You can go to jail for violating HIPAA laws. It’s happened before and it’ll happen again.
In one recent case, a former autism treatment center employee was convicted of stealing the protected health information (PHI) of 300 current and former patients.
He pled guilty and received a 30-day jail sentence followed by 3 years of supervised release. He was also required to pay $14,941.36 in restitution.
The employee’s access to PHI was revoked upon his termination. But it appears he gained access to a shared Google Drive. With that access he downloaded the information to his personal Gmail account.
Evidence was found that he’d researched how to hack into the shared drive prior to the theft. All in all, it would seem the punishment fit the crime.
The Curious Case of “Dr. H”
But then there’s the case of “Dr. H”, a disgruntled cardiothoracic surgeon stuck in a research position at a major metropolitan hospital.
He struggled to learn English and fit in with co-workers after emigrating from China. His bad attitude and poor performance reviews led to his termination.
While appealing his firing, he spent his last work days entertaining himself by looking at the PHI of various patients. Among them were movie stars, TV personalities, and elected officials.
He kept what he saw to himself and never considered selling the information. He assumed, by doing so, he wasn’t breaking any laws.
He was mistaken.
Following “Dr. H’s” official termination, he was charged with violating HIPAA. The charge was a misdemeanor for accessing individuals’ private health information without a valid reason.
His sentence was four months in prison, a year of supervised release, and a $2000 fine.
HIPAA: A Brief History
How did we arrive at healthcare professionals serving jail time for viewing PHI?
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The primary goal was to “improve the portability and accountability of health insurance coverage” as employees transitioned between jobs.
HIPAA also sought to end waste, fraud, and abuse while simplifying health insurance administration.
After HIPAA’s passage, the Department of Health and Human Services (HHS) started creating what we now call the Privacy and Security Rules. The HIPAA Privacy Rule went into effect in 2003, followed by the Security Rule in 2005.
To give HHS the power to enforce violations of the Privacy and Security Rules, the Enforcement Rule was enacted in 2006.
The goal all along had been to move the healthcare industry towards storing PHI electronically. But it wasn’t until the passage of The American Recovery and Reinvestment Act of 2008 that HHS had the power to move the conversion to Electronic Health Records (EHR) forward.
The result was the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. Now healthcare entities would receive incentives for maintaining EHR’s versus paper files.
With the incentives also came the Breach Notification Rule. Mandatory reporting became necessary for all breaches of electronic PHI affecting over 500 individuals.
The Final Omnibus Rule passed in 2013 to fill in gaps and better define the provisions found in HIPAA’s 5 established rules.
HIPAA Guidelines for the Medical Office: The Basics
With that brief HIPAA overview behind us, let’s answer the question, “What is HIPAA law”. We’ll begin this medical compliance lesson with the 5 Rules.
HIPAA’s 5 Rules are:
Privacy Rule – mandates privacy and protection of health information and sets requirements for PHI handling in all forms
Security Rule – sets requirements for protecting EMR’s in the administrative, physical, and technical areas
Transactions and Codesets Rule – covers transaction standards and code sets, like Standards 5010 and ICT-10
Unique Identifiers Rule – promotes standardization and efficiency in HIPAA transactions
Enforcement Rule – expands the Privacy and Security Rules and increases penalties for HIPAA violations
The bottom line is healthcare providers must exercise the highest degree of care in 3 areas – handling PHI, interacting with each other, and dealing with the public. Here are some practical things you should know so you can be in compliance at all times:
Sharing is Not Always Caring
Conversations about patients near those who shouldn’t hear PHI are violations waiting to happen. This includes sharing patient information with friends and family.
In tight-knit communities, it’s easy to slip up and answer a question from a well-meaning neighbor. It’s also a big no-no.
Medical Charts Are Not for Public Viewing
Something innocuous, like leaving a patient’s chart hanging in their room, is a recipe for disaster. All printed medical records must stay out of public view. Lock this information away after every use.
One Lost Laptop Can Ruin Lives
Laptops, and other devices, get lost or stolen all the time. A massive violation can result from unsecured PHI on your device. Use encryption and password protection to access PHI on all devices.
Even Your Home Computer Isn’t Safe
It’s common for providers to access PHI on their home computers for work purposes. A mistake as simple as leaving the screen on when you walk away can become a HIPAA violation. Keep PHI safe by password protecting home computers and keeping mobile devices hidden.
Unsafe Texting Goes Viral
Texting is quick and easy, no doubt. It’s also a potential HIPAA violation if both sender and receiver lack the proper safeguards. Install encryption software on your smartphone. Only text PHI to phones you know have it installed, too.
Ignorance of HIPAA is Never Bliss
“Dr. H” didn’t think he was doing anything wrong. That’s why all persons with access to PHI must receive HIPAA compliance training. This means volunteers and interns as well as staff, administration, and management.
A Solution for All Things HIPAA
You know HIPAA guidelines for your medical office are a big deal if a researcher’s idle amusement lands him in jail for four months. We’re sure you don’t want that for yourself or any of your employees.
HIPAA compliance is complicated. There are so many moving parts with technology woven through most of them.
But there’s one solution that brings all things HIPAA together. Assess and mitigate risk, document compliance and train your entire staff – all in one place. Learn more about this comprehensive HIPAA solution today.