HIPAA and the Practitioner’s Perspective: Appreciating the Risk

Cranfill Sumner LLP

The practicing doctor (presumably) knows that he or she is (likely) subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Less certain is whether said practitioner knows just what that means. HIPAA – particularly the provisions of HIPAA commonly known as the Privacy Rule, the Security Rule, and the HIPAA Breach Notification Rule – is a wide-reaching law with major consequences for noncompliance. From the patient’s perspective, the law deals with the privacy and security of very sensitive information. The doctor, on the other hand, faces potentially crippling monetary penalties for failure to comply with the standards and requirements established under HIPAA for the handling of protected health information (“PHI”). As a result, the risks posed by improper uses and disclosures of PHI underscore the importance of fully understanding obligations and pitfalls posed by the law.

Understanding begins with the basic premise and purpose of the law, which is to provide the applicable framework of rules for the appropriate use and disclosure of a patient’s PHI, while simultaneously protecting the privacy of that patient. This concept can be further narrowed to two categories of uses and disclosures of PHI: (1) required disclosures and (2) permitted uses and disclosures. Required disclosures are minimal, generally limited to disclosing pertinent information to the patient upon request or as required by law and to the US Department of Health and Human Services (“HHS”) during an investigation, review, or action by said agency. The scope of permitted uses and disclosures is much broader, as it necessarily should be so that doctors can properly practice their profession and get paid for that practice; but, with that expanded range of allowable uses and disclosures comes an expanded risk and liability aspect.

And make no mistake, the risks and liabilities are significant. HHS has conducted thousands and thousands of investigations and reviews regarding alleged and actual HIPAA violations, including impermissible uses and disclosures, lack of safeguards, and lack of patient access to PHI. Many thousands of these have led to corrective actions, settlements, and fines. The fines that may be imposed can be substantial, depending on the nature of the breach, the number of records exposed in a breach, the risk posed by the exposure of that data, and the level of negligence involved.

The purpose of this article is not to present a HIPAA compliance guide, audit or assessment tips, or guidelines for future action. Instead, the aim is to highlight, from the perspective of the practitioner, the importance and impact of the law, which, if the typical doctor were to reflect upon it honestly, is largely underappreciated and underrated. Issues and questions worth considering include:

  • What type of information is included within the definition of PHI?
  • What constitutes a permitted use or disclosure of PHI?
  • When is patient authorization required for the use and disclosure of PHI?
  • Policies and procedures within the practice and around the workplace
  • Identifying internal risk: potential breaches within the practice
  • Identifying external risk: third parties, PHI, and the business associate agreement
  • HIPAA breach notification: what is required and is there a policy in place?
  • Technical, physical, and administrative safeguards for PHI

Routinely and periodically considering these and other issues and questions would be a worthwhile endeavor to identify risks, and potential ways to mitigate these risks, posed by HIPAA. Don’t underestimate the impact of HIPAA or assume compliance. Properly handling PHI is a day-to-day challenge, involving the doctor, partners, employees, agents, vendors, and others. Work to understand and appreciate the risks involved and you will be in a better position to avoid breaches in your practice.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cranfill Sumner LLP | Attorney Advertising
