Introduction
Ensuring the security, privacy, and protection of patients' healthcare data is critical for all healthcare personnel and institutions. This is truer than ever in this age of fast-evolving information technology. In the past, healthcare workers often collected patient data for research and usually only omitted the patients' names. This is no longer permitted; any protected health information (PHI) that can identify a patient or the patient's relatives, employers, or household members must be omitted before being used for research. The Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191, was enacted into federal law to ensure that patient medical data remains private and secure.[1][2][3][4][5] There are 2 main sections of the law: the privacy rule, which addresses the use and disclosure of individuals' health information, and the security rule, which sets national standards for protecting the confidentiality, integrity, and availability of electronic PHI.[6] The privacy rule specifies 18 elements that constitute PHI.[7] These identifiers include demographic and other information relating to an individual's past, present, or future physical or mental health or condition or the provision or payment of health care to an individual.
HIPAA was enacted to encompass 3 areas of patient care:
- Portability of insurance or the ability of a patient/worker to move to another place of work and be certain that insurance coverage is not denied
- Detection and enforcement of fraud and accountability
- Simplification of administrative procedures in health care and other professions (an area where communication and transmission of records are done electronically). With improved technology, the role of wearable technology and androids in disclosing PHI is now under scrutiny.[8][9]
The penalties for failing to comply with HIPAA can be severe.
HIPAA applies to all healthcare institutions and healthcare workers who submit claims electronically. For example, if you are a healthcare worker and transmit or even discuss PHI with others not involved with that patient's care, you violate HIPAA. However, a HIPAA rule permits disclosure of PHI without prior obtained consent for healthcare operations, treatment, and payment. This includes consultation between providers regarding a patient, referring a patient, and information required by law for public health safety and reporting. These exceptions cover the majority of clinical uses of PHI. Other disclosures demand explicit patient consent and apply to everyone in a healthcare facility, including:
- Providers
- Nurses
- Pharmacists
- Administrative personnel
- Foodservice
- Clerical
- Janitorial service
- All other healthcare professionals
The HIPAA policies also apply to any interns and volunteers who work under supervision at a health clinic or hospital, third-party contractors, or business associates, including:
- External laboratories
- External imaging services
- Outside computer repairman
- Accredited agencies that conduct patient surveys
- Medical equipment companies
- Pharmaceutical salespeople
HIPAA broadly defines PHI as any health information transmitted or maintained in electronic media. It is also important to know that PHI protections apply not only to transmission on electronic media but also to any oral communication of identifiable health information. For example, if a surgery resident speaks about a surgical procedure in an elevator full of people, that can be a HIPAA violation if any PHI is mentioned. The majority of medical records in healthcare institutions and clinics meet the definition of PHI, some of which include:
- Admission profile
- Billing records
- Patient profile
- Prescription records
- Referrals
- Discharge and follow-up appointments
Hence, all healthcare institutions and clinics must comply with HIPAA standards for security and privacy.
Function
Where is the HIPAA Privacy Rule Applicable?
The HIPAA privacy rule applies to almost every department in a medical facility; even when walking to the parking lot with a colleague or on your home internet, the confidentiality of PHI must be preserved. Only the bare minimum necessary health information should be disclosed during any health care service, including human resources or ancillary services. For example, when a pharmacist is about to dispense medication to a patient, he or she should only ask the patient whether they know how to take the pill, when to take it, and to follow up with their healthcare provider. No in-depth discussion with the patient in full view of others is permitted. This rule also applies to healthcare providers exchanging information with other healthcare workers involved in patient care. For example, a radiologist is permitted to ask the ordering medical resident a few questions about why the patient is having the test, to ensure that the procedure is necessary and the best choice for the situation. Still, he or she is not free to discuss this with a third party who is not actively treating the patient. In all such matters, one must first obtain consent from the patient to determine if he or she is willing to permit the doctor to divulge medical information to others. This rule applies not only to verbal communication but also to all written and electronic text.[10][11][12]
In addition to HIPAA, many states have their own restrictive rules on the privacy of PHI, which may be far more stringent than HIPAA, particularly when the information concerns patients with infectious diseases like HIV, mental health problems, certain genetic disorders, and substance abuse. Further, there are also federal rules that are more stringent than HIPAA, such as those pertaining to substance abuse and drug addiction records. However, this does not mean that HIPAA is void when other, more stringent rules are in place. In situations where a more stringent rule regarding privacy is in place, the more stringent rule takes precedence over HIPAA for that jurisdiction. All healthcare workers must be aware of HIPAA and the state and federal rules governing PHI.
Contents and Authorizations
When a patient is admitted to a healthcare institution, he or she must be provided with information on rights to privacy, what type of PHI should be shared, and for what reason. This notice of privacy practice is now a requirement of HIPAA for all patients, regardless of age or gender. The patient must sign this document, and 1 copy must be kept in the hospital files. This also indicates that the patient did receive the privacy notice. If the patient cannot sign for any reason, the reason must be documented and witnessed. If another person signs the document, the reason why the individual is signing must be documented. Once a notice of privacy practices is signed, the healthcare institution does not need to ask the patient repeatedly to disclose PHI during normal care. If the patient’s health situation changes or has additional privacy concerns, this should be documented in the note. The patient may ask that no family member or friend be permitted to pick up his or her medications or that no medical staff discuss the health condition with family or friends.
Security With Flexibility
The HIPAA security rule provides all healthcare institutions with a practical and flexible format for implementing security measures. Some of these are mandatory requirements, but others are flexible and allow the institution to implement security and privacy measures that are consistent with the organization’s resources, infrastructure, and functionality.
What are some of the exclusions to a patient’s PHI?
There are several scenarios where disclosure of PHI may violate HIPAA, and they include the following:
- Mental health notes, which under HIPAA may not be shared without explicit authorization, even for purposes of treatment
- Any legal document that pertains to medical records
- Laboratory results, especially the results of sexually transmitted diseases
When can PHI be disclosed without consent?
- If the patient cannot provide consent or is unavailable when disclosure is necessary for public health, by law, or regarding child abuse[13]
- Anytime there is an investigation of fraud by the US Department of Health and Human Services
- When a healthcare worker is trying to obtain consent over the phone when the patient is not able to provide one
Images and Videos
It is important to understand that HIPAA violations occur not only after vocal or written disclosure of PHI but also after posting images. For example, cosmetic surgeons who routinely post preoperative and postoperative photos of patients, or surgeons who videotape surgical procedures, must obtain consent from the patient. In addition, when not necessary, the face should be blanked out. Professionals are also prohibited from using the names of patients in case reports. Anything that can identify a patient is not permitted.
Specific HIPAA Rules That Pertain to PHI Security
- Ensure the integrity, confidentiality, and security of all electronic PHI that the healthcare institution creates, maintains, receives, or transmits
- Develop protection against any reasonably anticipated hazards or threats to the integrity and security of such data
- Protect against any reasonably anticipated use or disclosure of information that is not permitted or required
- Ensure compliance among the workforce
- Have flexibility in the system so patient care is not compromised
- Covered entities may use any security measures that meet the minimal standards
- The type of security depends on the size, complexity, and capabilities of the covered entity
Issues of Concern
Risk Analysis
The HIPAA security requirements emphasize risk analysis, especially now that electronic healthcare technology is the norm. All hospitals have to work with their healthcare workers and third-party contractors, vendors, and solo practitioners, and they must identify and address the appropriate security options to ensure data security. The use of the internet is perhaps the biggest source of data leaks. When transmitting data over the internet, the hospital's IT department must encrypt it to ensure it remains private. For example, a provider who is an independent contractor with a patient admitted to the hospital may transmit the patient's medical history to the hospital over the internet; this information must be encrypted to prevent leaks and eavesdropping. Today, encryption of healthcare records is standard, and many software programs are available for it.[14][15][16][17][18][10]
Use of Wireless Networks
These days, many healthcare workers use wireless networks to access medical records. However, if many computers connect through a wireless network, then the encryption function of the wireless network must be activated. Furthermore, healthcare workers must be asked to stop using the unencrypted wireless network for communication because of the risk of interception.
Storage of PHI Data
Another area of great concern is the storage of PHI on hard drives, especially portable devices like laptop computers and flash drives. Over the years, many privacy breaches have occurred due to stolen laptops and flash drives. To address this problem, healthcare workers should refrain from storing patient data on their laptops, flash drives, or CDs. If the data is stored, it must be encrypted. Another option is to use the laptop only to view the data but never to store the information. This has become possible with cloud technology and storage systems.
Passwords
All healthcare workers who use the computer to access patient records must have a secure password. The password should be unique and changed every 3 to 4 months. No one should share their password with other individuals. The information technology (IT) department must determine the quality of the password before access is granted to the system. The password must be strong enough that it cannot be guessed or predicted by available password-cracking programs. The password must combine numerical and alphabetic characters with symbols to increase complexity. Further, no worker should paste the password anywhere near the PC or leave a sticker with the password on a desk, as this defeats the purpose of security. However, passwords alone are an inadequate security measure and offer only weak protection.
Unique User Identification
There have been many instances when healthcare workers and non-healthcare workers who were not involved in the patient's care have accessed the medical records of celebrities and other important people. The purpose was to pass the documents to the tabloid magazines. Thus, HIPAA enhancements under the Health Information Technology for Economic and Clinical Health (HITECH) Act now require a system that tracks all users the moment they sign on and off. The tracking system shows who signed on, when, what data they accessed, and whether they downloaded any information. Hence the importance of assigning unique usernames and passwords that are never shared with anyone; otherwise, tracking is not possible in the event of a data breach.
Stronger Authentication
Today, many healthcare institutions have started to implement stronger authentication requirements. Besides the password, some systems also require a specific biometric feature to enter. Some hospitals have started to use fingerprints to identify the individual entering the system, and others have started to incorporate facial recognition.
Selective Access
To ensure privacy and authenticate the computer used, some organizations have started to limit access to individuals based on their role in healthcare. For example, a laboratory technologist would only need access to the patient’s laboratory record, so there is no need to provide that worker access to the patient’s medical history. Similarly, a pharmacist may only have access to the patient's medications or pertinent parts of the medical history regarding drug reactions. In contrast, an internist would have access to most of the medical information. Customized access is the new wave of the future, and so far, limited studies show that it maintains patient data security.
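The two controls described under Unique User Identification and Selective Access, modelled together as an added example that is not part of the original article: role-based access to sections of a patient record, an audit trail entry for every attempt, and a reviewer's check that flags reads of a chart by staff who were not on that patient's care team (the pattern behind the celebrity-record incidents). The role names, record sections, user identifiers and care team are constructed for illustration; a real EHR has its own access-control and audit schema.

```python
"""Role-based PHI access with a complete audit trail and an after-the-fact review.

All names, roles, sections and identifiers here are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Record sections each role may view, following the article's examples: a laboratory
# technologist needs only laboratory results, a pharmacist needs medications and
# drug-reaction history, an internist needs most of the chart. (Assumed role and
# section names.)
ROLE_SECTIONS: Dict[str, FrozenSet[str]] = {
    "lab_technologist": frozenset({"laboratory"}),
    "pharmacist": frozenset({"medications", "drug_reactions"}),
    "internist": frozenset(
        {"history", "laboratory", "medications", "drug_reactions", "imaging", "notes"}
    ),
    "billing_clerk": frozenset({"billing"}),
}


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail line: who, when, which patient, which section, and the outcome."""
    user: str
    role: str
    when: datetime
    patient_id: str
    section: str
    allowed: bool
    downloaded: bool = False


@dataclass
class PhiStore:
    # patient_id -> user ids actively involved in that patient's care (constructed)
    care_teams: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def access(self, user: str, role: str, patient_id: str, section: str,
               download: bool = False, when: Optional[datetime] = None) -> bool:
        """Enforce the role's section list and log the attempt, allowed or denied."""
        when = when or datetime.now(timezone.utc)
        allowed = section in ROLE_SECTIONS.get(role, frozenset())
        # Denied attempts are logged too, so the trail is complete for later review.
        self.audit_log.append(
            AuditEvent(user, role, when, patient_id, section, allowed, download and allowed)
        )
        return allowed

    def suspicious_accesses(self) -> List[AuditEvent]:
        """Review the trail: flag every denied attempt, and every permitted read by a
        user who is not on the patient's care team (role alone does not justify it)."""
        flagged: List[AuditEvent] = []
        for ev in self.audit_log:
            on_team = ev.user in self.care_teams.get(ev.patient_id, set())
            if not ev.allowed or not on_team:
                flagged.append(ev)
        return flagged


def format_audit_line(ev: AuditEvent) -> str:
    """Render an event the way a reviewer would read it: who, when, what, outcome."""
    outcome = "ALLOWED" if ev.allowed else "DENIED"
    dl = " (downloaded)" if ev.downloaded else ""
    return f"{ev.when.isoformat()} {ev.user}/{ev.role} patient={ev.patient_id} " \
           f"section={ev.section} {outcome}{dl}"


def demo() -> List[AuditEvent]:
    """Constructed day of activity; returns the events a reviewer should look at."""
    store = PhiStore(care_teams={"P-1001": {"dr_patel", "rx_lee", "lab_kim"}})
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    store.access("lab_kim", "lab_technologist", "P-1001", "laboratory", when=t0)
    store.access("rx_lee", "pharmacist", "P-1001", "history", when=t0)      # outside role
    store.access("dr_patel", "internist", "P-1001", "history", download=True, when=t0)
    store.access("dr_ng", "internist", "P-1001", "notes", when=t0)          # not on care team
    return store.suspicious_accesses()


if __name__ == "__main__":
    for event in demo():
        print(format_audit_line(event))
```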
Electronic Health Records
HITECH was enacted to promote the widespread adoption and meaningful use of electronic health records (EHR) and related technologies. Among other things, HITECH requires covered entities that implement an EHR to provide an audit trail accounting for all disclosures of information. When patients ask for an electronic copy of their records, HITECH stipulates that healthcare organizations provide the PHI maintained in an EHR. Therefore, an EHR is very broadly defined in the proposed rule as "any electronic data." Furthermore, healthcare entities must acknowledge and fulfill a patient's request that the healthcare provider not share PHI with a health insurance plan if the individual pays for the care out of pocket and in full.
Audits and Risk Assessment
Once a security system is in place, risk management should audit it to look for flaws and identify gaps in maintaining the integrity, confidentiality, and security of PHI. All risks identified must go through a HIPAA-compliant risk management process, and the flaws must be rectified. Risk analysis is not a one-shot deal but must be conducted regularly because new technology is constantly introduced. This is also repeated whenever there is a change in clinical practice.
Dedicated IT Staff
All healthcare institutions should employ persons dedicated to maintaining the security and privacy of PHI. In most cases, a team of IT professionals should ensure that everyone follows the established procedures and policies. This team must also ensure that all healthcare workers use the system appropriately. The IT staff should regularly conduct audits to ensure that everyone is HIPAA compliant.
Obtain Authorizations
While HIPAA permits the use of PHI for many hospital-based services like treatments, pharmacy operations, rehabilitation, and outpatient care, any other use or disclosure of PHI must be authorized by the patient in writing before any PHI is disclosed. For example, there are protocols to follow when a patient is enrolled in a clinical trial. Also, when patients want their medical records transferred to another unrelated provider or out of state, written consent from the patient is required.
Third-Party Agreements
Ensure third-party business agreements are in place. Sometimes, a third party may need access to PHI to perform a service on behalf of the hospital. For example, the patient may be entering an outpatient rehabilitation unit, and the therapist requires medical records, or the patient may be going for radiation therapy at another center. The rehabilitation center and the radiation clinic must also comply with HIPAA rules. These third-party entities must provide the hospital with a business associate agreement confirming that the requirements of HIPAA are understood and are being followed.
Inadvertent Disclosure
In the past, it was routine for healthcare workers to share patient information with family and friends, sometimes out of concern or in an attempt to help. This is unacceptable, and a provider who does so may be violating the law. HIPAA does not permit deliberate or accidental disclosure of PHI for any reason. For example, a disgruntled healthcare worker can be held liable if he or she steals PHI and then shares the data for monetary gain or revenge. Sometimes, the PHI disclosure may occur accidentally when the patient's chart is left unattended in the lobby or the radiology suite. When a patient's chart is taken along with the patient on the trolley, it is important to ensure that the transporter knows not to leave the chart where the information may be inadvertently or purposefully looked at by persons not directly involved in that patient's care.
Personal PHI
Under HIPAA, all patients are legally permitted to obtain copies of their PHI, including billing and medical records over the past 6 years. Some exclusions cover legal documents, mental health notes, or laboratory results. The healthcare provider may deny access to PHI if he or she believes such access may harm the patient or others. A patient must request, in writing, to obtain his or her medical chart.
Inform Patients of Privacy Practices
All healthcare facilities covered by HIPAA must document their privacy practices and share that information with patients. When patients ask for HIPAA information, they should be provided with it and asked to sign a form confirming that they have received the booklet.
Clinical Significance
Patient Rights under HIPAA
HIPAA rules give patients rights, some of which they may not be aware of. The most important rights of patients under HIPAA include the following:
- Right to receive a notice of privacy practices
- Right to restrict PHI disclosures
- Right to state how they want PHI handled and communicated to others. For example, the patient may want any message from the pharmacist or the hospital to be sent by mail to his private home and not left on his home phone number.
- The patient has the right to inspect and review their PHI. If the patient perceives anything erroneous in the PHI, they have the right to request a change. The provider may accept or deny this request. For example, a nurse may have been diagnosed with bipolar disorder and, after treatment, want this diagnosis deleted from the medical chart. This is not a request that can be accepted.
- Right to obtain a copy of their PHI
- Right to receive an accounting of where PHI disclosures have been made
- The right to report to the Office for Civil Rights (OCR) if the patient believes there has been any violation of disclosure
HIPAA and Communication With Patients
HIPAA recommends disclosing a minimal amount of information to ensure the privacy of patients. When speaking to a patient in a room with others, it is important not to divulge specific information other than greetings. If one has to communicate the results of a biopsy or surgery, they may ask the patient to come to a private room for discussion. Even then, only disclose what is relevant. Suppose the healthcare provider faces a situation where there are other patients, for example, in the recovery room or intensive care unit (ICU). In that case, the discussion should be broad and not detail any specific procedure or diagnosis. Similarly, in outpatient clinics, one should never discuss PHI in the hallway but wait until the patient is seated in a private room.
HIPAA permits the disclosure of PHI to a spouse, parents, legal guardians, and other caregivers involved in the patient’s care without a formal agreement from the patient. If something specific regarding the patient needs to be discussed when other individuals are present, ask the patient if he or she has any objections.
When Can Information Be Shared?
Healthcare workers need to be aware that all PHI for clinical purposes is covered under HIPAA and includes the following:
- Discussing diagnosis, workup, and treatment with other healthcare providers
- Performing imaging and laboratory tests and disclosing this information to other providers
- Providing imaging test results or relevant patient history when submitting surgical samples to those who perform further diagnostic tests
- When referring a patient to another facility or obtaining a consult
- When calling the pharmacist over the phone to dispense medication to a patient
Healthcare providers are not restricted by HIPAA as long as they are offering treatment, and the patient has not requested not to disclose data to any particular provider. However, caution must still be used. For example, when asking a phlebotomist to start an intravenous line on a patient needing chemotherapy medication, a provider does not have to divulge why the patient needs an intravenous line to the technologist.
- Similarly, when healthcare providers consult with other providers, the HIPAA privacy rule does not prohibit them from engaging in such conversations. However, these conversations should be held away from the public and in private rooms. One should not obtain a telephone consult from a phone line in the cafeteria where others can hear the conversation.
- Healthcare staff may communicate verbally at the nurse desk to coordinate activities.
- Also, a healthcare provider may discuss a patient's medical status over the phone with a provider, patient, or other family members.
- Healthcare workers may discuss a patient's medical condition in an academic institution or during rounds.
- The law permits entities to communicate as required in emergency situations to ensure the proper delivery of healthcare.
Email Communications
All healthcare institutions should establish specific guidelines on email communication from patients. Some of the recommendations include the following:
- The patient's name should not be inserted in the subject line
- Make sure that the patient's email is correct
- Only transmit the bare minimal information in an email
- Have a standard disclaimer at the end of every email
- All emails must be encrypted
- Do not use your non-work email to communicate with a patient. You should never use commercial email accounts; instead, you should use the email system set up by the institution.
Faxes
Like emails, there should be specific policies and guidelines regarding using faxes to transmit medical information. Some of the recommendations include the following:
- All fax machines must be located in a secure area away from the public, patients, and most healthcare workers
- The first page of the fax should always be a disclaimer indicating what to do if the fax is sent to the wrong number
- Unless there is an emergency, faxes should only be sent during working hours, so that incoming faxes are picked up promptly and not left lying in the fax machine's tray
- When sending faxes, it is important to correspond with the other party to ensure that they have picked up the fax
Computers
Today, computers play a critical role in healthcare and store a vast amount of PHI. Hence, these devices must be secure. Some of the recommendations for computer use include the following:
- The computers should be kept in a place where they are not accessible to the public or patients
- The screen should not be visible to the patients or the public
- A healthcare provider should log off every time they leave the computer, even if only for a few minutes, and log in again on returning
- All healthcare workers should have a unique password
- The password should never be shared with anyone else
Clergy and Other Religious Figures
The HIPAA privacy rule permits religious figures and clergy to be informed of individuals belonging to their denomination in a hospital as long as the patient has first been informed and has no objection. Patients should be asked about these preferences when they are first admitted to the hospital and asked to sign a paper regarding who they want as a visitor and who should be notified. Disclosures can still occur during an emergency or when the patient is incapacitated and has not been able to provide consent. However, the disclosure has to be consistent with the individual's best interest. One has to use not only good judgment but also involve administration and risk management in decision-making. Everything should be documented as to why a particular course of action was undertaken.
Other Issues
Disposing of PHI
When disposing of medical records and prescription labels, the documents should be shredded or incinerated so that there is no chance of reconstruction. Any PHI on a computer must be completely erased before disposing of the PC. The same applies to any CD or zip drive. The people who are in charge of shredding or disposing of the PHI must be properly selected to ensure that the records are destroyed and not just taken home.
Signed Consent
During a visit or medical encounter, pharmacies and hospitals may get signed authorization from patients before service, allowing that entity to access the patient's PHI during care. However, this form must contain the disclosure's initiation and expiration date. The authorization only remains valid until the expiration date and can be renewed. So, if a patient has signed an authorization to release his medical records to a psychiatrist, then one can send the records during that time. However, one cannot send PHI to other healthcare entities without additional consent, nor can PHI be sent continuously outside of the specified time frame. If the patient is unavailable or unable to do so, then the risk analysis committee may disclose PHI without authorization if it is a matter of life or death. Other cases where PHI may be disclosed are in cases of child abuse, elderly neglect, public health law, or where there appears to be fraudulent activity.
Training Employees
It is imperative that the entire staff knows about HIPAA. Thus, regular education seminars must be conducted. The teaching applies not only to regular staff but also to all interns and volunteers who come into contact with PHI. The staff must be fully trained, updated regularly, and made aware of HIPAA rules that apply to them.
Reporting HIPAA Violations
In general, HIPAA violations must be self-reported to the Department of Health and Human Services (HHS). If a violation has affected more than 500 patients, the department must be notified in writing within 60 days. If fewer than 500 patients have been affected, HHS must be notified no later than 60 days after the calendar year ends. Penalties may increase if self-reporting is not done and the violation is discovered through the media.
Who Monitors Hospitals and Healthcare Workers for HIPAA Compliance?
The OCR under HHS is the entity responsible for enforcing HIPAA privacy and security rules. The agency enforces rules in the following ways:
- Performs an investigation after receiving complaints from patients
- Performs audits to ensure compliance is maintained; OCR may select an institution at random for an audit
- Conducts education seminars and outreach to boost compliance; during these sessions, OCR may also perform an audit and catch everyone by surprise
- Follows up on media reports of PHI being discovered or disposed of improperly
The Investigation Protocol
Once OCR receives a complaint of HIPAA violation, it gathers the information and tries to determine if the privacy and security rules were violated. If the problem is a minor case of noncompliance, OCR initially tries to resolve the matter with the respective institution in the following ways:
- Recommend voluntary compliance
- Recommend some corrective action
- Resolution agreement
There may be criminal and civil penalties for institutions that fail to comply with HIPAA. If the complaint received indicates a violation of the criminal provision of HIPAA, the matter may be referred to the Department of Justice for further investigation.
Civil and Criminal Violations
When the healthcare institution fails to comply satisfactorily, OCR may impose civil monetary penalties based on the seriousness of the non-compliance. The amount of the monetary fine is usually at the discretion of the secretary of HHS. It depends on the extent and nature of the harm due to the violation. In almost all cases, the secretary is not permitted to impose any civil penalty for a violation that is corrected within 4 to 6 weeks. All criminal violations of HIPAA are handled by the Department of Justice, which, in addition to civil penalties, may add other fines depending on the severity of the violation.
Criminal Violation of HIPAA Rules
Criminal penalties for HIPAA violations apply to the following entities:
- All health coverage plans
- Health care clearinghouses
- All healthcare providers who transmit claims electronically
- Medicare prescription drug card sponsors
Besides institutions, individuals can also be charged with criminal violations of HIPAA, including employees, directors, officers, nurses, secretaries, and telephone operators. Even individuals not directly liable under HIPAA may be charged with abetting or conspiring. Finally, HHS has the authority to exclude any individual or healthcare institution from participation in Medicare, either temporarily or permanently. It is critical to understand that no matter how big or small the institution or how many or few healthcare workers work in a clinic, each entity can be penalized for HIPAA violations. While the monetary penalties can be dramatic, all such violations are published in cyberspace, which can quickly ruin the reputation of the facility or the healthcare provider.
Can Patients Sue a Healthcare Facility or a Healthcare Worker for Violating HIPAA?
For example, a pharmacist calls a patient's home, but no one answers. He then leaves a message asking when the patient is coming to pick up his HIV medications. The patient can claim that no one in the home knew about his HIV status, and now the pharmacist has disclosed his private health condition to everyone in the home. Can the patient sue the pharmacist? When a healthcare worker or facility violates HIPAA rules, patients generally have no recourse except to report the matter to the OCR. HIPAA has created a right to privacy but does not allow most patients to file lawsuits. However, if the HIPAA violation is due to gross negligence and professional malpractice, then such a case may be brought to court.
Avoiding HIPAA Violations
Preventing HIPAA violations is not difficult. First, get professional help from a HIPAA expert.
- Develop a code of conduct booklet and write down all the policies and procedures everyone must follow.
- Do not let anyone get away with violating policies because, in the end, it is the healthcare provider who has to face the legal system.
- If healthcare providers or institutions already have HIPAA policies in effect and have suffered a HIPAA violation, consult with a HIPAA specialist to determine any deficiencies and corrective solutions. These individuals provide comprehensive education, tips, and seminars to the staff about HIPAA rules and regulations. It is money well spent because a violation of HIPAA is a very expensive ordeal.
| Violation category | Amount per violation | Maximum for violations of an identical provision in a calendar year |
|---|---|---|
| Did not know | $100 to $50,000 | $1.5 million |
| Reasonable cause | $1,000 to $50,000 | $1.5 million |
| Willful neglect (corrected) | $10,000 to $50,000 | $1.5 million |
| Willful neglect (uncorrected) | $50,000 | $1.5 million |
Pearls
- HIPAA has been enacted to ensure the privacy and security of PHI.
- Each healthcare institution may set up unique policies and procedures but must conform to HIPAA guidelines.
- With evolving technology, one must keep updated with HIPAA and ensure that PHI remains protected.
- Ensure that all the workers in the organization know the HIPAA policies and procedures.
- Be stringent with workers who break HIPAA rules because, eventually, there will be a cost.