Ensuring the security, privacy, and protection of patient healthcare data is critical for all healthcare personnel and institutions. In this age of fast-evolving information technology, this is truer than ever before. In the past, healthcare workers often collected patient data for research and usually omitted only the patients' names. This is no longer permitted: now any protected health information (PHI) that can identify a patient or the patient's relatives, employers, or household members must be removed before the data is used for research. The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted into federal law to ensure that patient medical data remains private and secure. There are two main sections of the law: the Privacy Rule, which addresses the use and disclosure of individuals' health information, and the Security Rule, which sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule specifies 18 elements that constitute PHI. These identifiers include demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual.
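As an added example (not part of the original article), the following Python code shows how the Safe Harbor de-identification method, which strips the identifier categories named in the Privacy Rule before data is released for research, can be applied to a structured record. The field names, the two sample records, and the small set of restricted ZIP prefixes are constructed assumptions; the handling of dates (year only), ages over 89 (aggregated to "90+"), and three-digit ZIP codes follows 45 CFR 164.514(b)(2). It also scans free-text fields, since identifiers typed into a note survive any field-level rule.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example, not part of the original article. The field names, sample
records and the restricted ZIP prefix set are constructed for illustration.
"""
import re
from datetime import date

# Identifier categories that Safe Harbor (45 CFR 164.514(b)(2)) requires to be
# removed outright, keyed by the constructed field names used in this example.
REMOVE_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: every element except the year is removed.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# PLACEHOLDER (assumption): three-digit ZIP prefixes covering 20,000 people or
# fewer must be reported as "000". The real set comes from census data.
RESTRICTED_ZIP3 = {"036", "059"}

# Patterns used to catch direct identifiers that leak into free-text fields.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code, restricted=RESTRICTED_ZIP3):
    """Keep the first three digits of a ZIP code, or "000" for low-population prefixes."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 3 or digits[:3] in restricted:
        return "000"
    return digits[:3]


def age_at(dob, as_of):
    """Whole years between two dates."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def scan_free_text(text):
    """Return the sorted identifier types found in a note or comment field."""
    return sorted(kind for kind, rx in FREE_TEXT_PATTERNS.items() if rx.search(text))


def deidentify(record, as_of_field="admission_date"):
    """Apply the Safe Harbor rules to one record and return the de-identified copy."""
    dob = date.fromisoformat(record["birth_date"])
    as_of = date.fromisoformat(record[as_of_field])
    age = age_at(dob, as_of)
    over_89 = age > 89  # ages over 89 are aggregated into a single "90+" bucket
    out = {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            continue
        if field in DATE_FIELDS:
            # For patients over 89 even the birth year would reveal the age.
            if field == "birth_date" and over_89:
                continue
            out[field + "_year"] = date.fromisoformat(value).year
        elif field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str) and scan_free_text(value):
            # Free text that still carries an identifier is withheld rather than released.
            out[field] = "[REDACTED: contained " + ", ".join(scan_free_text(value)) + "]"
        else:
            out[field] = value
    out["age"] = "90+" if over_89 else age
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "mrn": "MRN-0001", "ssn": "123-45-6789",
     "email": "jane@example.org", "birth_date": "1980-05-20",
     "admission_date": "2018-06-03", "zip": "02139", "state": "MA",
     "diagnosis": "Type 2 diabetes mellitus",
     "note": "Follow-up call at 617-555-0123 before discharge."},
    {"name": "John Doe", "mrn": "MRN-0002", "birth_date": "1927-08-01",
     "admission_date": "2018-06-03", "zip": "03601", "state": "NH",
     "diagnosis": "Hip fracture", "note": "Lives with daughter."},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec))
```

The second sample record shows the two edge cases that are most often missed: a patient over 89 loses the birth year as well as the exact date, and a ZIP code in a low-population prefix collapses to "000" rather than to its first three digits.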
HIPAA was enacted to encompass three areas of patient care:
The penalties for failing to comply with HIPAA can be severe.
HIPAA applies to all healthcare institutions and healthcare workers who submit claims electronically. For example, if you are a healthcare worker and transmit or even discuss PHI with others who are not involved in that patient's care, then you violate HIPAA. However, a HIPAA rule permits disclosure of PHI without prior consent for healthcare operations, treatment, and payment. This includes consultation between providers regarding a patient, referral of a patient, and information required by law for public health safety and reporting. These exceptions cover the majority of clinical uses of PHI. Other disclosures demand explicit patient consent and apply to everyone in a healthcare facility, including:
The HIPAA policies also apply to any interns and volunteers who work under supervision at a health clinic or hospital, third-party contractors or business associates, including:
HIPAA broadly defines PHI as any health information that is transmitted or maintained in electronic media. It is also important to know that PHI is not restricted to electronic transmission: any oral communication of individually identifiable health information also constitutes PHI. For example, if a surgery resident speaks about a surgical procedure in an elevator full of people, that can be a HIPAA violation if any PHI is mentioned. The majority of medical records in healthcare institutions and clinics meet the definition of PHI, some of which include:
Hence all healthcare institutions and clinics must satisfy HIPAA standards for security and privacy.
Where is the HIPAA Privacy Rule Applicable?
The HIPAA Privacy Rule applies to almost every department in a medical facility; even when walking to the parking lot with a colleague or using the internet at home, the confidentiality of PHI must be preserved. Only the minimum health information that is necessary should be disclosed during any health care service, and this also includes human resources or ancillary services. For example, when a pharmacist is about to dispense medication to a patient, he or she should only ask the patient whether they know how to take the pill and when to take it, and remind them to follow up with their healthcare provider. No in-depth discussion with the patient in full view of other people is permitted. This rule also applies to healthcare providers who exchange information with other healthcare workers who are actively involved in patient care. For example, a radiologist may ask the ordering medical resident a few questions about why the patient is having the test, to ensure that the procedure is necessary and the best choice for the situation, but he or she is not at liberty to discuss this with a third party who is not actively treating the patient. In all such matters, one must first obtain consent from the patient to determine whether he or she is willing to permit the doctor to divulge medical information to others. This rule applies not only to verbal communication but to all written and electronic text.
In addition to HIPAA, many states have their own restrictive rules on the privacy of PHI, which may be far more stringent than HIPAA, particularly when the information concerns patients with infectious diseases like HIV, mental health problems, certain genetic disorders, and substance abuse. Further, there are also federal rules that are more stringent than HIPAA, such as those pertaining to substance abuse and drug addiction records. Finally, there is also a federal rule that governs how and when Medicaid or Medicare information can be used. However, this does not mean that HIPAA is void when other more stringent rules are in place. In situations where a more stringent privacy rule is in place, the more stringent rule takes precedence over HIPAA for that jurisdiction. All healthcare workers must be aware of both HIPAA and the state and federal rules that govern PHI.
Contents and Authorizations
When a patient is admitted to a healthcare institution, he or she must be provided with information on the right to privacy, what type of PHI will be shared, and for what reason. This Notice of Privacy Practices is now a requirement of HIPAA for all patients, regardless of age or gender. The patient must sign this document, and one copy must be kept in the hospital files. This also indicates that the patient did receive the privacy notice. If, for any reason, the patient cannot sign, the reason must be documented and witnessed. If another person signs the document, the reason why that individual is signing must be documented. Once a Notice of Privacy Practices is signed, the healthcare institution does not need to ask the patient repeatedly for disclosure of PHI in the course of normal care. If the patient's health situation changes or the patient has additional privacy concerns, this should be documented in the note. The patient may ask that no family member or friend be permitted to pick up his or her medications, or that none of the medical staff discuss the health condition with family or friends.
Security with Flexibility
The HIPAA security rule does provide all healthcare institutions with a practical and flexible format for implementing security measures. Some of these are mandatory requirements but others are flexible and allow the institution to implement security and privacy measures that are consistent with the organization’s resources, infrastructure, and functionality.
What are Some Exclusions to a Patient’s PHI?
There are several scenarios in which disclosure of PHI may violate HIPAA, and they include the following:
When Can PHI be Disclosed Without Consent?
Images and Videos
It is important to understand that HIPAA violations occur not only after vocal or written disclosure of PHI but also after posting images. For example, cosmetic surgeons who routinely post preoperative and postoperative photos of patients, or surgeons who videotape surgical procedures, must obtain consent from the patient. In addition, when not necessary, the face should be blanked out. Professionals are also prohibited from using names of patients in case reports. Anything that can identify a patient is not permitted.
Specific HIPAA Rules That Pertain to PHI Security
The HIPAA security requirements place significant emphasis on risk analysis, especially now that electronic healthcare technology is the norm. All hospitals have to work not only with their healthcare workers but also with third-party contractors, vendors, and solo practitioners, and they must identify and address the appropriate security options to ensure the security of data. The use of the internet is perhaps the biggest source of data leakage. When transmitting data over the internet, the hospital IT department must encrypt the data to ensure that it remains private. For example, a doctor who is an independent contractor and has a patient admitted to the hospital will transmit the patient's medical history to the hospital over the internet. This information must be encrypted to prevent leakage and eavesdropping. Today, encryption of healthcare records is standard, and there are many software programs that one may use.
Use of Wireless Networks
These days many healthcare workers use wireless networks to access medical records. However, if many computers connect through a wireless network, then the encryption function of the wireless network must be activated. Furthermore, healthcare workers must be asked to stop using the unencrypted wireless network for communication because of the risk of interception.
Storage of PHI Data
Another area of great concern is the storage of PHI on hard drives, especially portable devices like laptop computers and flash drives. Over the years, many privacy breaches have occurred as a result of stolen laptops and flash drives. To address this problem, healthcare workers should refrain from storing any patient data on their laptop, flash drives, or CDs. If the data is stored, it must be encrypted. Another option is to use the laptop only to view the data, but never to store the information. This has become possible with cloud technology and storage systems.
All healthcare workers who use a computer to access patient records must have a secure password. The password should be unique and changed every 3 to 4 months. No one should share their password with other individuals. The information technology (IT) department must determine the quality of the password before access is granted to the system. The password must be sufficiently strong that it cannot be guessed or even predicted with the available computer programs. The password must contain a combination of numeric and alphabetic characters with symbols to increase its complexity. Further, no worker should post the password anywhere near the PC or leave a sticker with the password on a desk, as this defeats the purpose of security. However, passwords alone are not adequate as a security measure and offer a very weak method of protection.
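As an added example (not part of the original article), here is how an IT department might check a candidate password against the composition rules described above and store it as a salted hash rather than in the clear. The minimum length of 12, the PBKDF2 iteration count, the 120-day rotation interval standing in for "every 3 to 4 months", and the small denylist are assumptions chosen for the example; a real deployment would check against a breached-password list.

```python
"""Password policy check and salted hashing for a record-system login.

Added example, not part of the original article. The minimum length, the
iteration count, the rotation interval and the denylist are assumptions.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 12                 # assumption; the article sets no length
PBKDF2_ITERATIONS = 200_000     # assumption; raise as the login server's budget allows
MAX_PASSWORD_AGE_DAYS = 120     # stands in for "every 3 to 4 months"
# Constructed denylist standing in for a real breached-password list.
COMMON_FRAGMENTS = {"password", "qwerty", "123456", "letmein", "welcome", "hospital"}


def policy_violations(password, username=""):
    """Return the policy rules a candidate password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    lowered = password.lower()
    if any(frag in lowered for frag in COMMON_FRAGMENTS):
        problems.append("contains a common word or sequence")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def hash_password(password, salt=None):
    """Store only a salted PBKDF2-SHA256 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def rotation_due(last_changed, today):
    """True when the password is older than the permitted age."""
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    print(policy_violations("password1!", "jdoe"))
    stored = hash_password("Tr0ub4dor&3xyzQ")
    print(verify_password("Tr0ub4dor&3xyzQ", stored), verify_password("guess", stored))
    print(rotation_due(date(2018, 1, 1), date(2018, 6, 3)))
```

The composition check only enforces what the paragraph asks for; the hashing is what limits the damage when the credential store itself is exposed, which is why the two belong together.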
Unique User Identification
There have been many instances in which healthcare workers and non-healthcare workers who were not involved in the care of the patient have accessed the medical records of celebrities and other important people. The purpose was to pass the documents to tabloid magazines. Thus, HIPAA enhancements under the Health Information Technology for Economic and Clinical Health (HITECH) Act now require a system that tracks all users from the moment they sign on until they sign off. The tracking system shows who signed on, when, what data they accessed, and whether they downloaded any information. Hence the importance of assigning unique user names and passwords that are never shared with anyone; otherwise, tracking is not possible in the event of a data breach.
Today many healthcare institutions have started to implement stronger authentication requirements. Besides the password, some systems also require a specific biometric feature to enter the system. Some hospitals have started to use fingerprints to identify the individual entering the system and others have started to incorporate facial recognition.
To ensure privacy and authenticate the computer used, some organizations have started to limit access to individuals based on their role in healthcare. For example, a laboratory technologist would only need access to the patient’s laboratory record, so there is no need to provide that worker access to the patient’s medical history. Similarly, a pharmacist may only have access to the patient medications or pertinent parts of the medical history regarding drug reactions; whereas, an internist would have access to most of the medical information. Customized access is the new wave of the future, and so far, limited studies do show that it works in maintaining the security of patient data.
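As an added example covering both the audit-trail and the role-based access passages above (not part of the original article), the Python code below enforces a least-privilege map from role to record section, writes an audit entry for every attempt whether it succeeds or not, and then reviews that log for the patterns an investigator would ask about: attempts denied by role, access by a user who is not on the patient's care team, and bulk exports. The roles, record sections, user identifiers, and care-team assignments are constructed for illustration.

```python
"""Role-based access to record sections with a per-user audit trail.

Added example, not part of the original article. Roles, sections, user ids
and the care-team assignments below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Least-privilege map from role to the record sections that role may view.
ROLE_PERMISSIONS = {
    "lab_tech": {"lab_results"},
    "pharmacist": {"medications", "allergies"},
    "internist": {"lab_results", "medications", "allergies", "history", "notes"},
    "billing": {"billing"},
}


@dataclass(frozen=True)
class AuditEvent:
    """One immutable line of the audit trail: who, when, which record, what, and the outcome."""
    timestamp: str
    user_id: str      # unique per person; a shared login makes attribution impossible
    role: str
    patient_id: str
    section: str
    action: str       # "view" or "export"
    allowed: bool


class RecordSystem:
    def __init__(self, records, care_teams):
        self.records = records          # patient_id -> {section: data}
        self.care_teams = care_teams    # patient_id -> set of user_ids treating that patient
        self.audit_log = []             # append-only; users must not be able to edit or truncate it

    def access(self, user_id, role, patient_id, section, action="view", now=None):
        """Enforce the role's permissions and record the attempt whether or not it succeeds."""
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(AuditEvent(ts, user_id, role, patient_id, section, action, allowed))
        if not allowed:
            raise PermissionError(f"{role} {user_id} may not {action} {section} of {patient_id}")
        return self.records[patient_id][section]

    def suspicious_events(self):
        """Flag audit entries that an investigator would want explained."""
        findings = []
        for ev in self.audit_log:
            if not ev.allowed:
                findings.append((ev.user_id, ev.patient_id, "denied by role"))
            elif ev.user_id not in self.care_teams.get(ev.patient_id, set()):
                findings.append((ev.user_id, ev.patient_id, "not on care team"))
            elif ev.action == "export":
                findings.append((ev.user_id, ev.patient_id, "bulk export"))
        return findings


def demo():
    """Constructed scenario: one legitimate access, one over-reach, one curiosity lookup."""
    records = {
        "P100": {"lab_results": "HbA1c 7.1%", "history": "...", "medications": "metformin"},
    }
    care_teams = {"P100": {"u-lab-7", "u-int-2"}}
    rs = RecordSystem(records, care_teams)
    fixed = datetime(2018, 6, 3, 9, 0, tzinfo=timezone.utc)
    rs.access("u-lab-7", "lab_tech", "P100", "lab_results", now=fixed)   # allowed, on the care team
    try:
        rs.access("u-lab-7", "lab_tech", "P100", "history", now=fixed)   # the role forbids this
    except PermissionError:
        pass
    rs.access("u-int-9", "internist", "P100", "history", now=fixed)      # role allows, but not on the team
    return rs


if __name__ == "__main__":
    for finding in demo().suspicious_events():
        print(finding)
```

The third access in the scenario is the one the celebrity-records incidents describe: the role permits it, so access control alone does not stop it, and only the combination of a unique user id and a review of the log makes it visible. Treatment relationships change quickly, so in practice the "not on care team" finding is a prompt for review rather than an automatic sanction.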
Electronic Health Records
HITECH was enacted to promote the widespread adoption and meaningful use of electronic health records (EHRs) and related technologies. Among other things, HITECH requires covered entities that implement an EHR to provide an audit trail accounting for all disclosures of information. When a patient asks for an electronic copy of their records, HITECH also stipulates that healthcare organizations provide the PHI maintained in an EHR. Therefore, an EHR is very broadly defined in the proposed rule as "any electronic data." Furthermore, healthcare entities must acknowledge and fulfill a patient's request that the healthcare provider not share PHI with a health insurance plan if the individual pays for the care out of pocket and in full.
Audits and Risk Assessment
Once a security system is in place, risk management should audit the system to look for any flaws and identify any gaps in maintaining the integrity, confidentiality, and security of PHI. All risks identified must go through a HIPAA compliant risk management process and the flaws rectified. Risk analysis is not a one-shot deal but must be conducted regularly because new technology is constantly introduced. This is also repeated whenever there is a change in clinical practice.
Dedicated IT Staff
All healthcare institutions should employ one or more persons dedicated to maintaining the security and privacy of PHI. In most cases, a team of IT professionals should ensure that everyone follows the established procedures and policies. Moreover, this team must ensure that all healthcare workers use the system appropriately. It is the job of the IT staff to conduct regular audits to ensure that everyone is HIPAA compliant.
While HIPAA does permit the use of PHI for many hospital-based services like treatments, pharmacy operations, rehabilitation and outpatient care, any other use or disclosure of PHI must be authorized by the patient in writing before any PHI is disclosed. For example, there are protocols to follow when a patient is enrolled in a clinical trial. Plus, when patients want their medical records transferred to another unrelated physician or out of state, then a written consent must be obtained from the patient.
Ensure that third-party business agreements are in place. Sometimes a third party may need access to PHI to perform a service on behalf of the hospital. For example, the patient may be entering an outpatient rehabilitation unit, and the therapist requires medical records, or the patient may be going for radiation therapy at another center. The rehabilitation center and the radiation clinic also need to comply with HIPAA rules. These third-party entities must provide the hospital with a business associate agreement confirming that the requirements of HIPAA are understood and are being followed.
In the past, it was routine for healthcare workers to share patient information with family and friends, sometimes out of concern or in an attempt to help. Now this is not acceptable, and a provider can violate the law. HIPAA does not permit deliberate or accidental disclosure of PHI for any reason. For example, a disgruntled healthcare worker can be held liable if he or she steals PHI and then shares the data for monetary gain or revenge. Sometimes the PHI disclosure occurs accidentally, when a patient's chart is left unattended in the lobby or the radiology suite. When a patient's chart is taken along with the patient on the trolley, it is important to make sure that the transporter knows not to leave the chart lying where the information may be inadvertently or purposefully looked at by persons not directly involved in that patient's care.
Under HIPAA, all patients are legally permitted to obtain copies of their PHI which includes billing and medical records over the past 6 years. Some exclusions cover legal documents, mental health notes or laboratory results. The healthcare provider may deny access to PHI if he or she believes that such access may harm the patient or others. A patient has to request, in writing, to obtain his or her medical chart.
Inform Patients of Privacy Practices
All healthcare facilities that are covered by HIPAA must document their privacy practices and share that information with patients. When patients ask for HIPAA information, they should be provided with the information and asked to sign a form confirming that they have received the booklet.
Patient Rights under HIPAA
HIPAA rules give patients rights, some of which they may not be aware of. The most important rights of patients under HIPAA include the following:
HIPAA and Communication with Patients
HIPAA recommends disclosing the minimal amount of information to ensure the privacy of patients. When speaking to a patient in a room with other patients, it is important not to divulge specific information other than greetings. If one has to communicate the results of a biopsy or surgery, then one may ask the patient to come to a private room for discussion. Even then, only disclose what is relevant. If the healthcare provider is faced with a situation where there are other patients, for example, in the recovery room or intensive care unit (ICU), the discussion should be broad and not detail any specific procedure or diagnosis. Similarly, in outpatient clinics, one should never discuss PHI in the hallway but wait until the patient is seated in a private room.
HIPAA permits disclosure of PHI to a spouse, parents, legal guardians, and other caregivers who are involved in the patient’s care without having a formal agreement from the patients. If there is ever a need to discuss something specific regarding the patient when other individuals are present, ask the patient if he or she has any objections.
When Can Information Be Shared?
Healthcare workers need to be aware that all PHI for clinical purposes is covered under HIPAA and includes the following:
As long as healthcare providers are offering treatment, they are not restricted by HIPAA, provided the patient has not requested that data not be disclosed to a particular healthcare provider. However, caution must still be used. For example, when asking a phlebotomist to start an intravenous line on a patient needing chemotherapy medication, a physician does not have to divulge to the technologist why the patient needs an intravenous line.
All healthcare institutions should establish specific guidelines on email communication from patients. Some of the recommendations include the following:
As with email, there should be specific policies and guidelines regarding the use of faxes to transmit medical information. Some of the recommendations include the following:
Today, computers play a critical role in healthcare and store a vast amount of PHI. Hence, these devices must be secure. Some of the recommendations for computer use include the following:
Clergy and Other Religious Figures
The HIPAA Privacy Rule permits religious figures and clergy to be informed of individuals belonging to their denomination that are in a hospital, as long as the patient has first been informed and has no objection. Patients should be asked about these preferences when they are first admitted to the hospital and asked to sign a paper regarding who they want as a visitor and who should be notified.
During an emergency, or when the patient is incapacitated and has not been able to provide consent, disclosures can still occur. However, the disclosure has to be consistent with the individual's best interest. One has to use not only good judgment but also involve administration and risk management in decision making. The reasons why a particular course of action was undertaken should be documented in full.
Disposing of PHI
When disposing of medical records, labels, or prescription labels, the documents should be shredded or incinerated so that there is no chance that they can be reconstructed. Any PHI on a computer must be completely erased before the PC is disposed of. The same applies to any CD or zip drive. The people in charge of shredding or disposing of PHI must be properly selected to make sure that the records are destroyed and not simply taken home.
During a visit or medical encounter, pharmacies and hospitals may get signed authorization from patients before service, allowing that entity to access the patient's PHI during care. However, this form has to contain the initiation and expiration dates for the disclosure. The authorization only remains valid until the expiration date and can be renewed. So if a patient has signed an authorization for release of his medical records to a psychiatrist, then one can send the records during that time. But one is not allowed to send PHI to other healthcare entities without additional consent, nor can PHI be sent outside of the specified time frame. If the patient is not available or is not able to consent, then the risk analysis committee may disclose PHI without authorization if it is a matter of life or death. Other cases in which PHI may be disclosed are child abuse, elder neglect, public health law, or where there appears to be fraudulent activity.
It is imperative that the entire staff know about HIPAA. Thus, regular education seminars must be conducted. The teaching not only applies to regular staff but all interns and volunteers who come into contact with PHI. The staff must be fully trained, updated regularly, and made aware of HIPAA rules that apply to them.
Reporting HIPAA Violations
In general, HIPAA violations must be self-reported to the Department of Health and Human Services (HHS). If a violation has affected more than 500 patients, the Department must be notified in writing within 60 days. If fewer than 500 patients have been affected, then HHS has to be notified no later than 60 days after the calendar year ends. Penalties may increase if self-reporting is not done and the violation is discovered through the media.
Who Monitors Hospitals and Healthcare Workers for HIPAA Compliance?
The Office for Civil Rights (OCR) under Health and Human Services (HHS) is the entity responsible for enforcing HIPAA privacy and security rules. The agency enforces rules in the following ways:
The Investigation Protocol
Once OCR receives a complaint of HIPAA violation, it gathers the information and tries to determine if the privacy and security rules were violated. If the problem is a minor case of noncompliance, OCR will initially try and resolve the matter with the respective institution in the following ways:
For those institutions that fail to comply with HIPAA, there may be criminal and civil penalties. If the complaint received indicates a violation of the criminal provisions of HIPAA, then the matter may be referred to the Department of Justice (DOJ) for further investigation.
Civil and Criminal Violations
When the healthcare institution fails to resolve the matter satisfactorily, OCR may impose civil monetary penalties that are based on the seriousness of the noncompliance. The amount of the monetary fine is usually at the discretion of the Secretary of HHS and depends on the extent and nature of the harm that occurred as a result of the violation. In almost all cases, the Secretary is not permitted to impose any civil penalty for a violation that is corrected within 4 to 6 weeks. All criminal violations of HIPAA are handled by the DOJ, which, in addition to civil penalties, may add other fines depending on the severity of the violation.
Criminal Violation of HIPAA Rules
Criminal penalties for HIPAA violations apply to the following entities:
Besides institutions, individuals can also be charged with criminal violations of HIPAA, and this includes employees, directors, officers, nurses, secretaries, and telephone operators. Even individuals not directly liable under HIPAA may be charged with abetting or conspiring. Finally, HHS has the authority to exclude any individual or healthcare institution from participation in Medicare, either temporarily or permanently.
Recent HIPAA Fines
It is critical to understand that no matter how big or small the institution, or how many or few healthcare workers work in a clinic, each entity can be penalized for HIPAA violations. While the monetary penalties can be dramatic, all such violations are published online, and this can quickly ruin the reputation of the facility or the healthcare provider.
Can Patients Sue a Healthcare Facility or a Healthcare Worker for Violating HIPAA?
For example, a pharmacist calls the home of a patient, but no one answers the phone. He then leaves a message asking when the patient will be coming to pick up his HIV medications. The patient can claim that no one in the home knew about his HIV status and that the pharmacist has now disclosed his private health condition to everyone in the home. Can the patient sue the pharmacist?
When a healthcare worker or the facility has violated HIPAA rules, patients generally have no recourse except to report the matter to the OCR. In fact, HIPAA has created a right to privacy but does not allow most patients to file lawsuits. However, if the HIPAA violation is due to gross negligence and professional malpractice, then such a case may be brought to court.
Avoiding HIPAA Violations
Preventing HIPAA violations is not difficult. First, get professional help from a HIPAA expert.
| Violation category | Penalty per violation | Maximum for violations of an identical provision in a calendar year |
|---|---|---|
| Did not know | $100 to $50,000 | $1.5 million |
| Reasonable cause | $1,000 to $50,000 | $1.5 million |
| Willful neglect (corrected) | $10,000 to $50,000 | $1.5 million |
| Willful neglect (uncorrected) | $50,000 | $1.5 million |
Butler PW, Middleman AB. Protecting Adolescent Confidentiality: A Response to One State's [PubMed PMID: 30077547]
Hunt M, Pal NE, Schwartz L, O'Mathúna D. Ethical Challenges in the Provision of Mental Health Services for Children and Families During Disasters. Current Psychiatry Reports. 2018 Jul 23. [PubMed PMID: 30039282]
Cramer R, Loosier PS, Krasner A, Kawatu J. State Laws Related to Billing Third Parties for Health Care Services at Public Sexually Transmitted Disease Clinics in the United States. Sexually Transmitted Diseases. 2018 Aug. [PubMed PMID: 30001297]
Minen MT, Stieglitz EJ, Sciortino R, Torous J. Privacy Issues in Smartphone Applications: An Analysis of Headache/Migraine Applications. Headache. 2018 Jul 4. [PubMed PMID: 29974470]
Berwick DM, Gaines ME. How HIPAA Harms Care, and How to Stop It. JAMA. 2018 Jul 17. [PubMed PMID: 29926093]
Shay DF. The HIPAA Security Rule: Are You in Compliance? Family Practice Management. 2017 Mar/Apr. [PubMed PMID: 28291311]
Drolet BC. Text Messaging and Protected Health Information: What Is Permitted? JAMA. 2017 Jun 20. [PubMed PMID: 28492922]
Freundlich RE, Freundlich KL, Drolet BC. Pagers, Smartphones, and HIPAA: Finding the Best Solution for Electronic Communication of Protected Health Information. Journal of Medical Systems. 2017 Nov 25. [PubMed PMID: 29177600]
McKnight R, Franko O. HIPAA Compliance with Mobile Devices Among ACGME Programs. Journal of Medical Systems. 2016 May. [PubMed PMID: 27079578]
Gostin LO, Halabi SF, Wilson K. Health Data and Privacy in the Digital Era. JAMA. 2018 Jul 17. [PubMed PMID: 29926092]
Klann JG, Joss M, Shirali R, Natter M, Schneeweiss S, Mandl KD, Murphy SN. The Ad-Hoc Uncertainty Principle of Patient Privacy. AMIA Joint Summits on Translational Science Proceedings. 2018. [PubMed PMID: 29888058]
Cohen IG, Mello MM. HIPAA and Protecting Health Information in the 21st Century. JAMA. 2018 Jul 17. [PubMed PMID: 29800120]
Sengupta S, Calman NS, Hripcsak G. A model for expanded public health reporting in the context of HIPAA. Journal of the American Medical Informatics Association (JAMIA). 2008 Sep-Oct. [PubMed PMID: 18579843]
Edemekong PF, Haydel MJ. Health Insurance Portability and Accountability Act (HIPAA). 2018 Jan. [PubMed PMID: 29763195]
Marting R. HIPAA: Answers to Your Frequently Asked Questions. Family Practice Management. 2018 Mar/Apr. [PubMed PMID: 29537247]
Wiles LL, Park EHE, Kim JJ. To Tell or Not to Tell: Nursing Students' Attitudes Toward Disclosing Patients' Protected Health Information. Computers, Informatics, Nursing (CIN). 2018 Mar. [PubMed PMID: 29521710]
Zargaran A, Ash J, Kerry G, Rasasingam D, Gokani S, Mittal A, Zargaran D. Ethics of Smartphone Usage for Medical Image Sharing. The Indian Journal of Surgery. 2018 Jun. [PubMed PMID: 29973771]
Lamas E, Coquedano C, Bousquet C, Ferrer M, Chekroun M, Zorrilla S, Salinas R. Patients' Perception of Privacy of Personal Data, Shared in Online Communities: Are We in the Presence of a Paradox? Studies in Health Technology and Informatics. 2018. [PubMed PMID: 29968647]