10 Common HIPAA Myths and Misconceptions
Health Insurance Portability and Accountability Act (HIPAA) compliance has become a top concern among doctors practicing in the United States. According to the Department of Health and Human Services (HHS), more than 36,000 HIPAA complaints have been investigated from April 2003 to June 2017.

But not everything you hear about HIPAA is true. Today, we're going to explore some of the most common HIPAA myths and misconceptions.
#1) Written Authorization is Always Required When Disclosing PHI

Normally, doctors must obtain the patient's consent via a written authorization form when disclosing his or her Protected Health Information (PHI) to third-party entities, as per the HIPAA Privacy Rule. However, there are certain exceptions to this requirement.

Doctors, for instance, can disclose PHI without the patient's written authorization if the disclosure is used to facilitate healthcare services, treatment or payment. Additionally, doctors are allowed to disclose a patient's PHI to law enforcement without written authorization if they believe the patient may cause harm to themselves or others. For all other situations, however, written authorization is typically required when disclosing PHI to third-party entities.
#2) You Don't Have to Report Small Breaches

Just because a PHI breach is small doesn't mean you can ignore it. The HHS requires doctors and covered entities to report all PHI breaches affecting fewer than 500 individuals to the HHS Secretary within 60 days of the end of the year in which the breach was initially discovered.

For larger breaches affecting 500 or more individuals, covered entities must notify the HHS Secretary without unreasonable delay and no later than 60 days from when the breach was initially discovered. All breach notifications -- those affecting fewer than 500 individuals and those affecting 500 or more individuals -- must be submitted manually using the online portal on the official HHS.gov website.
#3) Patient Sign-In Sheets Violate the Privacy Rule

If patient sign-in sheets were a violation of the Privacy Rule, we would see significantly more fines levied against doctors. From family-owned healthcare practices to large hospitals, countless healthcare providers use sign-in sheets. They are typically located at the front desk in the lobby, where patients sign their name to check in.

Keep in mind, however, that sign-in forms are only acceptable when they contain a limited amount of information about the patient. Requesting the patient's name, date and appointment time is perfectly fine. But if the sign-in sheet requires the patient's reason for visiting, it could be considered a violation of the Privacy Rule. Stick with basic information on your practice's sign-in sheets to avoid a HIPAA violation.
#4) Doctors Must Provide All Patients With a Copy of Their Medical Records

The Privacy Rule does not require doctors to provide all patients with a copy of their medical records. It does, however, give patients the right to request a copy of their medical records. Assuming the patient follows the required steps -- and the doctor does not believe the medical records will harm the patient's health -- the doctor must comply with the request.

If the doctor denies the patient's request for medical records, the doctor must notify the patient in writing. If the doctor does not comply, the patient may file a complaint with the Office for Civil Rights (OCR).
#5) Patients Can Sue Doctors for HIPAA Violations

Some doctors and covered entities wrongfully assume that patients can sue them for violating HIPAA. While patients can file a complaint with the OCR -- and the OCR may follow up by investigating the incident to determine if fines or corrective action are required -- patients cannot sue for HIPAA noncompliance.

With that said, some state laws allow patients to sue doctors for other reasons, such as breach of doctor-patient confidentiality or invasion of privacy.
#6) Doctors Cannot Disclose PHI to Friends

Family members aren't the only ones who can receive updates on the status of a patient's healthcare; friends can receive updates as well. This goes back to the Privacy Rule, which allows doctors and covered entities to disclose a patient's PHI without written authorization if the disclosure is used to facilitate healthcare treatment, services or payment.

A doctor, for instance, may inform a patient's roommate about the patient's medicine dosage. However, a doctor may decline to disclose PHI to a patient's friend if the doctor believes the patient objects to this disclosure.
#7) Password Protection is Sufficient for Electronic Devices Containing ePHI

Conventional passwords are becoming increasingly less effective at securing electronic devices. According to the 2016 Verizon Data Breach Investigations Report, an overwhelming majority (63%) of data breaches are caused by weak or stolen passwords. Therefore, password protection alone isn't sufficient for protecting electronic devices on which Electronic Protected Health Information (ePHI) is stored.

The HIPAA Security Rule requires covered entities to protect ePHI using "reasonable and appropriate" administrative, physical and technical safeguards.

Technical safeguards are technologies like unique user identification, emergency access, automatic logoff, encryption, authentication and password protection. Physical safeguards, on the other hand, are physical measures like maintenance records, locked doors, video surveillance, facility security plans, and media disposal. Administrative safeguards are policies and procedures designed to protect ePHI from disclosure.
#8) Encryption is a Required Specification of the Security Rule

Encryption is one of the most effective ways to secure data, leading many doctors to believe it's a required specification of the Security Rule. The HHS debunks this myth in the frequently asked questions section of its HIPAA website, stating that encryption is actually an addressable specification.

So, what does this mean exactly? Addressable specifications, including encryption, are only required under the Security Rule when the specification is deemed reasonable and appropriate in securing ePHI following a risk assessment. If a doctor conducts a risk assessment and determines that encryption is beneficial, he or she must then implement encryption as a safeguard.
#9) Covered Entities are Liable for Business Associates

Another HIPAA myth believed by doctors is that covered entities can be held liable for the actions of a business associate. If a business associate fails to implement the necessary safeguards to protect ePHI from disclosure, for instance, the doctor may assume that he or she is at fault. As a result, some doctors invest countless hours and resources into monitoring their business associates, checking to ensure they comply with HIPAA.

But HIPAA does not require covered entities to monitor the compliance or noncompliance of their business associates, nor can covered entities be held liable for such violations. The only requirement is for doctors to create a business associate agreement (BAA) when giving third-party entities access to PHI.
#10) Hackers Only Target Financial Data

Finally, some doctors believe hackers won't target their medical practice simply because they don't have valuable data, so they place HIPAA compliance on the back burner.

According to Forbes contributor Mariya Yao, the average cost of stolen credit card numbers on the black market is just $0.25, while social security numbers are even cheaper at $0.10. Electronic health records (EHR), however, can fetch hundreds or thousands of dollars. Besides, HIPAA violations can occur regardless of whether data was stolen.

As you can see, there are plenty of myths and misconceptions surrounding HIPAA. By understanding the nuances of HIPAA, doctors can improve privacy for their patients while also minimizing the risk of fines and corrective action plans stemming from violations.
For help with implementing security or other technology solutions contact:
Robert Blake
Bit by Bit Computer Consultants
721 N Fielder Rd. #B
Arlington, Texas 76012
Direct 817.505.1257
Mobile 972.365.7010