The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect an employee's health insurance coverage when they lose or change jobs. It also has provisions to ensure the privacy and confidentiality of Protected Health Information (PHI). Discover some common HIPAA violations examples and scenarios.
Not all health-related information about a person falls under HIPAA. In order to understand what constitutes a HIPAA violation, it's important to be aware of exactly what constitutes PHI in the context of HIPAA regulations.
"Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations."
- HIPAA Journal
Protected Health Information (PHI) specifically refers to information regarding patients of a healthcare provider or medical facility, as well as to members of a health insurance plan.
The privacy provisions of HIPAA apply to healthcare providers, health insurance companies and employers. They exist to protect the rights of individuals to limit access to their PHI. HIPAA violations occur intentionally or unintentionally. Either way, they are unlawful and can result in significant penalties.
There are many ways nurses or other medical personnel can commit HIPAA violations. From not being careful about where confidential conversations are held to making social media posts in which patients may be identifiable, anyone who works with patients or in medical facilities must be extremely careful.
- An emergency room employee who snaps a photo and posts it to social media to show how busy it is would represent a HIPAA violation, as people in the photo may be recognizable.
- A nurse shares patient information with a radiology technician who is authorized to receive the information. That is fine in and of itself. However, if the discussion takes place in a common area where non-authorized personnel could easily overhear. That would be a HIPAA violation.
- It's not unusual for family members to pressure nurses or doctors to share information with them about a loved one's medical condition or treatment options. Unless the patient has specifically authorized PHI to be shared with that person (in writing), this is not allowed.
- If a nurse or other medical professional releases PHI about a patient to a party that is not formally authorized to receive the data, this would be a violation. It's important to check authorization documentation, as patients have the ability to authorize the release of only certain kinds of information to specific parties.
- Releasing the wrong patient's information is a common unintentional HIPAA violation. This could occur through a careless mistake in a situation where two patients have the same or similar names. This is one reason why medical offices often verify additional information beyond a person's name, such as date of birth or address.
- Releasing information to an undesignated party is a HIPPA violation scenario. Only the exact person listed on the authorization form may receive patient information. If a patient authorizes his or her mother to receive medical information, she is the only person the information can be shared with.
- Releasing unauthorized health information is also a violation. This refers to releasing the wrong document that has not been approved for release. A patient has the right to release only parts of their medical record.
Security of medical records is serious business. HIPAA violations can easily occur as a result of failing to properly secure or store medical records.
- Failure to follow proper data security protocols for PHI is a serious breach of HIPAA regulations. Sending PHI via a public fax line or through unencrypted emails is an example of ways this type of HIPAA violation could occur.
- An administrative employee is tasked with destroying patient records or employee files that contain PHI. Such records must be properly shredded or otherwise disposed of in a manner consistent with the HIPAA Security Rule in order to prevent a violation.
- Incomplete or outdated paperwork can also be problematic. For example, any HIPAA form a patient signs needs to have a Right to Revoke clause. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations.
- Unprotected storage of private health information can be an issue. A good example of this is a laptop that is stolen. Private information stored electronically needs to be stored on a secure device. This applies to a laptop, thumbnail drive or any other mobile device.
- Leaving PHI visible on a computer screen while others can see it is a HIPAA violation. This is true in-person, as well as during video conferencing meetings or other sessions.
- An employee who works with medical records could inadvertently snap a selfie or work area photo that is actually displaying PHI, then post the image on social media or otherwise share it.
While employers don't provide healthcare, they do handle documentation related to group health insurance and medical records employees authorize their doctors to provide to the company for specific purposes (excused abscesses, Family Medical Leave (FML) documentation or disability accommodation requests).
- A manager mentions to HR that an employee called in with a cold. This is not a HIPAA violation. The benefits administrator replies by telling the manager information about the employee's recent filings on the company's health insurance plan. That is a HIPAA violation.
- A team member asks the boss why one of their peers is out so much. The manager tells the employee to go ask HR. The HR representative shares information that was included in records the absent employee authorized his or her doctor to provide to the employer for FML purposes.
- If a benefits administrator uses a cell phone or tablet to access employee records with PHI and the device is stolen without being properly protected against unauthorized access, the result would be a HIPAA violation.
- Having an HR system that allows employees who have no legitimate reason to see health information related to health insurance claims or other PHI the company has on employees is a HIPAA breach. Only those with a legitimate need to know should be able to see such information.
Many different circumstances can breach HIPAA requirements for protected health information.
- telling friends or relatives about patients in the hospital, doctors office or treatment facility when you work
- discussing patients or PHI in public areas of the hospital, including the lobby of a hospital, an elevator or the cafeteria
- discussing patients or PHI over the phone in a public area
- not logging off your computer or a computer system that contains PHI
- allowing members of the media to interview a patient in a substance abuse facility
- posting images to social media that could potentially include patient likenesses without specific written permission to do so
- sharing images to social media in which PHI is in any way visible
PHI isn't an all or none scenario. Certain personnel may need to know some information about patients, but that doesn't mean they should have access to all patient data.
- HIPAA regulations for "need to know" include: The security guard in a healthcare institution needs to know the name and room number of patients to guide visitors. This is allowed; but, any other information, such as diagnosis or treatment, is not to be disclosed.
- HIPAA regulations for "need to know" include: A nurse needs access to private health information for the patients in his/her unit but not for any patients that are not in that unit.
- HIPAA regulations for "minimum necessary" include: A health insurance company will need information about the number of visits the customer had; but, isn’t allowed to view the entire patient history.
If you ever experience a HIPAA violation, you can file a complaint online with the Office of Civil Rights of the Department of Health and Human Services. It is also a good idea to contact the organization where a violation may have occurred to file a complaint via their official policy.
The HIPAA Privacy Rule provides important protections related to personally identifiable information with regards to medical scenarios. Now that you're aware of several common HIPAA violations and scenarios, you know the types of things to avoid if you work with this type of information, as well as a general overview of your rights regarding your own PHI. Next, you may find it interesting to explore the difference between data and information. After all, both can be examples of PHI.