Understanding The Privacy Provisions Of The HIPAA Laws

Friday, February 6th, 2015

Back in 1996, Congress passed the Health Insurance Portability and Accountability Act, known more commonly as HIPAA. This act did many things for health insurance coverage, including protecting insurance for workers transitioning between jobs, providing basic standards for computerized healthcare records, and creating federal identifiers for health providers and plans. Despite the wide-ranging scope of HIPAA, the part most commonly noted by both patients and providers is the set of security provisions that protect patient privacy. Healthcare providers must understand this privacy provision and how it applies to managing patient care and records.

Who is covered by the HIPAA privacy rules?

Just about any entity that handles patient records is covered by the HIPAA privacy rules. These entities include healthcare plans, providers, clearinghouses, and their business associates.

Healthcare plans can include individual and group insurance, health maintenance organizations (HMOs), Medicare, Medicaid and long-term health insurers, among many others.

Healthcare providers include physicians, dentists, nurse practitioners, chiropractors, hospitals, labs and testing facilities. Healthcare clearinghouses include any entity that processes patient information, such as billing services, value-added networks and repricing companies.

Why were the HIPAA privacy rules needed?

Before the passage of HIPAA, there was no single national standard protecting patient healthcare information. A patchwork of federal and state laws provided some protection, but these laws were inconsistent and allowed personal healthcare information to be distributed to almost anyone who requested it.

What information is protected by HIPAA?

HIPAA’s privacy provision covers any individually identifiable healthcare information about a patient. This means any record, or part of a record, that can tie personal information to a specific patient.

This information includes the patient’s past, present and future health, the provision of healthcare, and any payments associated with care. Any records that contain the patient’s name, birth date, address or Social Security number are also included.

The HIPAA privacy rules extend to the medical information of deceased patients as well.

What are the penalties for violating the HIPAA privacy rules?

Violation of HIPAA may result in civil monetary penalties and criminal penalties. The penalties vary based on the knowledge and intent of the violator.

The maximum civil monetary penalty is $50,000 per violation. Penalties for identical violations are capped at $1.5 million per year. This cap is not the most a violator can end up paying, however. For example, in 2014 New York and Presbyterian Hospital paid $3.3 million to settle claims brought by the Office for Civil Rights. The hospital had failed to adopt security measures required by HIPAA and had inappropriately disclosed the protected healthcare information of 6,800 persons.

In some cases, criminal charges may be brought if someone knowingly obtains or discloses protected information. Each person could face up to a year in prison and up to $50,000 in fines. For someone who obtains records under false pretenses, the penalties can go up to 5 years in prison and $100,000 in fines. If someone obtains information to sell, transfer or use with the intention of making money or doing harm, the penalties go up to 10 years in prison and $250,000 in financial penalties.

How can medical records be shared or obtained?

HIPAA permits certain uses and disclosures of a patient’s health information. If a use or disclosure is not expressly permitted by HIPAA, then a covered healthcare entity must obtain the patient’s written authorization to share or distribute the patient’s information. HIPAA requires that this authorization contain certain information. For example, the authorization must indicate what records can be transmitted and how long the authorization is valid.

What are some of the most common HIPAA violations?

Family members or coworkers snooping in a patient’s healthcare records is a common problem.

Releasing unauthorized information is another common violation. The patient may have authorized the release of lab results, for example, but instead of sending just the lab results, the healthcare provider sent the entire medical record. Another common violation results from the loss or theft of portable electronic devices, like iPads, iPhones, and jump drives, that contain unsecured patient information.

Managing HIPAA

The complexities of the HIPAA rules mean that healthcare providers need to tread carefully. While this act has been around since 1996, the rules continue to be clarified and updated. These updates make compliance a moving target at times.

Contact us here at Brown & Fortunato. Our Healthcare Group can help you navigate the complexities of HIPAA. You can call us at (806) 345-6320 or send us an email on our Contact Us page. You can also stop by our office at 905 S. Fillmore, Suite 400, in Amarillo, Texas. Our website gives a good overview of the services we offer and the practice areas we cover. Let us help you stay ahead of the complexities of healthcare.

This information is subject to change. Please check for updates that are more recent than the published date of this article.