Law 101: The HIPAA Privacy Rule, Part 2: Avoiding Violations

In this installment, we'll look at what types of actions or failures result in violations, and how to avoid them.

Quiz: Which of the following would constitute violations of the HIPAA Privacy Rule?

a) A pharmacy disposes of records in an open trash receptacle.

b) A cancer clinic employee leaves a company laptop, containing patient information, in her car where it is stolen.

c) A health insurance company returns leased photocopiers to the rental company without erasing saved patient data.

d) a and c

e) all of the above

In the first part of this series on HIPAA, we looked at what information the HIPAA privacy rule protects, who it applies to, and who is enforcing it. In this installment, we’ll look at what types of actions or failures result in violations, and how to avoid them.

Protected Health Information (PHI)

The HIPAA privacy rule applies to protected health information (PHI), which includes information about physical or mental health or conditions (past or present), the provision of health care, payment for such health care, and information that can be used to identify an individual. Most importantly, this information can be in any form – electronic (as in health records, billing statements, prescriptions, etc.), paper (faxes, paper records), or oral.

Most HIPAA enforcement actions are civil, and many are the result of an accidental disclosure of PHI – faxing patient records to a patient’s work rather than his new physician, for example, or using labels on the outside of patient records which indicate that the patient has HIV, and which can be seen by other patients in the waiting room. Even talking about a patient within earshot of other people can be a HIPAA violation. Civil penalties generally include fines and corrective actions – such as requiring a doctor’s office to change the way it labels files, or ensuring that electronic health record security is up to date.

Criminal actions and penalties, which can include up to 10 years in jail, may result if PHI is knowingly obtained or disclosed, or when information is gained under false pretenses or with the intent to sell or use the information for personal gain. However, the vast majority of HIPAA violations are the result of carelessness, poor recordkeeping, or a lack of policies, instituted by practices and health care centers, designed to keep data safe.

Tips for Staying Compliant

So, how can you minimize your chances of being in violation of the HIPAA privacy rule?

1. Never access a patient’s records unless you are treating that patient and need to access the record for those purposes. [Numerous HIPAA violations have taken place where health care practitioners accessed records of relatives, friends, or, in at least one case, an ex-husband, in order to get information. Even if you are the health care proxy for that person, it is not acceptable to access records in that way – and likely violates your employer’s internal policies.]

2. Use discretion when talking about a patient. HIPAA violations can arise when healthcare practitioners discuss a patient’s health status in public areas, such as a waiting room, in front of other people.

3. Ensure that protected health information is safeguarded. The Office for Civil Rights (OCR), which enforces HIPAA, has held that even insurance cards presented at a pharmacy are considered PHI and must be treated as such. Obviously, patient medical records, test results, and diagnostic information are all PHI.

4. Properly dispose of documents containing PHI. In one recent case, a health system had to pay an $800,000 settlement after employees left boxes with thousands of patient records from a retiring physician on the physician’s driveway while aware that the physician was not home. Essentially, the PHI was sitting near the curb, for anyone to look at. Aside from the fine, the health system had to take corrective action and was required to revise its policies and procedures, train staff, and report to OCR. Another HIPAA violation involved a pharmacy which disposed of documents containing PHI of over a thousand pharmacy patients into an unlocked, open container. The pharmacy could have avoided the violation (and $125,000 fine) by shredding or otherwise destroying the documents.

5. Do provide health information where it is authorized. HIPAA violations can also occur when a practitioner or other entity withholds PHI from those who are entitled to such information. For example, a doctor’s office violated HIPAA by refusing to provide a minor patient’s mother with his health records. In another case, a medical practice hired by an insurance company to conduct an independent medical exam on an injured individual refused to provide the medical records to that individual. OCR held that the individual had a right to the information regardless of who was paying for the exam.

6. Use care in labeling files. One practitioner’s office was fined for using large red stickers with the word “AIDS” on the outside of files of patients who were HIV positive. Since the stickers were visible to everyone in the waiting room, as well as the office staff, this was a violation.

The bottom line is this – PHI must be treated with great care in all its forms, whether paper records, faxes, computer records, pharmacy logbooks, or oral discussions. Physician offices, pharmacies, health systems, and the like must have policies in place to protect both paper and electronic information, and must educate staff as to what PHI is and how it should be protected. Being aware of what information is protected will help you avoid HIPAA snafus.

Quiz Answer: e. Even if disclosure of PHI is accidental (as in the case of the stolen laptop), it is still a HIPAA privacy violation and is generally (as in this case) a reflection of poorly communicated policies (or lack of policies protecting electronic patient data) on the part of the employer.