Common HIPAA Violations: Help Home Health Care Providers Stay Compliant

February 14, 2024

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established nationwide standards for the confidentiality, security, and transmission of protected health information (PHI). PHI includes names, birthdates, phone numbers, email addresses, Social Security numbers, medical record numbers, health insurance details, biometric identifiers, and any other data created or collected by a covered entity (or a covered entity’s business associate) that can be linked to a specific individual.

The Department of Health and Human Services (HHS) defines covered entities as health care providers, health plans, and health care clearinghouses. Providers include hospitals, physicians, chiropractors, dentists, and optometrists; schools, nonprofit organizations that offer some health care services, and government agencies are also covered entities when they provide health care and transmit health information electronically in connection with a standard transaction.

The HIPAA Privacy Rule requires health care providers, including home health care and hospice organizations, to safeguard protected health information and keep it private. The Rule also limits how PHI may be used and disclosed without patient authorization, and it grants patients access to their health information, including the right to obtain a copy of their records and to request corrections.

What Are Permitted Disclosures of PHI for Home Health Care Providers?

The Privacy Rule permits disclosures of PHI in a defined set of situations. For home health care providers, these typically include disclosures to the individual, to other providers and staff for treatment, payment, and health care operations, and to public health or law enforcement officials when required by law.

In most other cases, home health care personnel must either give the individual the opportunity to agree or object to the disclosure or obtain a signed authorization. The individual may limit what information is disclosed and to whom, and may revoke an authorization at any time (revocation does not undo disclosures already made in reliance on it).

PHI Violations

According to the HIPAA Journal, PHI violations range from disclosing more than the minimum necessary to accomplish the purpose of an otherwise permitted disclosure, to the breach of an unencrypted database that exposes the PHI of thousands of patients.

A covered entity or business associate can also violate HIPAA by failing to train employees on policies and procedures, failing to document that training, and withholding notice of a breach from the affected individuals, the HHS Office for Civil Rights (OCR), and, for breaches affecting more than 500 residents of a state or jurisdiction, the media. In recent years, significant fines have been imposed for failing to comply with the Breach Notification Rule or for notifying outside the time frame the Rule specifies.

HIPAA violations can result in significant civil money penalties from the OCR: up to $1.5 million per calendar year for violations of the same provision, a cap that is adjusted annually for inflation.

How Does the OCR Enforce HIPAA and Determine a Resolution? 

The OCR is responsible for investigating filed complaints, conducting compliance reviews of covered entities, and performing education and outreach to encourage compliance. Once the OCR decides whether to investigate a complaint, it notifies both the complainant and the organization named in the complaint, and asks both parties for information about the incident described.

By law, covered entities must cooperate with complaint investigations. After reviewing the information and evidence in a case, the OCR determines whether the organization violated the HIPAA Privacy, Security, or Breach Notification Rules. If it concludes that a violation occurred, the OCR will seek voluntary compliance, corrective action, and/or a resolution agreement. When an organization does not comply, the OCR may impose civil money penalties. An organization that is fined may ask an HHS administrative law judge to decide whether the penalty is supported by the evidence in the case.

Common HIPAA Violation Citations

  • Non-performance of an organization-wide risk analysis
  • Lack of a risk management process
  • Unauthorized access to PHI
  • Inadequate access control for ePHI
  • Failure to use encryption or its equivalent
  • Reporting breaches past the 60-day deadline
  • Failure to enter into a HIPAA-compliant business associate agreement
  • Lack of employee training
  • Improper disposal of PHI
  • Reckless use of social media

Examples of violations include:

  • Employees divulging patient information to unauthorized parties, including coworkers, acquaintances, family members, or external suppliers. Such information should be discussed only in private with personnel authorized to receive it.
  • Mishandling patient records, especially in agencies still using paper-based systems. To prevent unauthorized access, patient documents should be kept in locked areas and never left lying around the office.
  • The loss or theft of a device storing PHI is a major HIPAA violation. Devices should be protected with strong passwords, automatic screen locking, and full-disk encryption; under HHS guidance, PHI on a properly encrypted device is not "unsecured" PHI, so a lost encrypted device generally does not trigger breach notification.
  • Texting patient information may be quick and easy, but standard SMS is unencrypted and readable on any lost or compromised phone. Sharing patient names or information by text can result in hefty fines ($5,000 per text) and legal consequences.
  • Discussing patient information on Skype, Zoom, or comparable platforms carries risks similar to texting: a consumer-grade platform may not encrypt sessions adequately, and its vendor may not have signed a business associate agreement. Choose a video platform that encrypts sessions and whose vendor will sign a business associate agreement.
  • Sharing confidential information with a patient over the phone in a public setting violates HIPAA. Phone conversations about PHI must take place in a private environment.
  • Sending PHI by unencrypted email is a common HIPAA violation, since it exposes patient information to possible unauthorized access in transit and in every mailbox it lands in. Use encrypted email or another communication channel covered by a business associate agreement.
  • Even if no names or other details accompany them, posting patient photographs on social media violates HIPAA. Such posts can inadvertently reveal patient identities and health information. Strict policies and training should underscore that patient-related content is never shared on personal or professional social media profiles.
  • Using personal computers to view patient information after work hours is permitted only where the organization's policies allow it, and then with care. Screens should be locked when unattended and protected by passwords so family members and others cannot see patient data. These procedures should be reinforced through regular policy training.
  • Another common breach is accessing patient information without proper authorization, regardless of motive. Employees must access patient data only when it is required for their assigned tasks.
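Two items above, disclosing more than the minimum necessary and employees reading records outside their assigned tasks, come down to least-privilege access control plus an audit trail that someone actually reviews. The following Python is an added example and is not code from the article or from One80 Intermediaries/Manchester Specialty. It assumes a deliberately simple model: each caregiver has an assigned caseload of patient IDs, every record read is written to an audit log, each disclosure purpose has an allow-list of fields, and a reviewer scans the log for reads outside a caregiver's caseload. The caseload map, record fields, log format, IDs, and log lines are all constructed for illustration.

```python
"""Least-privilege access to ePHI with audit logging and after-the-fact review.

Added example, not from the article. The caseload model, field allow-lists,
record layout and log format are assumptions; all data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed caseload assignments: caregiver -> patients they are assigned to.
CASELOAD: Dict[str, Set[str]] = {
    "nurse-101": {"pt-7001", "pt-7002"},
    "aide-202": {"pt-7003"},
}

# Constructed patient records. Field names are assumptions for the example.
RECORDS: Dict[str, Dict[str, str]] = {
    "pt-7001": {"name": "A. Example", "dob": "1950-01-02", "address": "1 Main St",
                "diagnosis": "CHF", "medications": "furosemide"},
    "pt-7003": {"name": "B. Example", "dob": "1947-05-06", "address": "2 Elm St",
                "diagnosis": "COPD", "medications": "tiotropium"},
}

# Minimum-necessary allow-lists: which record fields each purpose may see.
MINIMUM_NECESSARY: Dict[str, Set[str]] = {
    "treatment": {"name", "dob", "address", "diagnosis", "medications"},
    "scheduling": {"name", "address"},
}


def minimum_necessary(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Return only the fields the stated purpose is allowed to see.

    An unknown purpose has an empty allow-list, so it sees nothing.
    """
    allowed = MINIMUM_NECESSARY.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}


@dataclass
class AuditEvent:
    actor: str
    patient: str
    purpose: str
    allowed: bool

    def to_line(self) -> str:
        # Log who tried to read which record and why, never the PHI itself.
        result = "allowed" if self.allowed else "denied"
        return f"actor={self.actor} patient={self.patient} purpose={self.purpose} result={result}"


@dataclass
class EphiGateway:
    caseload: Dict[str, Set[str]]
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read_record(self, actor: str, patient: str, purpose: str) -> Optional[Dict[str, str]]:
        """Deny unless the patient is on the actor's caseload; log every attempt."""
        allowed = patient in self.caseload.get(actor, set())
        self.audit_log.append(AuditEvent(actor, patient, purpose, allowed))
        if not allowed:
            return None
        return minimum_necessary(self.records.get(patient, {}), purpose)


def parse_audit_line(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value ...' audit line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def flag_out_of_caseload(lines: List[str], caseload: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return every logged event whose patient is not on the actor's caseload.

    A denied attempt shows the gateway working but still warrants a question to
    the employee; an *allowed* read outside the caseload means the gateway or
    the assignment data is wrong, and that needs follow-up immediately.
    """
    flagged = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev["patient"] not in caseload.get(ev["actor"], set()):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    gw = EphiGateway(CASELOAD, RECORDS)
    print(gw.read_record("nurse-101", "pt-7001", "scheduling"))  # name and address only
    print(gw.read_record("aide-202", "pt-7001", "treatment"))     # None: not on caseload
    for ev in flag_out_of_caseload([e.to_line() for e in gw.audit_log], CASELOAD):
        print("REVIEW:", ev)
```

The two halves are deliberately separate: the gateway enforces the rule at read time, and the reviewer re-derives the rule from the log independently, so a bug or misconfiguration in one does not silently hide in the other. In a real deployment the log lines would also carry a timestamp and source address and would be shipped to write-once storage, because the Security Rule's audit-control requirement is only useful if the log itself cannot be edited by the people it records.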

Making the privacy and security of patient information a priority is critical to the continued success of a home health care provider. Beyond the HIPAA violation itself, exposed data can be misused by cyber criminals, leaving the provider open to third-party lawsuits. All providers should keep their training materials current and conduct annual HIPAA training to prevent violations. In addition, be sure your clients carry Cyber Liability insurance in the event of a breach, as well as Professional Liability insurance, which can often be endorsed to cover the costs of HIPAA proceedings, fines, and penalties.

About One80 Intermediaries/Manchester Specialty

Manchester Specialty, a division of One80 Intermediaries, is a national specialty underwriting and insurance program management firm, licensed to do business as a program administrator in all 50 states and D.C. Our agent/broker partners and their Allied Health clients look to us for our expertise, broad product capability, and commitment to the market and the quality and stability of our insurance programs for Home Care, Medical Staffing, Allied Health, and Human Services organizations. For more information, call us toll-free at 1-855-972-9399 or visit Allied Health Firms – One80 Intermediaries.