Will HIPAA put Doctors in the (Big) House?
It's a real safe bet a few pooh-poohing scofflaw doctors and hospital staffers will be heading to court, or worse, now that HIPAA (the Health Insurance Portability and Accountability Act) opens its Tyrannosaurus-sized denture for enforcement.
Medical industry players who now ignore the law become subject to both civil and criminal penalties for breaching patient security and privacy.
What that means is this. Hospital administrators, physicians, nurses, pharmacists, and dozens of other med-folks can be given all-expenses-paid trips to the big house in extreme cases, or minimally, a prolonged excursion to the poor house if they are foolish enough to believe that HIPAA isn't actually the Trial Attorneys' Relief Act.
What's a breach of privacy under HIPAA? Well for one, it's no longer confined to traditional medical conditions like pregnancy, disease or injury. In fact, just about anything, it seems, is now considered private.
Try, in the extreme, name and address on for size. No kidding. It doesn't matter that the same information can be found in dozens of public records, like telephone directories and county recorders' offices. Release it as part of a medical record, and you are in violation. Where's the first place to look to see if your healthcare provider is in compliance? Sign-in sheets at the front desk will soon be as rare as silver dollars.
Try birth dates. That's right. Birthdays. Can you remember back in mid-2003 when your kindly orthodontist used to mail birthday greetings on postcards to the kiddies? Not anymore, that is, if Doc Smiley is HIPAA-smart. The improper release of birth dates can be interpreted as a privacy violation by both regulators and, more alarmingly, by opportunistic members of America's many litigious persuasions.
Try photographs. The long-cherished practice of obstetricians building and posting photographic chronicles of newborns in their office lobbies is soon subject to interpretation as an illegal act. No longer can we witness Babe Ruth grow up to become, uh, Babe Ruth.
Ridiculous? Of course it is, but it's also true. Basically, any individually identifiable information released (verbally, in writing or transmitted, and oh yes, voice mail and answering machine messages are prohibited, too) without the patient's consent is prohibited and considered a breach of privacy. This includes, but is not limited to, work status, employer's name, relatives' names, fax numbers, social security numbers, vehicles, health plan IDs, email addresses, and license numbers.
Now that we've covered the easy part of the Act, privacy, let's examine the thorny issue of security. The fluff-o-meter soars off the scale with this example of regulatory obfuscation, as clarified by one expert on your legal obligations: "reasonable and appropriate administrative, technical, and physical safeguards." E-gad! Who do we see about narrowing down those infinitely nonspecific requirements?
Here're a few exemplary translations:
When your computer system is hacked because you failed to upgrade your firewall (from ver. 9.04dbc to ver. 9.04dbd), and 3,000 patient records are accessed, is that a problem? Yes. Big time. You didn't safeguard.
And when some eagle-eyed snooper peers over the counter and sees patient records on an unattended monitor, is that a problem? You bet. How about if the monitor is attended? Worse. Failure to safeguard squared.
Or, when someone in the practice or hospital decides to recycle old medical records instead of destroying them because it saves money? Yes, you have a problem, and potentially, one of the most damaging if sensitive information is released.
Here's why. Think attorneys, and their business of suing anyone without an alibi; in this case, an alibi is defined as possessing a Certificate of Destruction. Because the medical community shares so much common information, if one party mishandles medical documents, everyone identified with the chain of possession who lacks an alibi potentially becomes a suspect. The Certificate of Destruction is your garlic, your Dracula-neutralizing silver bullet.
Secondly, it's not only a violation of the law to improperly release individually identifiable information, but healthcare professionals are also required to anticipate and protect against potential risks to the records. In fact, failure to reasonably anticipate risks itself can be interpreted as a violation of the law.
Under this standard, even though it's not expressly prohibited, recycling to save money is a de facto violation of HIPAA because the act of recycling creates an inherent risk to patient privacy: unauthorized parties (recycling center paper sorters and paper mill workers) unavoidably access or view individually identifiable records.
Recycling sensitive medical documents in lieu of shredding is the prosecutorial equivalent of unprotected casual sex, that is, slow-motion suicide.
13 Common Misconceptions Regarding HIPAA.
Okay, Doctors et al, so maybe you're still not convinced. Consider experiencing the following legal colonoscopy, sans anesthetic:
The maximum fines and penalties for failure to comply with the law are $250,000 and 10 years imprisonment. This of course doesn't take into consideration the additional civil judgments and penalties that surely follow a criminal conviction.
What's the best way to avoid a problem with the HIPAA police? Release nothing without a release, employ a certified contractor and shred everything as soon as permitted, get incontrovertible proof, and make sure the world knows it.
Prescription: Take two aspirin, and call your shredder tomorrow morning.