Patient confidentiality laws your practice needs to know

70 percent.

That’s how much healthcare data breaches increased from 2010 to 2017.

The news is full of stories about these breaches. There are enough to make you think it’s an epidemic, and unfortunately, it is. This epidemic is costing patients their personal information, such as their social security number, financial account numbers, and private health records.

If you deal with any form of healthcare data, you’re probably wondering how you can protect your clients’ personal health information. Let’s see how patient confidentiality laws can protect your client’s healthcare data and stop this epidemic in its tracks.

HIPAA and patient confidentiality laws

When people talk about patient confidentiality laws, they’re usually referring to the Health Insurance Portability and Accountability Act of 1996, better known by the acronym HIPAA. HIPAA is a federal law that regulates how people’s protected health information, or PHI, can be used and stored. Any business or agency that has access to healthcare data has to follow HIPAA guidelines.

These basic guidelines require you to

• Create privacy policies and procedures designed to help the business follow HIPAA standards.
• Routinely monitor how well your organization follows patient confidentiality laws.
• Have a HIPAA-friendly officer who investigates any confidentiality complaints.
• Train all employees on how to follow HIPAA standards during the course of their work.
• Install safeguards on any device containing PHI so that only authorized individuals can access it.
• Encrypt all PHI.
• Sign a HIPAA business associate agreement with any third party that can access or use your data.

In addition to these basic HIPAA guidelines, there are other federal and state laws that protect patient confidentiality. How important is it that you follow these guidelines to the letter?

Here are some lesser-known patient confidentiality related HIPAA security rules you need to know:

• Directory information rule. If a patient is admitted to a facility or an emergency room, you can relay the patient’s location and general health status to a person who calls and asks about that patient by name. However, it’s unacceptable to share any information with a caller if the patient just has a routine exam.
• Treating physician rule. If a person calls your office claiming to be treating your patient, no signed forms are needed. However, you’re only required to share information that you deem relevant to the other physician’s treatment of your patient. That leaves a little bit of a gray area. What exactly is considered relevant is up to your professional judgment.
• Social media rule. Many practices are so afraid of HIPAA violations that they overlook how to share health information legally on social media. Using health information, such as real patient experiences, on social media can be a very effective marketing tool for your practice. To use it, you’ll need a signed PHI release form from the patient that includes what information you will use, how you will use it, and for how long.  
• Business Associate Agreement (BAA) rule. A business associate is any third party that you grant access to protected health information for business purposes. Business associate agreements are legal contracts that define how your business associate maintains features that help with HIPAA compliance. If you authorize access to ePHI to anyone outside of your organization, you must have a signed BAA from that person.
• Departing doctor rule. Medical professionals who leave a practice may think their patient records go with them. In a multi-physician practice, that’s not always true. Protected health information belongs to the covered entity, the practice. If you choose to transfer the PHI to the departing physician, you’ll need to get a signed records custodian agreement from each patient and a BAA from the departing doctor.

What are the consequences of violating patient confidentiality laws?

A HIPAA breach can lead to serious consequences for your business. Depending on the kind of violation and how quickly you fix it, you could be fined or receive jail time.

HIPAA violations that fall in the civil category usually incur fines instead of jail time. These fines can be lighter if you are unaware that something violates HIPAA, only violate HIPAA once, or try to correct the violation as soon as possible. But willfully neglecting HIPAA standards or not correcting the problem could land you a fine of $50,000 or more per violation.

If the violation is in the criminal category, then jail time becomes a possibility. HIPAA violations are considered criminal when you knowingly breach HIPAA; use false pretenses; or sell, transfer, or use the information for personal gain. Criminal HIPAA violations can land you in jail for up to 10 years.

If violating patient confidentiality laws is such a big deal, then why, and how, are companies still breaching HIPAA so often?

The most common ways businesses break HIPAA and confidentiality laws

The most common patient confidentiality breaches fall into two categories: employee mistakes and unsecured access to PHI.

Employees can violate HIPAA by looking at patient records they don’t need to access for their job, posting patient information on social media, and not taking proper precautions to protect patient privacy. These breaches often happen because employees don’t understand that their actions violate HIPAA.

Unsecured access to PHI occurs for many reasons. The device storing the information might not be equipped with basic security measures, such as passwords and data encryption. Or the device could be misplaced, lost, or stolen. These breaches happen because people aren’t careful enough with their devices or forget that any device with PHI on it needs to be secure.

Now we know what HIPAA is, what the consequences of violating it are, and how most businesses breach it. How can your business follow HIPAA standards?

How can you follow HIPAA standards?

There are many things you need to do to follow HIPAA and patient confidentiality laws. Every business should look at the federal and state confidentiality laws that apply to them to ensure they are compliant. Here are some basic ways you can follow HIPAA standards:

• Appoint a HIPAA-friendly officer for your business.
• Create a privacy policy and HIPAA-friendly procedures.
• Have a lawyer look over your procedures to ensure they cover all laws.  
• Perform routine assessments of how well your business is following these procedures.
• Immediately correct any compliance issues you find.
• Train your employees on how to be HIPAA-friendly.
• Draw up a HIPAA business associate agreement for any business that interacts with or uses your healthcare data.
• Install strict security measures on any device that contains PHI.

Breaching patient confidentiality brings serious legal consequences. Following HIPAA standards and patient confidentiality laws protects your business from expensive fines. It also prevents the loss of patients’ personal information and builds their trust in your business.