Hard to believe! The Health Insurance Portability and Accountability Act (HIPAA) is more than 20 years old. But it packs just as much punch and serious implication as it did when first enacted in 1996 and became law in 2001. Are you as “HIPAA Aware” as you need to be?
While HIPAA addresses many areas in healthcare, such as the availability and renewability of health coverage, fraud and abuse, medical liability, tax considerations, health savings accounts, and data standards, the single most important aspect of HIPAA pertains to security of protected health information (PHI).
Be “HIPAA Aware” about PHI – Now!
Patient diagnosis and treatment information of all types, including payment information. Remove any doubt about what’s covered; treat all patient information as protected. The U.S. Department of Health and Human Services (HHS) National Institutes of Health (NIH) provides more detail here about what health information is protected by the HIPAA Privacy Rule.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA. Typically, any healthcare provider, including support staff, with whom the patient interacts on a professional basis is bound by HIPAA. And so is any business associate [individual or organization] that assists in the covered entity’s activities and functions. All must keep all PHI from deliberate or accidental disclosure. The Centers for Medicare & Medicaid Services (CMS) has a decision tool to help determine whether someone, or an institution, is a “covered entity.”
Who’s the enforcer?
The Office for Civil Rights (OCR) in HHS enforces the HIPAA Privacy Rule and the HIPAA Security Rule. Punishment for violation, especially willful or the result of gross negligence, can be severe. For example, the Feinstein Institute for Medical Research recently agreed to pay $3.9 million to the OCR, the culmination of a laptop being stolen from an employee’s car.
Got you thinking?
I know. That last figure – an almost $4 million fine to OCR – for a single infringement, kind of takes your breath away! Please take one hour, anytime, to learn what your HIPAA security risks really are and how to handle them in this NextGen Healthcare webinar – “Security Risk Analysis for MU and HIPAA.”
- Doctors, hospitals, clinics participating in the patient’s treatment
- Family, relatives, friends, or others the patient specifies
- Police, in special cases such as gunshot wounds
- Government agencies that report on the incidence of various illnesses
- Any insurance carrier with which the patient has relevant coverage
- Support organizations or individuals with a properly executed and current HIPAA Business Associate Agreement (BAA) in place that helps the provider render services to the patient
Can a patient disclose his/her PHI to anyone else?
Yes. A patient has intrinsic and lawful rights to his/her own health information. However, some states require a written release signed by the patient, if the health information is to be used for commercial purposes. And there are “gray areas!”
But be careful. Health information collected by health clubs, gyms, weight-loss centers, and spas are not bound by HIPAA regulations. Also not constrained by HIPAA regulations: The social media universe! Any social media or other commercial websites that collect, accumulate, and analyze, at the request or direction of the consumer, exercise or biometric information from personal monitoring devices, e.g. Fitbit®. Free and clear from HIPAA rules!
Ever Heard of “HIPAA Analyzer?”
Yes, another NextGen Healthcare tool, but important in the context of this blog. Because “being careful” with your HIPAA transactions shouldn’t automatically mean that you make less money. Learn how the HIPAA Analyzer makes submitting data easier, faster, better!
Coming Soon…Part Two of “HIPAA Aware” Blog: Demystifying De-identified PHI