The Health Insurance Portability and Accountability Act (HIPAA) applies to sensitive patient health information. Medical practitioners are wise to understand how this federal law impacts their practice. Three important facts about this law include:
#1: Not everyone is aware of HIPAA’s rules.
The rules apply to hospitals and private practices as well as chiropractors, dentists and schools. It is important to note that not everyone is aware of the intricacies of this law. Office personnel, nursing assistants and even some physicians may be unclear on the rules.
There are limits to what those who have sensitive healthcare information can disclose without the patient’s consent. It is important to make sure everyone within the group is familiar with, and abides by, these rules. One common violation involves inappropriate discussions within the office. HIPAA generally allows medical providers to discuss the care of a patient they are both treating. An investigation could result in allegations of a violation if the discussion is not focused on patient care.
#2: HIPAA has requirements about the methods of communication.
HIPAA allows the use of some platforms for communication and forbids others. This is because certain platforms are not secure. Sending patient information to another treating physician over a text message, for example, could be a violation. This is because a hacker or other outside party could get this information. Instead, it is important to use approved, encrypted programs to share this information.
#3: Violations are expensive.
2020 has already seen multiple million-dollar HIPAA settlements. In a recent example, an email phishing attack in 2014 resulted in the installation of malware that left the group’s data open to attack from the hackers. The group failed to detect the breach for nine months. It resulted in the exposure of over 10 million files on protected health information.
After an investigation, the Department of Health and Human Services (HHS) Office for Civil Rights fined the group, Premera Blue Cross, $6.85 million for the violation. The agency stated the penalty was appropriate, pointing to repeated noncompliance with HIPAA rules and failure to implement audit controls to support the hefty fine. As such, it is likely groups can reduce the risk of a penalty by having regular internal audits and a compliance program.