Article by Ryan King, Esq.
Each year, health systems and individual health providers incur millions of dollars in fines for violating the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA is perhaps the most well-known privacy law in the United States, it is not well-understood even within healthcare circles, and health systems and providers routinely make mistakes that violate the law.
But, ignorance is not an excuse—federal agencies and judges have made this clear. As a result, health systems and individual health providers need to prioritize compliance. This article provides a brief introduction to HIPAA compliance and the risks of failing to adequately safeguard patients’ protected health information (PHI).
What is HIPAA?
HIPAA is a federal law that provides a framework for ensuring the privacy and security of patients’ PHI. The privacy provisions of HIPAA establish patients’ rights, while the security provisions operationalize these rights by establishing obligations for health systems and providers.
Recognizing that patients have no choice but to trust their providers with their PHI, HIPAA is both strict and comprehensive. It also establishes substantial penalties for non-compliance—and these penalties can be imposed on both employers and employees.
HIPAA’s Protections for PHI
As a baseline, HIPAA only authorizes the use of PHI as necessary to accomplish an intended purpose. It also requires that health systems and providers restrict access to PHI on a “need-to-know” basis. Permissible uses of PHI under HIPAA include patient treatment, customer service, audits, training, and quality improvement. Permissible disclosures of PHI include disclosures (to the extent necessary) for:
- Treatment
- Billing
- Reporting
- Accreditation
For example, it is permissible to disclose a patient’s PHI to a caregiver for purposes of continuing the patient’s treatment after discharge. Health systems and providers can also disclose relevant PHI to insurance companies and family members who need to pay patients’ bills. However, nurses generally should not share (or have access to) information unrelated to their patients, and billing personnel should only have access to the information they need for billing purposes.
What about sharing a patient’s PHI with their family? If the patient is present and can make healthcare decisions, a provider may discuss the patient’s health information with family members if the patient agrees or, when given the opportunity, does not object. However, the provider may only share or discuss information that family members need to know about the patient’s care or payment for the patient’s care.
Complying with HIPAA’s Privacy and Security Requirements
To comply with HIPAA, health systems and providers must use reasonable efforts to ensure that PHI is only accessible by those who need access for authorized purposes. What does this mean?
Complying with HIPAA requires various operational, physical, and logical safeguards. For example, practices that may be necessary to protect PHI include (among others):
- Establishing and enforcing written policies regarding internal sharing of PHI
- Establishing and enforcing written policies regarding external disclosure of PHI
- Talking quietly or discussing patient matters behind closed doors
- Drawing the curtains in shared areas
- Avoiding discussions that involve PHI in common areas
- Covering documents that contain PHI
- Logging out of computers and tablets when not in use
- Addressing the disclosure of PHI in health systems’ and providers’ social media policies
As noted above, health systems and providers that fail to implement adequate PHI safeguards can face substantial penalties. For organizations, these penalties include fines of $58,490 per incident, up to $1.711 million per year (per tier). If accused of intentionally violating HIPAA, individual providers can face fines of $50,000 to $250,000 and one to 10 years in prison.