Quiz: The HIPAA Privacy Rule which protects the privacy of patients’ medical and health records does NOT apply to:

a) Medicare

b) Hospitals

c) Media

d) Health insurance plans

e) It applies to all the above

There are few things as well known yet as poorly understood as The Health Insurance Portability and Accountability Act, commonly known as “HIPAA.” The portion that is most relevant to both practitioners and patients is HIPAA’s privacy rule establishing national standards to protect medical records and other personal health information. As a general rule, it prohibits release of a person’s medical records without the person’s written consent, and it creates penalties for the unauthorized release of such records by health care providers and medical plans.

Who Does HIPAA Apply To?

The privacy rule applies to most hospitals, many health care providers (including doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies), health care clearinghouses, and health plans, including many government health programs such as Medicare, Medicaid, and the Veterans Health Administration. These are referred to as “covered entities” by the Centers for Medicare & Medicaid Services (CMS). Determining who is a covered entity is so complicated that CMS has online guidance in the form of Covered Entity Charts available online.

It is important to note that HIPAA only applies to a specific list of medical professionals and entities, and does not apply to reporters, media, or others (although they could potentially be sued for other reasons for disclosing such information). HIPAA, and its enforcement, is limited only to the covered entities described by CMS.

What Information is Protected By HIPAA?

The privacy rule applies to protected health information (PHI) which the U.S. Department of Health & Human Services (HHS) defines as: “information, including demographic data, that relates to:

  1. The individual’s past, present or future physical or mental health or condition
  2. The provision of health care to the individual, or
  3. The past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.” This information can be in any form – electronic, paper or oral.

Criminal penalties, including up to 10 years of jail time, may result if PHI is knowingly obtained or disclosed, or when information is gained under false pretenses or with the intent to sell or use the information for personal gain. However, most enforcement actions are civil, and many are the result of accidental release of PHI. Civil penalties include monetary fines and corrective actions (such as changing a procedure, training, or instituting safeguards on personal information).

One example of a civil action involved a doctor’s office mistakenly faxing a patient’s medical records to his work, rather than his new physician. The records contained PHI about the patient – specifically, that he was HIV positive. After an investigation, the Office of Civil Rights (OCR) concluded that while the slip was not intentional, the physician’s office needed to revise their faxing policies, strengthen the privacy language in their fax cover sheets, and make all employees take HIPAA training to avoid similar mistakes in the future.

Enforcement of the Rule

In April 2003, HHS’s Office for Civil Rights (OCR) began enforcing the rule. According to OCR, as of the end of June 2015, the agency had received over 117,474 HIPAA complaints, and had resolved 109,772 of those cases (94%). The cases were resolved as follows:

  • In the bulk of the cases (65,780), OCR found that the complaint was lacking (for example, it was made against an entity not covered by HIPAA, or it was untimely or withdrawn by the filer.)
  • In 23,641 cases, OCR required changes in the privacy practices or corrective actions by HIPAA covered entities.
  • In 10,745 cases, OCR found that no HIPAA violation had occurred.
  • Finally, in 9,606 cases, OCR intervened early and provided technical assistance to HIPAA covered entities, without the need for an investigation.

So, what were the most common HIPAA violations alleged in the complaints? According to HHS, they are (in order of frequency):

  1. Impermissible uses and disclosures of protected health information;
  2. Lack of safeguards of protected health information;
  3. Lack of patient access to their protected health information;
  4. Lack of administrative safeguards of electronic protected health information; and
  5. Use or disclosure of more than the minimum necessary protected health information.

Private medical practices were most often required to take corrective action to achieve compliance, followed by general hospitals, outpatient facilities, pharmacies, and health plans.

Part 2 of this article will focus on how health care providers can avoid HIPAA violations.

Quiz Answer: c. The media is not a covered entity under the HIPAA rule and thus is not subject to it. This does not mean that the media cannot be sued for divulging personal health information; it simply means that the media is not governed by the HIPAA privacy rule, as are health plans and health providers.