Patient privacy is an essential part of any healthcare business. But understanding the many laws involved and figuring out how to comply with them can be a monumental task. This article outlines some of the basic principles.

The Health Insurance Portability and Accountability Act (HIPAA) was created to accomplish many things, but this article limits its discussion to the part of HIPAA that protects patient privacy: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

HIPAA safeguards what is known as “Protected Health Information” (PHI): individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, in any form (paper, spoken, or electronic). HIPAA defines PHI as having the following three elements:

  1. Created, received, or held by a covered entity (a health plan, a healthcare clearinghouse, or a healthcare provider that bills electronically) or by its business associate;
  2. Reasonably identifying a patient; and
  3. Relating to the patient’s past, present, or future physical or mental health condition, the healthcare provided to the patient, or payment for that care.

Without all three of these elements, the information does not qualify as PHI. However, the federal government defines these elements very broadly. For example, a patient’s name paired with the name of the patient’s insurance carrier is PHI, because insurance information relates to payment for care; if that pairing were accidentally released to the public, the federal government would consider it a breach of PHI.

Also, identifying a patient does not require the patient’s name. Information is still identifying if an average person could reasonably work out who the patient is from the other details given. For example, a nurse tells her husband that a celebrity came into the hospital that day, but she refuses to give the patient’s name. When the husband presses to know who it was, the nurse says, “I can’t tell you his name, but he was married to Jennifer Garner and played Batman.” An average person would be able to surmise that the patient was Ben Affleck, so the nurse has disclosed PHI and violated HIPAA even though she never said the name.

Authorized Exceptions

To facilitate the proper and efficient administration of healthcare, HIPAA permits a covered entity to use or disclose PHI without the patient’s written authorization for its own treatment, payment, and healthcare operations, and in a limited set of further situations spelled out in the Privacy Rule. The following situations permit use or disclosure of the relevant PHI:

  • Required by Law
  • Public Health Activities
  • Victims of Abuse, Neglect, or Domestic Violence
  • Health Oversight Activities (audits, investigations, and licensing of the healthcare system)
  • Judicial and Administrative Proceedings
  • Law Enforcement Purposes
  • Decedents (coroners, medical examiners, and funeral directors; identification of the deceased)
  • Cadaveric Organ, Eye, or Tissue Donation
  • Research (subject to the Privacy Rule’s conditions, such as approval by an institutional review board or privacy board)
  • Serious Threat to Health or Safety
  • Specialized Government Functions
  • Workers’ Compensation
  • Facility Directories, and notification of family members, next of kin, or others involved in the patient’s care (the patient must be given the opportunity to object where practicable)

Each of these exceptions has its own conditions and limits; “law enforcement purposes,” for example, does not mean any officer can ask for any record. The full text and conditions are in the Privacy Rule.

Waiving HIPAA Rights

While HIPAA is a federal law that safeguards patient privacy, the ultimate right lies with the patient. Therefore, a patient can authorize uses and disclosures that HIPAA would not otherwise permit. This authorization allows a covered entity to use or disclose PHI only within the parameters the patient has agreed to; it is not a blanket waiver of HIPAA. A medical provider or healthcare entity should always get the patient to sign a written authorization, and that authorization must spell out what PHI is covered, who may use or receive it, the purpose of the use or disclosure, and an expiration date or event. The patient may revoke the authorization in writing at any time, and, with narrow exceptions, a provider may not condition treatment or payment on the patient signing one.

Examples of HIPAA Violations

The following are just some of the activities that violate HIPAA:

  • Discussing a patient’s PHI with unauthorized personnel
  • Leaving patient records in the open for non-staff to accidentally view
  • Leaving patient records in an unlocked file cabinet or room when not in use
  • Giving out PHI over the phone when the identity of the other person is not confirmed
  • Allowing third parties access to PHI without a signed Business Associate Agreement (BAA) in place 

Failing to implement proper safeguards to protect PHI is a violation in its own right: the Security Rule requires a documented risk analysis and administrative, physical, and technical safeguards for electronic PHI whether or not anything has gone wrong. In practice, enforcement is far more severe when PHI is actually breached and the provider or entity cannot show that those safeguards were in place.

Minimum Necessary Standard

Even when a person is authorized to access PHI – including a business associate, a medical provider, a staff member of a covered entity, etc. – that person must follow the “minimum necessary” standard. This means that the person or company must only use, request, or share the minimum amount of PHI necessary to accomplish the task at hand. For example, a receptionist may access a patient’s chart to set an appointment with the last provider seen. But the receptionist cannot look through the chart and view the complete medical history or find out who the patient’s ex-husband is. The receptionist certainly cannot share gossip from the chart with other members of the staff. Similarly, a third-party accountant cannot view specific patient names and conditions in order to perform a financial audit; the audit should be done with billing figures, de-identified data, or a limited data set instead. The standard does not apply to disclosures to, or requests by, a healthcare provider for treatment, nor to uses or disclosures the patient has authorized in writing.
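As an added example (not code from the article or from KAP), the following Python gate enforces the minimum-necessary standard the way the receptionist and accountant cases describe: access is scoped by role and stated purpose, the chart is projected down to only the fields that purpose needs, and every request, including refused ones, is written to an audit log. The roles, purposes, field names, policy sets, and the sample chart are assumptions constructed for illustration; HIPAA does not prescribe them, and a covered entity defines its own. The treating-clinician entry models the rule’s exemption for disclosures to a provider for treatment.

```python
"""Minimum-necessary access gate: role- and purpose-scoped field projection
with an audit trail. Added example, not from the original article. The roles,
purposes, fields and policy below are assumptions for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample chart (fictional patient, not real PHI).
SAMPLE_CHART = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1980-04-02",
    "last_provider": "Dr. Smith",
    "last_visit": "2024-03-11",
    "diagnoses": ["hypertension"],
    "medication_list": ["lisinopril"],
    "emergency_contact": "John Doe (ex-husband)",
    "billed_amount": 240.00,
    "insurer": "Acme Health",
}

ALL = "*"  # sentinel meaning "every field in the chart"

# Assumed policy: role -> purpose -> the fields that purpose actually needs.
# HIPAA requires only that these sets be the minimum necessary for the task;
# the entity decides what that is and documents it.
POLICY = {
    # Scheduling needs the last provider seen, not the medical history.
    "receptionist": {
        "scheduling": frozenset({"patient_id", "name", "last_provider", "last_visit"}),
    },
    # Minimum necessary does not restrict disclosures to a provider for treatment.
    "treating_clinician": {"treatment": ALL},
    # A financial audit needs amounts and payers, not names or conditions.
    "auditor": {
        "financial_audit": frozenset({"billed_amount", "insurer"}),
    },
}


@dataclass(frozen=True)
class AuditEntry:
    when: str
    role: str
    purpose: str
    patient_id: str
    granted: tuple
    denied: tuple
    outcome: str


class MinimumNecessaryGate:
    """Projects a chart down to the fields a role may see for a stated purpose."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.audit_log = []  # every request, granted or not, is recorded here

    def _log(self, role, purpose, patient_id, granted, denied, outcome):
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            role=role, purpose=purpose, patient_id=patient_id,
            granted=tuple(sorted(granted)), denied=tuple(sorted(denied)),
            outcome=outcome,
        ))

    def request(self, chart, role, purpose, fields):
        """Return (visible_fields, denied_fields).

        Raises PermissionError when the role has no policy for the purpose.
        Otherwise returns only the intersection of what was asked for and what
        the policy allows, and records which requested fields were withheld.
        """
        requested = frozenset(fields)
        unknown = requested - frozenset(chart)
        if unknown:
            raise KeyError(f"unknown chart fields: {sorted(unknown)}")
        pid = chart["patient_id"]
        spec = self.policy.get(role, {}).get(purpose)
        if spec is None:
            self._log(role, purpose, pid, (), requested, "denied: no policy for role/purpose")
            raise PermissionError(f"{role!r} may not access PHI for {purpose!r}")
        allowed = frozenset(chart) if spec == ALL else spec
        granted = requested & allowed
        denied = requested - allowed
        self._log(role, purpose, pid, granted, denied,
                  "granted" if not denied else "partially granted")
        return {k: chart[k] for k in sorted(granted)}, denied


if __name__ == "__main__":
    gate = MinimumNecessaryGate()
    view, withheld = gate.request(SAMPLE_CHART, "receptionist", "scheduling",
                                  ["name", "last_provider", "diagnoses", "emergency_contact"])
    print("visible:", view, "withheld:", sorted(withheld))
    for entry in gate.audit_log:
        print(entry)
```

The design point is that denials are logged alongside grants: after a breach, the question an investigator asks is who asked for what and when, and a gate that only records successful reads cannot answer it. Projecting fields at the access layer, rather than handing the whole chart to the application and trusting it to look away, is what makes the receptionist example enforceable instead of aspirational.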

Storage of Medical Records

Secure storage of medical records is an absolute legal requirement. The Privacy Rule requires reasonable safeguards for PHI in every form but does not dictate a particular mechanism for paper records; the Security Rule does set standards for electronic PHI (ePHI), requiring documented administrative, physical, and technical safeguards such as a risk analysis, access controls, audit controls, and encryption (encryption is an “addressable” specification, which means it may be skipped only where an equivalent alternative is implemented and the reasoning is documented). At a minimum, records must be kept in a controlled environment: only authorized personnel may have access to them, and only for appropriate purposes. The following are some firm recommendations and guidelines:

  • Medical records should be in locked cabinets, not left in hallways or otherwise in the open when not in use.
  • Medical records should never be left in areas where patients or other non-employees have access or could accidentally view the records.
  • Electronic records should be stored on and transmitted through systems that encrypt ePHI at rest and in transit; access to electronic records must require individual authentication, be limited by role to the personnel who need it, and be logged so that access can be reviewed after the fact.

Breaches

HIPAA’s Breach Notification Rule requires that a breach of unsecured PHI be reported up the chain. A business associate that discovers a breach must notify the covered entity. The covered entity must then notify each affected patient without unreasonable delay, and no later than 60 days after discovering the breach, and must notify the Secretary of Health and Human Services (without unreasonable delay for breaches affecting 500 or more individuals, or in an annual report for smaller breaches). A breach affecting more than 500 residents of a state also requires notice to prominent media outlets in that state. PHI that was encrypted in line with HHS guidance is not “unsecured,” which is why a lost laptop with properly encrypted ePHI is treated very differently from an unencrypted one. The exact procedure is set out in the Breach Notification Rule at: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Business Associate Agreement

A Business Associate Agreement (BAA) creates a legally binding relationship between a HIPAA covered entity and a third party, where that third party (the business associate) will or could have access to patients’ PHI. Business associates are most often companies hired by the covered entity to perform a needed service that involves PHI. Since the HITECH Act, business associates are directly liable under the HIPAA Security Rule and parts of the Privacy Rule, but the covered entity still may not hand them PHI until a BAA is in place. Examples of business associates include:

  • Third-party claims processors
  • Contract management services
  • Data storage companies
  • Independent auditors and consultants
  • Accountants
  • Medical transcriptionists

The HIPAA Privacy Rule requires a covered entity to have a signed BAA with a business associate before the third party may create, receive, maintain, or transmit PHI on its behalf. The BAA obligates the business associate to use and disclose PHI only as the agreement permits, to implement the safeguards the Security Rule requires, to report breaches and security incidents to the covered entity, to bind its own subcontractors to the same terms, and to return or destroy the PHI when the engagement ends. Sharing PHI with a business associate without a proper BAA in place is itself a HIPAA violation, regardless of whether any data is actually mishandled.

State Law

In addition to HIPAA, states have their own individual patient privacy laws. HIPAA sets a floor, not a ceiling: a state law that is more stringent than HIPAA (for example, one that gives patients more rights or puts tighter limits on disclosure of mental health, HIV, or substance-use records) is not preempted and must be followed alongside HIPAA, while a state law that is contrary to and less protective than HIPAA is preempted. Healthcare companies need to understand and comply with their particular state privacy laws to ensure complete compliance.

Let KAP help you navigate the maze of patient privacy and keep you safe.
