HIPAA Privacy Standard

The HIPAA privacy standard establishes requirements for disclosing what the HIPAA privacy law calls Protected Health Information (PHI). PHI is any information on a patient about the status of their health, treatment, or payments. It can include name, social security number, address, birth date, insurance ID, telephone number, etc. This information is pretty broad and can be just about anything related to a patient’s medical history.

Authorization for Disclosure
Most protected information is necessary for providers and insurance companies to process a claim. Anyone requiring PHI is required to obtain the patient's authorization prior to disclosing any of this information. However, the HIPAA privacy standard does not require health care providers to get authorization to use patient information for submitting claims to insurance. Most providers play it safe and have patients sign an authorization to use this information for processing insurance claims, and let them know what their rights are regarding release of their health information.

Rights to Limit Disclosure
People have the right under HIPAA privacy laws to keep their information from being disclosed to others. When this individual information is disclosed, it must be treated confidentially by all who view or use this information. Patients have a right to request their information be corrected if they feel it is inaccurate.

For individuals who do restrict access to their PHI, it’s a good idea to get their signature on a consent form stating that they accept financial responsibility. This way, if an insurance claim is not paid because the payer cannot access the patient's information, the patient bears financial responsibility.

Penalties for Violation
Violating the HIPAA privacy standard can result in costly penalties. The penalties are:

  • $100 per violation on the person who commits the violation. This cannot exceed $25,000 per person per year for violation of one standard.
  • $50,000 and/or a maximum of one year in prison for anyone who knowingly obtains and releases protected information.
  • $100,000 and/or a maximum of 5 years in prison for anyone who deceitfully obtains information under false pretenses and releases this information.
  • $250,000 and a maximum of 10 years in prison for anyone who tries to sell protected information for profit or gain or for malicious intent.

What constitutes a violation? The Department of Health and Human Services says the health care provider must use appropriate administrative, technical, and security measures to protect health information. This could be interpreted in any number of ways; however, I think the intent is that the health care provider use common sense and make a concerted, defensible effort to protect a patient's information.

How does this affect communications with patients, such as sending out reminder postcards and leaving messages for patients?

Examples of HIPAA Privacy Violations
Here are some typical examples of HIPAA privacy standard breaches where patient information is compromised:

  • A patient sign-in sheet listing “reason for visit” visible to everyone.
  • Leaving a patient chart facing the hallway where it can be easily read when passing by.
  • The receptionist or office employees discussing a patient's information where other patients can hear, such as in the waiting room.
  • Leaving patient information in the open where it can be viewed by other patients or visitors passing through.
  • A computer screen with patient health information in an open, unsecured area of the doctor's office where passers-by can easily view it.
  • Giving out a patient’s health (or other personal) information to anyone without the consent of the patient. This does not apply to a physician consulting with another health care provider to administer health care in the interest of the patient.
  • Releasing patient information for marketing purposes.
  • Providing information to your employer without your authorization.

When Your Information Can Be Shared
Your health information can only be shared in a way that does not interfere with your health:

  • For payment of physicians, hospitals, and clinics for their services.
  • With your relatives, family, friends, or anyone else you identify that is involved with or paying for your health care – unless you specifically exclude them.
  • To protect public health such as outbreaks of epidemics or flu in your locality.
  • To ensure providers are administering adequate care in a clean environment, such as a nursing home.
  • In support of law enforcement investigations.

Complaints of Violation
If someone believes the HIPAA privacy law is not being followed, they can complain to the Department of Health and Human Services (DHHS) Office for Civil Rights. There are reports that DHHS has quite a backlog of complaints, and resolution may not be very prompt. Most complaints are reportedly resolved because no violations were found or the agency provided guidance to resolve the problem.

In summary, the HIPAA privacy law gives individuals more access to their medical records and more control over how this information is disclosed. The HIPAA privacy standard also establishes the responsibilities of providers and insurance companies when using PHI for treatment and payment of health care.
