What every doctor should know about avoiding HIPAA violations

By Naveed Saleh, MD, MS
Published November 24, 2021

Key Takeaways

Being a physician requires dedicated attendance to many aspects of healthcare, including evidence-based practice, compassionate service, and respect for patient privacy. With respect to privacy, HIPAA regulations guide the sharing and utilization of patient health information.

The regulations set out by HIPAA—the Health Insurance Portability and Accountability Act—are “permissive” in that they permit but don’t require the sharing of patient information, as described by the AMA. After all, patient information must be shared during treatment and payment, and it is untenable to guarantee patient permission with every move if workflow is to be maintained and patient care to be facilitated.

Nevertheless, HIPAA regulations are violated, sometimes in unexpected ways. Such violations can result in fines ranging from $150 for an “unknowing” violation to $1.5 million for “willful neglect.”

Let’s take a look at five main violations that physicians and administrators should keep on their radar.


The unacceptable use or disclosure of protected health information (PHI) that undermines patient privacy is known as a breach. A breach is assumed unless the healthcare entity can prove that there is a low probability of the protected data being compromised via a process of risk assessment.

The US Department of Health and Human Services (HHS) Office for Civil Rights is responsible for enforcing compliance with HIPAA privacy rules. According to HHS, the risk assessment includes aspects of the following:

  • If the information was taken or just viewed

  • Nature of information, including identifiers and chance of re-identification

  • Safeguards taken to keep the information confidential

  • The identity of the person who committed the breach

There are three exceptions to a breach being deemed a violation: 1) A breach made in good faith and under the authority of a covered entity and involving a workforce member or authority of a covered stakeholder; 2) An inadvertent disclosure made among people authorized to access protected information; 3) Information disclosed under the good-faith belief that the unauthorized party receiving the information would not be able to retain it on his or her own.

Patient access

With few exceptions, patients must be allowed to access their protected health information. A covered stakeholder may, for example, deny access if the information is not part of a designated record set kept by the covered entity, such as psychotherapy notes or information compiled for use in anticipated litigation.

The covered entity can also deny access to information whose release could lead the patient to harm themselves, as in the case of suicidal patients.

Minimum necessary standard

With regard to HIPAA, less is more. PHI should not be disclosed unless absolutely necessary to fulfill a specific purpose.

“The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information,” per the HHS website. “The Privacy Rule’s requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.”

Of note, the HIPAA Privacy Rule entails standards to protect patients and medical records in the context of healthcare providers, healthcare clearinghouses, and so forth. It requires information safeguards and governs disclosures.

Administrative safeguards

In a white paper, HHS describes in detail the necessity to maintain administrative safeguards as part of HIPAA.

These refer to the administrative actions and policies that put security measures in place to protect PHI. Additionally, the covered entity must direct its workforce to uphold these standards.

The first standard, for instance, is the Security Management Process, which advises that the covered entity enact policies/processes to prevent, monitor, and correct any security violation.

Other safeguards

Institutions must maintain adequate physical and electronic safeguards with regard to PHI.

In 2018, Fresenius Medical Care North America committed all five HIPAA violations on this list. Investigators found that there were risk-analysis failures, unacceptable disclosures of electronic PHI, lack of encryption, and more. The organization was fined $3.5 million.

Bottom line

Although much HIPAA guidance involves common sense, physicians should remain vigilant to avoid lapses. Such HIPAA violations not only can result in large fines but also compromise the sanctity of patient care and the patient-physician relationship.
