October 11, 2019
Some may think that what they do to protect patient information may be a bit extreme. Others in specialty medical fields and research understand its importance a little more. Most of that importance lies in the information being protected. Every patient has a unique set of health information that must be shared with healthcare providers who are bound to comply with HIPAA. The people who handle this information must know how it should be protected, both when communicating with the patient and when exchanging information with other healthcare entities. Several definitions associated with HIPAA must be understood in order to comply with it.
Privacy describes how the information is used, stored, or collected from the individual. This information must be obtained with the approval of the patient or individual. Security runs parallel to privacy; it deals with the collection, storage, and modification of protected information with respect to electronic use. Privacy applies to information of any kind, including spoken, written, or electronic information, whereas security pertains only to what is done electronically. Confidentiality is a related term that stresses keeping the information private and ensuring that it is kept that way by the people authorized to access it.
There are a couple of reasons why we need to make privacy one of our highest priorities in healthcare. One of those is respect. When information is taken from someone, there is a level of trust associated with it. Some patients or individuals may be reluctant to provide this information or may give a limited amount due to distrust. The persons involved must have total confidence in each other that the information exchanged is truthful and accurate. If privacy is a high priority, there will be a more effective relationship and more trust. Autonomy is another benefit of HIPAA privacy. Individuals must feel that their medical rights and decisions are being honored. Finally, the consequences for covered entities that violate HIPAA are severe and include serious fines that max out at $1.5 million per year, per violation.
The Centers for Medicare and Medicaid Services (CMS) can enforce the Security Rule of HIPAA to protect their patients from harm. Unfortunately, the only people that this pertains to are covered entities - those who work with the patient directly to obtain their information. This excludes anyone working with the information on behalf of the covered entities, like an IT company or a vendor of electronic health record (EHR) systems.
For the covered entity, protecting HIPAA-covered information should be a number one priority. To do this effectively, there are steps that must be taken by the entity to minimize the possibility of even the smallest errors. The entity must choose a responsible person to act as their privacy and security officer. This person can act as both privacy officer and IT security officer, or the roles can be split between one person acting as privacy officer and another as the IT security officer. Each must accept accountability for protecting the information by performing various tasks.
The privacy officer oversees investigations, complaints, and sometimes disciplinary actions. The security officer ensures that electronically stored information is secure and being reviewed for any vulnerabilities. There must be a breach policy in place that clearly specifies the steps to be taken in the event of the protected information being compromised ("breached"). Constant monitoring and review along with detailed documentation are crucial in storing or using patient records. All healthcare workers play a role in the protection of health records and should understand the importance of HIPAA.
Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009.
This Week's Audit Tip Written By:
Kelly D. Ogle, BS, MS, CMPM®, CHOP®
Kelly is the Director of OSHA and HIPAA Services for DoctorsManagement.