Will HIPAA put Doctor's in the (Big) House?

It's a real safe bet a few pooh-poohing scofflaw doctors and hospital staffers will be heading to court, or worse, now that the HIPAA (the Health Insurance Portability and Accountability Act) opens its Tyrannosaurus - sized denture for enforcement.

Medical industry players who now ignore the law become subject to both civil and criminal penalties for breaching patient security and privacy.

What that means is this. Hospital administrators, physicians, nurses, pharmacists, and dozens of other med-folks can be given all expense paid trips to the big house in extreme cases, or minimally, a prolonged excursion to the poor house if foolish enough to believe that HIPAA isn't actually the Trial Attorneys' Relief Act.

What's a breach of privacy under HIPAA? Well for one, it's no longer confined to traditional medical conditions like pregnancy, disease or injury. In fact, just about anything, it seems, is now considered private.

Try in the extreme, name n' address on for size. No kidding. It doesn't matter that the same information can be found in dozens of public records, like telephone directories and county recorder's offices. Release it as part of a medical record, and you are in violation. Where's the first place to look to see if your healthcare provider is in compliance? Sign-in sheets at the front desk will soon be as rare as silver dollars.

Try birth dates . That's right. Birthdays. Can you remember back in mid-2003 when your kindly orthodontist used to mail birthday greetings on postcards to the kiddies? Not anymore, that is, if Doc Smiley is HIPAA-smart. The improper release of birth dates can be interpreted as a privacy violation by both regulators, and more alarmingly, by opportunistic members of America 's many litigious persuasions.

Try photographs? The long-cherished practice of obstetricians building and posting the photographic chronicles of newborns in their office lobbies is soon subject to interpretation as an illegal act. No longer can we witness Babe Ruth grow up to become, uh, Babe Ruth.

Ridiculous? Of course it is, but it's also true. Basically, any individually identifiable information released (verbally, in writing or transmitted, and oh yes voice mail and answering machine messages are prohibited, too) without the patient's consent is prohibited and considered a breach of privacy. This includes, but is not limited to, work status, employer's name, relatives' names, FAX numbers, social security numbers, vehicles, health plan IDs, email addresses, and license numbers.

Now that we've covered the easy part of the Actprivacylet's examine the thorny issue of security. The fluff-o-meter soars off the scale with this example of regulatory obfuscation as clarified by one expert on your legal obligations: reasonable and appropriate administrative, technical, and physical safeguards. E-gad! Who do we see about narrowing down those infinitely nonspecific requirements?

Here're a few exemplary translations:

When your computer system is hacked because you failed to upgrade your firewall (from ver.9.04dbc to ver.9.04dbd), and 3,000 patient records are accessed, is that a problem? Yes. Big time. You didn't safeguard.

And when some eagle-eyed snooper peers over the counter and sees patient records on an unattended monitor, is that a problem? You bet. How about if the monitor is attended? Worse. Failure to safeguard squared.

Or, when someone in the practice or hospital decides to recycle old medical records instead of destroying them because it saves money? Yes, you have a problem, and potentially, one of the most damaging if sensitive information is released.

Here's why. Think attorneys, and their business of suing anyone without an alibi, which in this case, an alibi is defined as possessing a Certificate of Destruction. Because the medical community shares so much common information, if one party mishandles medical documents, everyone identified with the chain of possession without an alibi potentially becomes a suspect. The Certificate of Destruction is your garlic, your Dracula-neutralizing silver bullet.

Secondly, it's not only a violation of the law to improperly release individually identifiable information, but healthcare professionals are also required to anticipate and protect against potential risks to the records. In fact, failure to reasonably anticipate risks itself can be interpreted as a violation of the law.

Under this standard, even though it's not prohibited, recycling to save money is a de facto violation of HIPAA because the act of recycling creates an inherent risk to patient privacy, since unauthorized parties (recycle center paper sorters and paper mill workers) unavoidably access or view individually identifiable records.

Recycling sensitive medical documents in lieu of shredding is the prosecutorial equivalent of unprotected casual sex, that is, slow-motion suicide.

13 Common Misconceptions Regarding HIPAA.

• State laws always supercede contrary provisions in HIPAA. Fact: State laws only supercede HIPAA when a state's statutes are stiffer.
• Hospitals and insurance companies are exempt from HIPAA . Fact: With extremely few exceptions, all hospitals, health plan administrators, clearinghouses, service providers, and all medical professionals are subject to HIPAA .
• HIPAA regulates only electronically transmitted data. Fact: HIPAA applies to all forms of communication: written, verbal and any form of electronic transmission
• Under HIPAA, the unintentional or accidental release of data cannot be treated as a criminal act. Fact: Like any accident, the degree of negligence assigned to the act, as well as the defendant's intent determine whether criminal or civil penalties apply.
• Information stored in archives by third parties is exempt. Fact: The use of third party bailment agents does not relieve or exempt the responsible parties from their HIPAA duties and obligations.
• Not all practicing physicians are subject to HIPPA . Fact: All practicing physicians are subject to some degree to HIPAA oversight.
• Dentists, optometrists, nurses, and pharmacists are exempted from HIPAA regulation. Fact: All healthcare professionals who handle or create patient records are subject to HIPAA and other privacy statutes.
• Recycling is an acceptable form of disposal under HIPAA. Fact: The practice of recycling medical records creates an anticipatable risk to both patient privacy and security, and is therefore a potential violation of HIPAA.
• In-house shredding programs prevent HIPAA related compliance issues from arising. Fact. In-house shredding programs potentially create more HIPAA concerns than they resolve, because document destruction cannot be independently certified, and because proper security protocol is rarely practiced.
• HIPAA rules do not pertain to healthcare clearinghouses. Fact: All such non-medical institutions serving the medical industry are subject to HIPAA.
• Verbal release of patient information is not a HIPAA violation. Fact: Unless authorized, verbal communication of medical information is subject to HIPAA, as is all written and transmitted data.
• If improperly released information is not exploited, there is no violation of the law. Fact: Improper release is in itself a violation of HIPAA. The act of failing to take reasonable care in protecting individually identifiable health information is likewise a violation.


• The release of individually identifiable information already in the public domain is not a HIPAA violation. Fact: The release of a patient's most innocuous and publicly available individually identifiable information by a medical professional such as a license number or address can be interpreted as a violation of HIPAA.

Okay, Doctors et al, so maybe you're still not convinced. Consider experiencing the following legal colonoscopy, sans anesthetic:

The maximum fines and penalties for failure to comply with the law is $250,000 and 10 years imprisonment. This of course doesn't take into consideration the additional civil judgments and penalties that surely follow a criminal conviction.

What's the best way to avoid a problem with the HIPAA police? Release nothing without a release, employ a certified contractor and shred everything as soon as permitted, get incontrovertible proof, and make sure the world knows it.

Prescription: Take two aspirin, and call your shredder tomorrow morning.