The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law with the stated purpose “to improve the efficiency and effectiveness of the health care system. This included administrative provisions that required Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security”. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted with the stated purpose “to promote the adoption and meaningful use of health information technology”. The HITECH Act modified the Privacy and Security Rules and was the first notable change to the HIPAA Privacy and Security Rules since their origin. These modifications included breach notification requirements, increased civil monetary penalties for HIPAA violations, and strengthened certain privacy rights. In 2013, the Omnibus Rule went into effect, implementing the statutory amendments made under HITECH. The Omnibus Rule made several modifications, some of which are listed below:
- Expanded the Business Associate Agreement (BAA)
- Enacted a standard notification of privacy breaches and specifications on assessing a breach
- Prohibited the sale of Protected Health Information (PHI) without authorization
- Specified requirements and language to be included in Notices of Privacy Practices
- Granted individuals the right to access their PHI in electronic records
- Increased civil penalties for willful neglect
Who is responsible for ensuring the privacy and security of PHI? All health care providers are. Protecting patient information has always been part of our ethical obligations as health care providers. PHI is individually identifiable health information that is or was created, accumulated, or saved by health care providers and maintained in any form (electronic or written). This information includes past, present, or future health, conditions, care, treatment, and even payment for care and treatment. Information that omits a patient’s name, social security number, date of birth, etc. may still be PHI: if the information can be used to identify the individual, sharing it may put you in violation of HIPAA.
Below are a few tips to avoid a HIPAA breach.
- If providing documentation to other health care providers or to individuals asking for their own records, review the documents before sending them to the receiving entity. Check that another patient’s information wasn’t inadvertently included, and make sure you include only the documentation for the person who should receive it.
- Passwords are your friend. Even though they can be an inconvenience, they protect PHI and ultimately protect you as a provider. Use a combination of different character types to make your password difficult to guess or crack. A password of eleven or more characters is a best practice.
- When walking away from your electronic documentation device, such as a laptop or tablet, lock the device to avoid unauthorized access.
- When discussing patient care, look at your surroundings. Check to see who is there and might hear your verbal communications.
- Never allow anyone who doesn’t need the PHI to obtain access to it.
What do you do if you receive PHI that doesn’t belong to you or that you shouldn’t have? Contact the sender immediately and inform them that you received PHI you should not have. Shred the documents immediately. If you receive them electronically (email or electronic fax), inform the sender immediately, delete the email from your inbox, and then delete it again from your ‘deleted/trash’ folder.