The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, was enacted to protect health information, increase oversight of transaction standards for the exchange of health information, and improve standards for security and privacy.
Ultimately, HIPAA regulation protects "protected health information" (PHI). PHI is defined as individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. The regulation applies to "covered entities": health plans, healthcare clearinghouses, and healthcare providers that transmit any health information in electronic form in connection with a standard transaction.
HIPAA defines health information as any data, whether oral or recorded in any form or medium, that is created or received by a provider or employer and relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
HIPAA's rules
As background, let's take a look at some of HIPAA's various rules.
The HIPAA Privacy Rule gives every patient the right to control their personal health records and makes each business and its employees responsible for keeping unauthorized persons from viewing patient files. These files are now created, stored, and shared orally, electronically, and on paper, so considerable effort is needed to keep them out of the wrong hands.
The HIPAA Security Rule applies specifically to electronic patient files and requires each covered entity -- which includes dentists -- to protect them from unauthorized access both in storage and in transit.
The HIPAA Breach Notification Rule requires all covered entities and business associates to give notification when a breach of unsecured protected health information has occurred.
The Patient Safety Rule protects identifiable information that is used to analyze patient safety events and improve patient safety.
Dentists who don't comply with these rules can be audited and penalized.
Types of HIPAA violations
There are two types of HIPAA violation: negligent and intentional.
Examples of negligent violations include the following:
- Disposing of sensitive information without destroying it.
- Connecting unapproved devices like flash drives to the secure network.
- Forgetting to log out of the electronic patient record.
- Faxing documents containing protected health information to the wrong number in error.
Intentional violations include the following:
- Snooping, which violates the minimum necessary standard. That standard dictates that protected health information should not be accessed or shared at all unless doing so is necessary to satisfy a particular function of care.
- Accessing PHI of any kind and sharing it in any way when it is not necessary to satisfy a particular function of care. According to a report from American Sentinel University, some healthcare facilities apply this standard so strictly that they consider it grounds for dismissal if a staff member looks at their own records or those of their child.
Common HIPAA myths
The following are some of the most prevalent myths surrounding HIPAA, especially for smaller practices.
No one will ever check to see if I am HIPAA-compliant.
Not anymore. In the past, a covered entity was only investigated if there was a complaint. Now there is an increased focus and scrutiny on compliance. Practices will be checked.
However, there is some good news: According to a recent HIPAA survey of about 1,000 healthcare practices, many leaders are beginning to take HIPAA into consideration. Among the 66% of respondents who were unaware of HIPAA audits:
- 35% said their business has conducted a HIPAA-required risk analysis.
- 34% of owners, managers, and practice administrators reported that they were "very confident" that their electronic devices containing PHI were HIPAA-compliant.
- 24% of managers, owners, and practice administrators at medical practices reported that they've evaluated all of their business associate agreements.
- 56% of office staff and (nonowner) care providers said they've received HIPAA training in the last year.
No one gets fines for HIPAA violations.
HIPAA now has teeth, and violations are being punished, primarily because of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The maximum civil penalty for HIPAA violations is now $1.5 million per year for violations of an identical provision. Consequences range from fines to employees being fired to closing an office and, for knowingly obtaining or disclosing PHI in violation of the rules, even potential jail time. Separately, a breach affecting 500 or more individuals must be reported to HHS within 60 days of discovery.
Texting patient information is OK; I never lose my phone.
Each year in the U.S., 30 million mobile phones are lost or stolen. A study by IT security company Symantec found that 89% of those who found a smartphone attempted to access the owner's personal information. Loss is also only part of the problem: standard text messages are not encrypted in transit and remain stored on the handset and with the carrier.
I don't need to be HIPAA-compliant because I have a very small practice.
A small physician's practice was issued a $100,000 fine in 2012 for not protecting health information. No matter the size of the practice, you will be held responsible for HIPAA violations.
Types of breaches
According to HHS' website, the top three compliance issues are impermissible uses and disclosures of PHI (a breach), lack of safeguards, and lack of patient access to records. The No. 1 type of breach is physical theft of the record, according to 2011 HHS data. Thus, it is important to ensure that the devices a dental office uses, such as USB flash drives, mobile devices, and laptops, are handled with care and securely stored to prevent theft of the device and the patient information on it. Encrypting the PHI on those devices matters as well: under HHS guidance, properly encrypted PHI that is lost or stolen is not "unsecured" PHI, so its loss does not trigger the Breach Notification Rule.
Additional breaches include unauthorized access (snooping) of the record, loss of the record, hacking, and improper disposal of the record.
In her next column, Benton will address the 10 most common HIPAA violations.
Lindy Benton is the CEO of MEA|NEA, a provider of electronic attachment, health information exchange, and secure cloud storage solutions for dental and medical practices.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.