I had some good feedback on my last post on Malpractice Insurance. Today we’re talking about HIPAA. All medical personnel are aware of HIPAA. They all have to watch a video or two before they start work. Then there’s the mandatory refresher MCQ test and then, you magically now know everything about HIPAA and are HIPAA compliant.
The thing is, most people don’t know much about the Health Insurance Portability and Accountability Act of 1996 (HIPAA; also called the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act). They have some vague ideas about it. Did you know that even mentioning the county a patient is from counts as an identifier of protected health information (PHI) and could land you in hot water?
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, and the rules medical staff run into every day come from it: the Privacy Rule, which limits how PHI may be used and disclosed inside and outside a healthcare facility, and the Security Rule, which requires administrative, physical and technical safeguards for electronic PHI (ePHI). As far as a practice is concerned, the main goal is to keep PHI private.
Who does it apply to?
HIPAA applies to covered entities (health plans, healthcare clearinghouses, and providers who transmit health information electronically) and to their business associates (billing companies, electronic medical record vendors, and any other contractor that handles PHI on their behalf). In practice that means everyone in the building: all staff working in a healthcare facility or private office, students, and non-patient-care employees, as well as the insurance, billing, and EMR companies the practice works with.
Which PHI is protected?
Health information that carries an identifier linking it to a specific patient must be protected. Simply saying “patient X from Y town” is enough to be a HIPAA violation. The Privacy Rule lists 18 identifiers (the Safe Harbor list) that must all be removed before data counts as de-identified, and you should know every one of them:
Name
Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, and date of death), and any age over 89, which must be reported as “90 or older”
Telephone numbers
Fax number
Email address
Social Security Number
Medical record number
Health plan beneficiary number
Account number
Certificate or license number
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web URL
Internet Protocol (IP) Address
Biometric identifiers, including finger and voice prints
Full-face photographic images and any comparable images – this is not limited to images of the face; any picture that can identify the patient counts.
Any other characteristic that could uniquely identify the individual
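Checking free text for these identifiers before it leaves the practice can be partly automated. The scanner below is an added example, not code from this post or from any HIPAA tool: it uses one hypothetical regular expression per identifier that has a recognisable shape, and redacts what it finds, keeping only the year of each date, which Safe Harbor allows. The sample note is constructed for the demo. Names, street addresses and counties have no fixed shape, so the scan deliberately leaves “Sussex County” in place: a clean scan is a first filter, not proof of de-identification.

```python
import re

# Added example: a first-pass scanner for Safe Harbor identifiers in free-text
# notes. Only identifiers with a recognisable shape get a regex; names, street
# addresses, counties and "any other characteristic" have no fixed shape, so a
# clean scan does not prove a note is de-identified. The patterns and the
# sample note below are assumptions made for this example, not from any rule.


def _date_repl(m):
    # Safe Harbor permits the year alone, so keep it and drop month and day.
    return f"[DATE {m.group('y1') or m.group('y2')}]"


PATTERNS = [
    # (label, regex, replacement). Applied in this order so that the broad
    # pattern at the bottom (ZIP) cannot eat parts of what the narrower ones
    # above it have already matched.
    ("URL", re.compile(r"https?://\S+", re.I), "[URL]"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    ("DATE", re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/(?P<y1>\d{2,4})|(?P<y2>\d{4})-\d{2}-\d{2})\b"),
        _date_repl),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
        "[PHONE]"),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I), "[MRN]"),
    # Ages over 89 are identifiers; 89 and below are not.
    ("AGE_OVER_89", re.compile(
        r"\b(?:9\d|1\d{2})[\s-]?(?:y/?o|years?[\s-]old|yrs?[\s-]old)\b", re.I),
        "[AGE_OVER_89]"),
    ("ZIP", re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scan(text):
    """Return (label, token) for every identifier-shaped token in text.
    Overlaps are possible here (a 5-digit MRN also looks like a ZIP);
    redact() resolves them by applying the patterns in order."""
    return [(label, m.group(0))
            for label, rx, _ in PATTERNS for m in rx.finditer(text)]


def redact(text):
    """Replace each identifier-shaped token with its label (dates keep the
    year). Returns (redacted_text, {label: count})."""
    counts = {}
    for label, rx, repl in PATTERNS:
        text, n = rx.subn(repl, text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample note for the demo; every identifier in it is made up.
NOTE = (
    "Pt seen 03/14/2023 in clinic. MRN: 0048213, DOB 1952-11-02, 92 y/o M from "
    "Sussex County, NJ 07001, SSN 123-45-6789. Callback (555) 867-5309, fax "
    "555-867-5310, email jdoe@example.org. Portal link "
    "https://portal.example.org/p/42 accessed from 10.0.0.5. Rapid strep positive."
)

if __name__ == "__main__":
    for label, token in scan(NOTE):
        print(f"{label:12} {token}")
    clean, counts = redact(NOTE)
    print(clean)
    print(counts)
    # "Sussex County" survives: a county is an identifier, but no regex can
    # know that, so a human still has to read the note before it goes out.
```

Run it and the redacted note still names the county and says "M", which is exactly the point of keeping a person in the loop: the script removes the eleven tokens a machine can recognise and leaves the ones it cannot.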
Breaching confidentiality
Most people remember only the cases where you must breach confidentiality: gunshot wounds, stab wounds, injuries sustained in a crime, child or elder abuse, and infectious, communicable or otherwise reportable diseases. Those are mandatory reports under state law, and HIPAA permits them because the disclosure is required by law. HIPAA also permits using and disclosing PHI without the patient’s authorization for treatment, payment and healthcare operations, so handing a chart to the consulting specialist or the billing office is not a breach. Anything outside those permitted uses needs the patient’s written authorization.
Which Data is HIPAA protected?
All PHI, whether written on paper, spoken, or stored electronically, is covered by HIPAA. So before you announce a positive strep test outside a patient’s door, remember that it is a disclosure that can be reported and cost the practice a penalty. The software and hardware that hold ePHI must be secured and protected as well.
How to protect the data?
- Secure all printers, fax machines, and computers: these must be password protected and out of patients’ reach. Ideally, printers and fax machines should not sit in patient traffic areas.
- Locks on computers and record rooms: every computer must be locked so that waiting patients cannot get at it, and paper records must be kept in a locked room.
- Destroy sensitive information: ensure that no staff member takes a patient-related document home. Printouts and working copies that are no longer needed must be shredded at the end of the day; records that must be kept go into folders in locked storage.
- Do not talk about patients or PHI in public locations: corridors, restrooms, breakrooms, elevators, and anywhere outside the institution are public areas and not the place for a conversation about a patient.
- Do not share PHI with a family member, even if they’re also medical staff.
- Point computer screens away from the public: Make sure that the computers that receptionists and other staff are working on are not facing the public in any way.
- Use privacy sliding doors at the reception desk: To ensure there is no access, cordon off the area of the reception.
- Never leave PHI unattended: the laptop must be logged off and all documents put away before you leave your desk.
- Log off workstations when leaving an area: log off every time you leave the desk. This is really annoying when you have to print somewhere else and hand over a referral or a lab or imaging order, but it must be done. The Security Rule also expects workstations to lock on their own after a period of inactivity, so set an automatic logoff rather than relying on memory.
- Don’t share passwords. Each staff member gets their own account and password, so the audit log shows who opened which record. Unique user identification is a required specification of the Security Rule, and a shared login makes every access untraceable.
- Have music and TV playing in waiting areas and patient rooms, so information is not heard via thin walls.
- Audit regularly to make sure that the staff is HIPAA compliant and that they understand what that really means. Don’t simply leave them to watch a video.
- All medical discussions should take place behind closed doors.
- Penalize HIPAA infractions.
What would a violation cost?
A HIPAA complaint from a patient goes to the Office for Civil Rights (OCR) at the Department of Health and Human Services, which notifies you and opens an investigation. Investigators request documents and may visit the practice in person to verify what happened. If the practice is found to have violated the rules, civil penalties run from $100 to $50,000 per violation depending on culpability (from “did not know” through wilful neglect), with an annual cap of about $1.5 million for repeat violations of the same provision; the dollar figures are adjusted for inflation each year. The penalty varies with the culpability and the extent of the violation, and it is the practice, not just the individual doctor, that answers for it.
Why do medical staff need to be careful?
In a busy practice with an army of patients, protecting PHI is going to be challenging. Simple things like a student presenting a case in the hallway, a medical assistant reading out urine dipstick results within earshot, attaching the wrong report to the wrong patient, or a result left exposed where the cleaning staff can see it are all HIPAA violations that should not be happening. If every one of them were penalized, it would cost a lot of money. You hear doctors discussing a difficult case or sharing information on social media to encourage learning, but be careful: there is a very thin line when it comes to HIPAA, and your license and your money are really on the line.
What steps do you take to prevent HIPAA violations?