Top HIPAA Violations Every Physician Should Keep on Their Radar

Here we cover several common yet costly HIPAA violations.

It’s not easy being a physician. People in this profession need to be driven and have an astounding amount of focus to attend to the numerous aspects of healthcare, like compassionate service and excessive administrative work.

Patient privacy is also something that all physicians are dedicated to. It’s the foundation of medical care, as evidenced by the Hippocratic Oath and the Health Insurance Portability and Accountability Act (HIPAA).

Doctors and medical professionals are entrusted with a patient’s most personal information. The trust their patients place in them is sacrosanct, which is why HIPAA established strict rules on sharing and using Protected Health Information (PHI).

Ironically, hospitals are the top violators of HIPAA’s privacy rules. According to the American Medical Association, outpatient facilities, private practices, health plan groups, and pharmacies are also on the list.

HIPAA violations can have severe consequences for healthcare organizations and their personnel. Infractions can result in financial penalties ranging from $150 for a “non-malicious” violation to $3.1 million for “willful neglect.”

HIPAA violations by doctors are unacceptable, so healthcare personnel should work to better understand their obligations to their patients and under HIPAA. Any good physician should keep the following violations on their radar and strive to avoid them.

Improper Use and Disclosure of Personal Health Information

Facilitating a breach of a patient’s privacy is one of the worst things a physician or healthcare organization can do. This kind of breach happens when PHI is used or disclosed in a way that undermines the patient’s privacy.

A PHI breach can happen in several ways. It can be due to unintentional carelessness, like a busy nurse leaving a patient’s chart exposed on a table. Sending patient information through email or a messaging platform is also a security violation. So is throwing a patient chart in the trash instead of shredding it.

Hacking or losing a device where unencrypted PHI is stored is a serious HIPAA violation that can result in massive fines and even imprisonment.

The Office for Civil Rights (OCR) is responsible for enforcing HIPAA privacy compliance. OCR will presume a breach occurred unless the healthcare organization can demonstrate a low probability that the PHI was compromised. A risk assessment is conducted to make that determination, and the assessment considers the following:

  • Whether the information was viewed or taken
  • Type of information, including identifying details
  • Safeguards implemented to keep data confidential
  • Identity of the person who committed the violation

Denying Patients Access to Their PHI

The HIPAA Privacy Rule clearly states that patients have the right to access their healthcare records and request copies. This lets patients check their medical records for mistakes and share them with other individuals. A physician or healthcare agency will be penalized if patients are denied access to their records, which is one of the most common HIPAA violations.

There are also penalties if patients are overcharged for the copies. Failure to provide those records within 30 days of the request is a HIPAA violation.

Penalties for denying patients access to their records are costly. Cignet Health of Prince George’s County was fined $4,300,000 for blocking patients from accessing their records. The Riverside Psychiatric Medical Group received a $25,000 penalty for their delayed action to a patient’s request for a copy of their records.

There are a few situations where physicians can deny a patient access to their records. One is if the patient is in danger of harming themselves. Another exception is when the requested information is not part of the records kept by a covered entity, like therapy notes.

Minimal Administrative Safeguards for PHI

The HIPAA Security Rule requires all physicians to safeguard the electronically stored PHI (ePHI) of their patients. This is done through the use of the relevant administrative, physical, and technical safeguards. HIPAA has laid out the protections it considers necessary to ensure the integrity, confidentiality, and security of ePHI.

Administrative safeguards refer to the policies, procedures, and administrative actions the organization implements. Their entire workforce must go through training and agree to uphold these policies regardless of their level of access to PHI.

Physical safeguards are the electronic equipment and physical structures an organization uses to protect patient health information. Aside from physically securing the computers and equipment used to access and transmit PHI, organizations are also expected to use electronic security systems. Putting the appropriate safeguards in place is important to avoid HIPAA violations of any kind.

Technical safeguards complement their physical counterparts. They refer to the technology that protects and controls access to ePHI, and they also encompass the policies and procedures for using that technology.

Physicians are not exempt from HIPAA compliance. They carry the greater burden of ensuring every security compliance measure is in use. Failure to do so could lead to a loss of patient trust and to sanctions under HIPAA.
