It was the year 2003. What do you remember about that year? In Da Club by 50 cent topped the charts. Women spent all day pulling up their super low-rise jeans. George W. Bush was literally on the warpath. Sound familiar? The Health Insurance Portability and Accountability Act (HIPAA) of 1996 came to be enforced as a federal law that year, but I doubt that is a memory etched in your brain. Almost 2 decades later, many healthcare providers still don’t understand the law and/or take the law seriously.
What is HIPAA? As alluded to in the title, it’s not a zoo animal, but a law protecting a patient's right to access and privacy with regard to their protected health information (PHI). It sets rules and regulations for covered entities and providers to prevent and mitigate ePHI breaches, i.e., to "secure" ePHI. See video below:
PATIENTS: Arm yourselves with knowledge on your rights under HIPAA. Hold providers accountable. You can file a complaint with the Office of Civil Rights, Health and Human Services (OCR HHS) on-line, by phone, or by mail if your rights are violated. Civil litigation is only an option in some states under state laws. Some cases are referred from the OCR to the Department of Justice for criminal conviction.
COVERED ENTITIES:
- Provide adequate, ongoing training to employees and business associates responsible for handling PHI.
- Have policies and procedures aimed at preventing and mitigating data breaches.
PROVIDERS: Doctors, mid-levels, nurses, allied health professionals, and ancillary staff: You are responsible for knowing how to do your job legally. Pleading ignorance after an unauthorized disclosure, etc. is NOT acceptable. If you’re unclear on HIPAA rules and regulations, reach out to your employer to request information and/or additional training, or peruse the OCR HHS website. Any disclosure of a patient's PHI by a healthcare provider must be for the purpose of treatment, and at least one of the following three circumstances must apply for the disclosure to count as being for "treatment purposes" (45 CFR § 164.506):
- provision, coordination or management of healthcare & related services
- consultation between healthcare providers
- referral of a patient from 1 healthcare provider to another
BOTTOM LINE: We have had nearly 2 decades to get familiar with HIPAA at this point. There’s no excuse for the lack of accountability that still goes on in healthcare, and being careless with PHI may have consequences that are detrimental to the well-being of the patient, the provider, and the pertinent organizations. I personally think that, if civil litigation is not an option at the federal level, then the penalties/fines collected by the OCR HHS for violations should be partially reallocated to the victims, particularly if damages are clearly present as a consequence. This would motivate patients to hold covered entities accountable and increase compliance in the long run.
Like the HIPPO, the HIPAA rules and regulations can pose danger if not properly understood and respected. Don’t find yourself ignorant of the threat it may pose to patients whose rights are NOT respected and to covered entities who face penalties and additional requirements when HIPAA must be enforced.