Confidentiality of healthcare information is a matter of trust, the all-important link between patient and doctor. Health data is private, personal information, just like financial data. A breach of healthcare privacy can result in stigma, embarrassment, and discrimination, and healthcare records are a favored target of cyberattacks because they typically contain data with monetary value (identities, insurance details, payment information).
HIPAA exists to protect patients, and the institutions that hold their records, from disclosure of sensitive health information without the patient's authorization.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, a federal law that establishes national standards for safeguarding health information. The updates discussed for 2023 modify the Privacy Rule (most of them through a proposed rule that has not yet been finalized) and adjust the penalties for violations.
The Privacy Rule regulates the use and disclosure of individuals' health information, called protected health information (PHI), by covered entities (CEs) and their business associates. The Security Rule specifies administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
HIPAA Violations
Five of the most commonly recurring violations are:
- A lost or stolen phone, tablet, or laptop holding unencrypted ePHI. If the data had been encrypted in line with HHS guidance, and the key was not compromised, the loss would generally not count as a breach of unsecured PHI.
- Lack of regular employee training in HIPAA compliance.
- Breaches of ePHI (for example, a compromised database) combined with failure to notify the affected individuals, which the Breach Notification Rule requires without unreasonable delay and no later than 60 days after discovery.
- Denying or delaying patients' access to their health records. The current limit is 30 days (with one 30-day extension); the proposed Privacy Rule update would cut it to 15 days.
- Carelessly discussing patient information, for example in hallways, waiting rooms, or elevators.
The HIPAA Journal spells out the most common infractions with examples of settlements for several hundred thousand or millions of dollars.
HIPAA Changes in 2022 and 2023
HIPAA updates keep coming, and keeping up can seem overwhelming, but it is well worth thoroughly studying the changes slated for 2023 and preparing to comply with them. Your organization will avoid violations and simplify some processes, especially medical record retrieval.
Key Changes
The Privacy and Security Rule updates strengthen individuals' right to access their PHI while adding safeguards for its privacy.
More Direct and Timely Patient Access to Electronic Health Records (EHRs) or PHI
A new section of the Privacy Rule expressly gives individuals the right to inspect their PHI in person, to take notes or photographs of it, and to direct an electronic copy to a third party, and it limits any charge for a copy to a reasonable, cost-based fee. The section matters most when records are needed quickly for legal proceedings or for treatment at another healthcare facility. The proposed rule would reduce a healthcare provider's maximum response time from 30 days to 15 days.
A written request may still be required to access PHI, but the healthcare provider cannot impose unreasonable measures that delay access, such as demanding notarization or accepting only in-person requests.
Specifications for Protection from Disclosure
Patients now have easier access to their own PHI, but the regulations (most of these provisions date from the 2013 Omnibus Rule) still protect patient and healthcare provider from unauthorized disclosure by:
- Restricting disclosures of PHI to a health plan when the patient has paid for the service out of pocket in full and requests the restriction;
- Requiring business associates of HIPAA-covered organizations to follow most of the same rules as the covered entities;
- Establishing further limitations on the use and disclosure of PHI for marketing and fundraising;
- Prohibiting the sale of PHI without the patient's authorization; and
- Raising security standards for electronic communications that carry ePHI.
Increased Penalties for Civil Violations
Many HIPAA violations are resolved through guidance, technical assistance, and/or a corrective action plan. When they are not, the penalties can be substantial.
HIPAA stipulates four tiers of civil violations that reflect increasing levels of culpability, each with a minimum and maximum penalty per violation (amounts shown are the 2022 inflation-adjusted figures) and an annual cap of $1,919,173 per type of violation:
- Tier 1, lack of knowledge: $127 up to $63,973 per violation.
- Tier 2, reasonable cause and not willful neglect: $1,280 up to $63,973 per violation.
- Tier 3, willful neglect, corrected within 30 days: $12,794 up to $63,973 per violation.
- Tier 4, willful neglect, not corrected within 30 days: $63,973 up to $1,919,173 per violation.
Because each affected record or each day of non-compliance can count as a separate violation, these fines can add up to crippling amounts for an organization. Individuals who knowingly obtain or disclose PHI in violation of HIPAA can also face criminal penalties of up to 10 years in prison, depending on intent (the longest terms apply to disclosure for commercial advantage or malicious harm).
How to Avoid HIPAA Violations and Penalties or Criminal Liability?
Here are a few do's and don'ts to ensure your organization is HIPAA compliant.
Do's
- Conduct regular internal HIPAA audits and risk analyses. Spot and correct potential violations before penalties occur; the longer a problem exists uncorrected, the higher the tier and the fine.
- Provide regular HIPAA training to employees so they are fully alert to the rules on PHI use and disclosure.
- Create a clear set of HIPAA policies and procedures, including a HIPAA compliance checklist, and make them available to all employees.
- Designate a Privacy Officer (required by the Privacy Rule) and a Security Officer (required by the Security Rule) to handle complaints, oversee safeguards, and provide information on data privacy procedures.
Don'ts
- Disclose passwords or share login credentials; every access to ePHI must be traceable to one individual.
- Leave portable devices or paper documents unattended.
- Access patient records out of curiosity; only access what your role requires.
- Dispose of paper PHI in the general trash; shred it.
- Share ePHI on any social media.
Training, Vital to HIPAA Compliance
With such complex, ongoing, and legally binding modifications, regular training for all healthcare personnel is crucial to HIPAA compliance. HIPAA applies to hospitals, clinics, nursing homes, pharmacies, and all other healthcare centers, as well as to their business associates. Many well-known, reliable training options are available, including:
- HIPAA Academy, which targets large-scale healthcare organizations;
- the HIPAA Exams training program;
- the HIPAA Associates program for team training and plans;
- HIPAATraining.com, which specializes in training for individuals and small to mid-sized businesses; and
- Compliance Junction, which offers free training.
The Nursa Team follows the challenges of HIPAA compliance in 2023 and will continue to keep you updated.