Protected Health Information – A Privacy Issue
A cardiac monitoring vendor had to pay a $2.5 million settlement after a laptop containing hundreds of medical records was stolen from a parked car. A Texas hospital employee got an 18-month jail term for wrongful disclosure of private patient medical information. An employee at an Oregon hospital inappropriately viewed the electronic medical records of nearly 2,500 patients out of curiosity. A member of a cleaning crew at a Minneapolis healthcare center accidentally disposed of documents which contained sensitive patient health information in the regular trash.
Protected Health Information (PHI) has become one of the most important administrative issues facing the medical sector since the implementation of the Health Insurance Portability and Accountability Act (HIPAA) of 1996—and violations of this law continue to cost facilities millions of dollars in claims and fines. The penalties for violations of the law can vary from $100 to $50,000 or more per violation—which means that many facilities can, and have, faced fines of millions of dollars for even accidental breaches.
It is vital for staff to understand clearly the requirements for preserving patient confidentially, and, just as importantly, the mechanics of preserving such data.
In order to fulfill the HIPAA requirements, the Department of Health & Human Services (HHS) published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
The Privacy Rule applies to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the so-called “covered entities,” which include all private and public health insurance, and all providers who submit electronic claims or hold electronic files).
The Privacy Rule specifically protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
This “individually identifiable health information” includes demographic data that relates to an individual’s past, present, or future physical or mental health or condition, the provision of healthcare to the individual, or the past, present, or future payment for the provision of healthcare to the individual, or that in any way allows for the identification of an individual.
The Privacy Rule lists in detail under which circumstances limited access to data may be provided—usually only with the subject’s specific permission—but more importantly, it also demands of all “covered entities” that they develop and implement written privacy policies and procedures that are consistent with the Privacy Rule. This includes the creation of a specific structure devoted exclusively to ensuring compliance with the law. It is the failure to follow this rule that is most often the single greatest mistake a facility or an individual employee can make—and why it is so important to have all these structures in place from the very beginning.
The Security Rule addresses the technical and non-technical safeguards that covered entities must put in place to secure individuals’ “electronic protected health information.” This is due to the rise in privacy breaches which resulted from the digitization of patient records, and their vulnerability to hacking, accidental loss, and deliberate breaches.