAA
HIPAA gives patients rights, some of which they may not be aware of. The most important rights of patients under HIPAA include the following:
- Right to receive a notice of privacy practices
- Right to restrict PHI disclosures
- Right to request how PHI is handled and communicated to them. For example, a patient may ask that messages from the pharmacist or the hospital be sent by mail to his home rather than left on his home voicemail
- Right to inspect and review their PHI. If the patient believes something in the PHI is erroneous, they have the right to request an amendment. The provider may accept the request or deny it in writing, in which case the patient may file a statement of disagreement that becomes part of the record. For example, a nurse diagnosed with bipolar disorder may, after treatment, want the diagnosis deleted from the chart; an accurate diagnosis cannot be deleted on request
- Right to obtain a copy of their PHI
- Right to receive an accounting of where PHI disclosures have been made
- Right to file a complaint with the HHS Office for Civil Rights if the patient believes PHI has been improperly used or disclosed
HIPAA and Communication With Patients
HIPAA's minimum necessary standard means disclosing only the information that is needed, in order to protect patients' privacy. When speaking to a patient in a room with other patients, do not go beyond greetings and general remarks. If the results of a biopsy or surgery must be communicated, ask the patient to come to a private room, and even then disclose only what is relevant. Where other patients are unavoidably present, for example in the recovery room or intensive care unit (ICU), keep the discussion broad and avoid naming any specific procedure or diagnosis. Similarly, in outpatient clinics, never discuss PHI in the hallway; wait until the patient is seated in a private room.
HIPAA permits disclosure of PHI to a spouse, parents, legal guardians, and other caregivers involved in the patient's care without written authorization, provided the patient has been given the opportunity to object and has not done so. If something specific needs to be discussed while other individuals are present, first ask the patient whether he or she objects.
When Can Information Be Shared?
Healthcare workers should know that sharing PHI for treatment is permitted under HIPAA without the patient's authorization. Permitted treatment uses include the following:
- Discussing diagnosis, workup, and treatment with other healthcare providers
- Performing imaging and laboratory tests and disclosing the results to other providers
- Providing imaging results, or discussing the patient's history, when submitting surgical samples to those who perform further diagnostic tests
- When referring a patient to another facility or obtaining a consult
- When calling the pharmacist over the phone to dispense medication to a patient
As long as healthcare providers are sharing PHI in order to treat the patient, HIPAA does not restrict them, unless the patient has asked that data not be disclosed to a particular provider and the institution has agreed to that restriction. Caution is still warranted: when asking a technician to start an intravenous line for a patient who needs chemotherapy, the provider does not have to tell the technician why the patient needs the line.
- Similarly, when healthcare providers consult with other providers, the HIPAA privacy rule does not prohibit them from engaging in such conversations. However, these conversations should be held away from the public and in private rooms. One should not obtain a telephone consult from a phone line in the cafeteria where others can hear the conversation.
- Healthcare staff may communicate verbally at the nurse desk to coordinate activities.
- A healthcare provider may discuss a patient's medical status over the phone with another provider, with the patient, or with family members involved in the patient's care.
- Healthcare workers may discuss a patient's medical condition in an academic institution, or during rounds.
- In emergency situations, the law does permit entities to engage in communication as required to ensure the proper delivery of healthcare.
All healthcare institutions should establish specific guidelines on email communication from patients. Some of the recommendations include the following:
- The patient's name should not appear in the subject line
- Make sure that the patient email is correct
- Only transmit the bare minimal information in an email
- Have a standard disclaimer at the end of every email
- All emails containing PHI must be encrypted
- Do not use your non-work email to communicate with a patient. For example, you should never use commercial email accounts, but use the email system set up by the institution
Like emails, there should be specific policies and guidelines regarding the use of faxes to transmit medical information. Some of the recommendations include the following:
- All fax machines must be located in a secure area away from the public, patients, and most healthcare workers
- The first page of the fax should always be a disclaimer indicating what to do if the fax is sent to a wrong number
- Unless it is an emergency, faxes should be sent only during working hours, so that incoming faxes are picked up promptly and not left lying in the fax tray
- After sending a fax, confirm with the recipient that it has arrived and been picked up
Today, computers play a critical role in healthcare and store a vast amount of PHI. Hence, these devices must be secure. Some of the recommendations for computer use include the following:
- The computers should be kept in a place where they are not accessible to the public or patients
- The screen should not be visible to the patients or public
- Healthcare providers should log off each time they step away from a workstation, even for a few minutes, and log back in on return; screens should also lock automatically after a short period of inactivity
- Every healthcare worker should have a unique user ID and password
- The password should never be shared with anyone else
Clergy and Other Religious Figures
The HIPAA privacy rule permits religious figures and clergy to be informed of individuals belonging to their denomination that are in a hospital, as long as the patient has first been informed and has no objection. Patients should be asked about these preferences when they are first admitted to the hospital and asked to sign a paper regarding who they want as a visitor and who should be notified.
During an emergency, or when the patient is incapacitated and has not been able to provide consent, disclosures can still occur. However, the disclosure has to be consistent with the individual's best interest in mind. One has to use not only good judgment but also involve administration and risk management in decision making. Everything should be documented as to why a particular course of action was undertaken.
Disposing of PHI
When disposing of medical records, labels, and prescription labels, the documents should be shredded or incinerated so that they cannot be reconstructed. PHI on a computer must be rendered unrecoverable before the machine is disposed of, and the same applies to any removable media. Simply deleting files is not enough, and overwriting is not reliable on solid-state drives, so use cryptographic erasure (destroying the key of an encrypted drive) or physical destruction, following NIST SP 800-88 media sanitization guidance. The people in charge of shredding or disposal must be properly vetted to make sure the records are destroyed and not simply taken home.
During a visit or medical encounter, pharmacies and hospitals may obtain a signed authorization from the patient before service, allowing that entity to access the patient's PHI during care. The form must state when the authorization begins and when it expires; it remains valid only until the expiration date and can be renewed. So if a patient has signed an authorization to release his records to a psychiatrist, the records may be sent during that period, but PHI may not be sent to other healthcare entities without additional authorization, nor outside the specified time frame. If the patient is unavailable or unable to authorize and it is a matter of life or death, PHI may be disclosed without authorization, with the decision documented and reviewed by risk management. Other cases where PHI may be disclosed without authorization include suspected child abuse, elder neglect, public health reporting required by law, and suspected fraud.
It is imperative that the entire staff know about HIPAA. Thus, regular education seminars must be conducted. The teaching not only applies to regular staff but all interns and volunteers who come into contact with PHI. The staff must be fully trained, updated regularly, and made aware of HIPAA rules that apply to them.
Reporting HIPAA Violations
Breaches of unsecured PHI must be self-reported to the Department of Health and Human Services (HHS). If a breach affects 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after the breach is discovered; the affected individuals must be notified within the same period, and prominent media outlets must be notified when more than 500 residents of a state or jurisdiction are affected. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Penalties may increase if a breach is not self-reported and is instead discovered through the media or a complaint.
Who Monitors Hospitals and Healthcare Workers for HIPAA Compliance?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is responsible for enforcing the HIPAA Privacy and Security Rules. It does so in the following ways:
- Performs an investigation after receiving complaints from patients
- Will perform an audit to ensure compliance is maintained. OCR may select an institution at random for an audit
- Conducts education seminars and outreach to boost compliance; an audit may follow these sessions without advance notice
- Opens compliance reviews in response to media reports of PHI being exposed or disposed of improperly
The Investigation Protocol
Once OCR receives a complaint of HIPAA violation, it gathers the information and tries to determine if the privacy and security rules were violated. If the problem is a minor case of noncompliance, OCR will initially try and resolve the matter with the respective institution in the following ways:
- Recommend voluntary compliance
- Recommend some type of corrective action
- Resolution agreement
For those institutions that fail to comply with HIPAA, there may be criminal and civil penalties. If the complaint received indicates a violation of the criminal provision of HIPAA, then the matter may be referred to the department of justice (DOJ) for further investigation.
Civil and Criminal Violations
When a healthcare institution fails to resolve the matter satisfactorily, OCR may impose civil monetary penalties based on the seriousness of the noncompliance. The amount is set by the Secretary of HHS within statutory tiers and depends on the nature and extent of the violation and of the harm that resulted. The Secretary may not impose a civil penalty for a violation that was not due to willful neglect and is corrected within 30 days of the date the entity knew, or should have known, of it. Criminal violations of HIPAA are prosecuted by the DOJ. The statute provides fines of up to $50,000 and imprisonment of up to one year for knowingly obtaining or disclosing PHI in violation of the law, up to $100,000 and five years where false pretenses are involved, and up to $250,000 and ten years where PHI is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.
Criminal Violation of HIPAA Rules
Criminal penalties for HIPAA violations apply to the following entities:
- Health plans
- Health care clearinghouses
- All health care providers who transmit claims electronically
- Medicare prescription drug card sponsors
Besides institutions, individuals can also be charged with criminal violations of HIPAA, including employees, directors, officers, nurses, secretaries, and telephone operators. Even individuals not directly liable under HIPAA may be charged with aiding and abetting or conspiracy. Finally, HHS has the authority to exclude an individual or healthcare institution from participation in Medicare, either temporarily or permanently.
It is critical to understand that no matter how large or small the institution, or how many or few healthcare workers it employs, each entity can be penalized for HIPAA violations. The monetary penalties can be dramatic, and OCR also lists breaches affecting 500 or more individuals on a public breach portal and announces settlements and corrective action plans, which can quickly ruin the reputation of a facility or provider.
Can Patients Sue a Healthcare Facility or a Healthcare Worker for Violating HIPAA?
For example, a pharmacist calls up the home of a patient, but no one answers the phone. Then he leaves a message asking when you will be coming up to pick up your HIV medications. The patient can claim that no one in the home knew about his HIV status and now the pharmacist has disclosed his private health condition to everyone in the home. Can the patient sue the pharmacist?
When a healthcare worker or facility violates HIPAA, the patient's recourse under HIPAA itself is to file a complaint with OCR: the statute creates no private right of action, so a patient cannot sue for a HIPAA violation as such. However, patients may sue under state law, for example for negligence, breach of confidentiality, or professional malpractice, and courts have allowed HIPAA's requirements to be cited as the standard of care in such cases.
Avoiding HIPAA Violations
Preventing HIPAA violations is not difficult. First, get professional help from a HIPAA expert.
- Develop a code of conduct booklet and write down all the policies and procedures that everyone must follow.
- Do not let anyone get away with violations of policies because, in the end, it is the healthcare provider who will have to face the legal system.
- If a provider or institution already has HIPAA policies in effect and has nonetheless suffered a violation, consult a HIPAA specialist to identify the deficiencies and the corrective actions. These specialists provide comprehensive education, practical guidance, and seminars for staff on HIPAA rules and regulations. It is money well spent, because a HIPAA violation is a very expensive ordeal.
Civil penalty tiers (the amounts enacted under HITECH in 2009; HHS adjusts them annually for inflation)

Tier                           Per violation           Cap for identical provisions in a calendar year
Did not know                   $100 to $50,000         $1.5 million
Reasonable cause               $1,000 to $50,000       $1.5 million
Willful neglect (corrected)    $10,000 to $50,000      $1.5 million
Willful neglect (uncorrected)  $50,000                 $1.5 million

In 2019 HHS announced that, as a matter of enforcement discretion, it would apply lower annual caps to the first three tiers ($25,000, $100,000, and $250,000 respectively), keeping the $1.5 million cap only for uncorrected willful neglect.
- HIPAA has been enacted to ensure the privacy and security of PHI.
- Each healthcare institution may set up unique policies and procedures, but they must conform to HIPAA guidelines.
- With evolving technology, one must keep updated with HIPAA and ensure that PHI remains protected.
- Ensure that all the workers in the organization know the HIPAA policies and procedures.
- Be stringent with workers who break HIPAA rules because eventually, there will be a cost.