10/4/19

HIPAA - Not a Semi-Aquatic Mammal


It was the year 2003. What do you remember about that year? In Da Club by 50 Cent topped the charts. Women spent all day pulling up their super low-rise jeans. George W. Bush was literally on the warpath. Sound familiar? The Health Insurance Portability and Accountability Act (HIPAA) of 1996 came to be enforced as a federal law that year, but I doubt that is a memory etched in your brain. Almost 2 decades later, many healthcare providers still don’t understand the law and/or take it seriously.






What is HIPAA? As alluded to in the title, it’s not a zoo animal, but a law protecting a patient's right to access & privacy with regard to their protected health information (PHI). It sets rules/regs for covered entities & providers to prevent & mitigate ePHI breaches or "secure" ePHI.





PATIENTS: Arm yourselves with knowledge on your rights under HIPAA. Hold providers accountable. You can file a complaint with the Office of Civil Rights, Health and Human Services (OCR HHS) online, by phone, or by mail if your rights are violated. Civil litigation is only an option in some states under state laws. Some cases are referred from the OCR to the Department of Justice for criminal conviction.

COVERED ENTITIES: Provide adequate, ongoing training to employees & business associates responsible for handling PHI. Have policies and procedures aimed at preventing and mitigating data breaches.

PROVIDERS: Doctors, mid-levels, nurses, allied health professionals, and ancillary staff: You are responsible for knowing how to do your job legally. Pleading ignorance after an unauthorized disclosure, etc. is NOT acceptable. If you’re unclear on HIPAA rules and regulations, reach out to your employer to request information and/or additional training, or peruse the OCR HHS website. Any disclosure of a patient's PHI by a healthcare provider must be for the purpose of treatment, & at least 1 of the following 3 circumstances must apply to permit PHI disclosure for "treatment purposes" (45 CFR § 164.506):

  1. provision, coordination or management of healthcare & related services
  2. consultation between healthcare providers
  3. referral of a patient from 1 healthcare provider to another

It should also be noted that a provider does NOT have the right to access a patient's PHI except for these specific purposes.

BOTTOM LINE: We have had nearly 2 decades to get familiar with HIPAA at this point. There’s no excuse for the lack of accountability that still goes on in healthcare, & being careless with PHI may have consequences that are detrimental to the well-being of the patient, provider, & pertinent organizations. I personally think that, if civil litigation is not an option at the federal level, then the penalties/fines collected by the OCR HHS for violations should be partially reallocated to the victims, particularly if damages are clearly present as a consequence. This would motivate patients to hold covered entities accountable and increase compliance in the long run.

Like the HIPPO, the HIPAA rules and regulations can pose danger if not properly understood and respected. Don’t find yourself ignorant of the threat it may pose to patients whose rights are NOT respected and covered entities who face penalties and additional requirements when HIPAA must be enforced.