What is HIPAA and Why is it Important?
In today’s times, we rely heavily on the transmission of patient information via Electronic Medical Records (EMR). EMR are digital files of paper charts containing patient medical information. EMR was invented in the 1970's and has been around for about 50 years. As occupational therapists and most medical professionals/healthcare workers, we have heavily transitioned from paper documents to electronic documents within the last 20-25 years. Practically all medical files are now electronically transmitted. This is primarily for the purpose of improving means of effective communication. Electronic exchange of medical information allows medical professionals to access quick means of authorizations, medical history, and many other forms of necessary information to provide high-quality care. But with the convenience and access at our fingertips, comes the need to protect patient information and adhere to protecting the privacy of health information. There can be a lot of confusion about what is considered “HIPAA compliant”. We will discuss what exactly HIPAA entails. HIPAA stands for The Health Insurance Portability and Accountability Act of 1996. As clearly stated, this act came into effect in 1996 to uphold covered entities to standards to ensure confidentiality of medical information. HIPAA allows for the fast exchange of patient health information while ensuring the integrity of maintaining patient privacy. Another common term you may see while referring to HIPAA, is PHI. PHI stands of Protected Health Information which refers to any information regarding a patient that can be individually identifiable or linked to a specific individual.
An Example of PHI:
Case: Kerry Lowe is a 29-year-old patient with a diagnosis of stage 3 breast cancer at St. James skilled nursing facility.
Contains PHI: There is a 29-year-old woman with stage 3 breast cancer at St. James skilled nursing facility.
Does not Contain PHI: There are 3 people of various ages at St. James nursing facility with stage 3 breast cancer.
Who is to Abide by HIPAA?
HIPAA states that all covered entities must comply with privacy and security regulations. These covered entities include healthcare professionals (doctors, nurses, dentists, pharmacies, dieticians, nursing homes, any medical staff in administration/billing that has access to patient information) any third parties that withhold access to this information for administrative work and/or financial purposes, insurance companies, engineering for home modifications, housekeeping and many more. But anyone that has access to medical documents that contain information pertaining to a person’s condition, personal information such as name, address, SSN, DOB, medical record #, insurance #, photograph, admission/discharge date, phone number, fingerprints, email, is expected to remain HIPAA compliant. Anything that can be traced back to a single individual is an example of PHI and an example of information that should be securely shared. PHI can be provided if the patient gives you consent. An example of this would be, friends or family, visiting a patient in a hospital. In order to be HIPAA compliant, if family or friends are present in the room, you must ask the patient for authorization to share any information regarding their diagnosis, health status, or prognosis in front of other individuals besides the patient. This should also be done discretely; in case the patient does not want this information shared and the family/friends are present while they are asked. The best way to go about this is to ask the visitors to step outside for a moment, while you discuss this with your patient and understand where their consent lies. The only exception to this is: PHI is allowed to be distributed without necessary verbal/written consent from the individual if it is a necessary aspect of treatment, payment, or healthcare operations. HIPAA has several subsections within the act that work to uphold standards for specific criteria. As mentioned in our E-book, it is important to only access the information that is necessary to provide service for the job you are doing. This falls under the Minimum Necessary Standard Rule. The Privacy Rule is a clause that protects patient PHI. Individuals are provided the right to access their information in their medical records at any given time. They are granted the right to have medical records amended if it pertains to information that is inaccurate or incorrect. They also must all receive a Notice of Privacy Practices by the healthcare organization. And lastly, the Security Rule consists of creating nationwide standards that protect information that is transferred electronically. This ensures that PHI remains confidential. The federal Department of Justice and the U.S. Office of Civil Rights are responsible for enforcing the Security Rule and ensuring that criminal penalties/fines are provided for HIPAA violations in regard to PHI.
How HIPAA Violations Can Occur:
HIPAA violations can occur more easily than we think. That’s why it is important to be educated on the manner to avoid these accidental slips! PHI confidentially can be compromised with face to face conversations with other clinicians (if it’s not medically necessary to talk about it, DON’T!, classified as inappropriate access) phone calls, unprotected computer hard drives, via fax machines (always use a cover sheet!), mobile devices, text messages, emails, social media, throwing away documents in the trash (ALWAYS shred them), unsecured networks, no data encryption on documents, unlocked file cabinets, etc. These are just a few of the ways this information can be shared inappropriately. Be mindful of the environment when you are discussing PHI, it should be in a confidential area, spoken about quietly, avoid discussing information in front of family/visitors without permission prior, close your computer screens when not actively documenting, password-protect documents that contain PHI, and avoid sending PHI by email if possible.
A HIPAA violation is classified as disclosure of PHI in a way that defies a person’s right to privacy or security. Under the HIPAA Breach Notification Rule, it states that responsible parties are required to notify the affected person and Secretary of Health and Human Services of loss/theft and unauthorized use of PHI immediately. If you are aware that HIPAA violations are occurring, it is your responsibility as a healthcare professional to address this with your supervisor promptly. Unfortunately, negligence and being unaware of behaviors that violate PHI confidentiality are not exempt from potential fines and criminal penalties. Accidental violations do occur, and it is our job to learn from them and move on when they do! But it is also our responsibility to really understand HIPAA and protect our client’s privacy so we can avoid these situations as best as we can. It is our license on the line, not your place of work, not your coworker’s, YOURS. You worked so hard to get that license, let’s keep it!
Here is a chart of what HIPAA violations look like, courtesy of www.HIPAAjournal.com:
Prophecy Health. 2020. HIPAA Health Insurance Portability And Accountability Act. [online] Available at: <https://nt.prophecyhealth.com/Docs/manuals/HIPAA_Study_Manual_2015.pdf>