The Privacy Rule and Security Rule, both provisions of HIPAA (Health Insurance Portability and Accountability Act), mandate that health institutions and professionals protect patients’ personal and medical information. This data is valuable and can be used inappropriately by institutions such as insurance companies and credit checking agencies.
HIPAA sets the minimum standard for covered entities (including hospitals, healthcare clearinghouses, employer-sponsored health plans, health insurers and medical service providers) for maintaining privacy and enforcing the security of patients’ health information. Institutions and health professionals must avoid carelessly disseminating any and all patients’ health information.
Are you adhering to HIPAA regulations? The following warning signs mean you could be putting patient information at risk.
You’ve been giving law firms access to health information.
HIPAA states that covered entities may disclose health information for law enforcement purposes. However, law firms are not considered law enforcement agencies. Sharing health information without a court order is a violation of HIPAA regulations.
Law firms can only be given access to health information with a patient’s consent or with an existing court order. Even if these conditions are met, law firms can only access information specifically stated in the consent or court order.
Your institution keeps health information in electronic form with one password. And it doesn’t have a continuous risk analysis and management security program in place.
The absence of a risk analysis program for management of health information is a violation of the HIPAA Security Rule. HIPAA specifically states that entities must have a risk analysis and management program to determine which security measures are reasonable and appropriate. The risk analysis must be continuously implemented.
At minimum, HIPAA states that risk management must:
- Evaluate the likelihood and impact of potential risks to electronic health info.
- Implement reasonable security measures in response to risks identified in the required risk analysis.
- Document these security measures and their rationale where required.
- Continuously maintain and review these security measures.
You’ve been temporarily storing hard copies of individuals’ psychotherapy session notes in the stockroom.
HIPAA states that notes on patients’ psychotherapy treatment must have extra protection. Paper records are security risks because there is no inherent means of limiting access to the information, and one look discloses everything to intruders. That’s why storing psychotherapy notes in an unsecured stockroom (even temporarily) in paper form is a clear violation of HIPAA rules.
You’ve been allowing immediate access to health information strictly for research purposes.
HIPAA states that any health data containing a patient’s personal information cannot be used for research purposes unless the individual gives consent.
However, health information can be used for research purposes without individual consent in the following instances:
- The patient signed a waiver for the use or disclosure of protected health information for research purposes, with review and approval of the Privacy Board.
- Researchers made representations that the disclosure of protected health information is for the preparation of a research protocol, and that protected health information for which access is sought is necessary for that research.
Without the necessary consent, covered entities are only allowed to provide a limited data set of protected health information for research. But giving immediate access to health information, even for research purposes, is a violation of HIPAA regulations.
You haven’t been responding to patients’ requests for guidelines about the use and disclosure of personal health information.
HIPAA states that patients have the right to know how and why their personal health information is accessed. Covered entities must allow patients to see the accounting of their personal health information disclosures, and allow patients access to guidelines and protocols regarding the use and security of health information.
Not responding to patient requests for accounting and security guidelines of health information, whether through phone, email or mail, is a violation of HIPAA.
All personnel in your institution have physical and electronic access to health information.
This is a clear violation of the HIPAA Security Rule, which states that there must be physical, technical and administrative safeguards to protect electronic health information. This means that there must be restricted access to protected health information in order to maintain confidentiality and integrity.
Unrestricted access by employees to health records is a violation of HIPAA.