HIPAA Requirements – Surviving the Blitz

Posted on 1 August 2012 by Ironcomet @Ironcomet


I’ve worked in many healthcare facilities and must admit to seeing and overhearing some blatant violations of HIPAA requirements. Some breaches were simple ignorance of the regulations, while others were just plain dumb. There are some easy solutions to possible leaks in small practices. If the patient information you store is improperly accessed or breached, the penalties are quite substantial.

The monumental rise of EMRs (Electronic Medical Records) has led us to advise our customers to implement data encryption technology. Protected health information (PHI) that is secured using encryption falls under the safe harbor provision, which exempts it from breach notification requirements.

Since 1996, HIPAA requirements have grown substantially and now include actions against violators and enforcement methods. Some violations are unintended actions by healthcare providers, while others are intentional and malicious in nature. This article will give you an overview of HIPAA requirements, protected health information (PHI), and the potential consequences of HIPAA violations.


PHI is any data about a patient that would tend to identify that person, including Social Security number, name, address, date of birth, diagnosis, test results, and account number. Patients’ PHI rights include:

  1. Receive notice of an agency’s privacy practices.
  2. Know how an agency will use their PHI for treatment, payment, operations, etc.
  3. Consent to and control the use and disclosure of their PHI.
  4. Access their PHI, except for psychotherapy notes.
  5. Receive an accounting of disclosures for the prior 6 years.
  6. File privacy complaints with an agency privacy officer.

HIPAA requirements cover all forms of communication used in a healthcare facility, such as computer screens, patient orders, laboratory slips, medication records, and faxes. The laws restrict the sharing of PHI: it cannot be released to individuals or companies interested in marketing ventures without the patient’s permission. PHI should be shared with as few people as needed to ensure patient care, and with each person only to the extent required to fulfill that person’s role in the patient’s treatment.

Typical HIPAA Requirements Violations

There are two types of violations: negligent and purposeful.

Negligent HIPAA requirements violations include:

  1. Improper disposal of PHI.
  2. Faxing information to an incorrect number.
  3. Leaving detailed PHI on an answering machine.
  4. Exposing provider information systems to malicious code when connecting to the Internet from outside the system.

Purposeful HIPAA requirements violations include:

  1. Accessing or using PHI without having a legitimate need to do so.
  2. Allowing another employee to use any system via your password.
  3. Disclosing PHI to an unauthorized individual.
  4. Selling PHI to any source.
  5. Failing to secure confidential information.
  6. Deliberately compromising electronic record security measures.

There have been numerous high-profile breaches in the past few years that you might remember involving celebrity cases. The records of Tammy Wynette and Farrah Fawcett were viewed and sold to the media. In 2010, a court sentenced Huping Zhou, a former researcher at the UCLA School of Medicine, to prison for accessing high-profile patient files more than 300 times; these included the records of Barbara Walters, Sharon Osbourne, and Leonardo DiCaprio. An unintentional breach in Florida occurred when the program director of a healthcare facility allowed an unauthorized employee to enter an area where PHI “could have been viewed.” Under HIPAA requirements, the potential for such a disclosure can constitute a violation, even when no PHI is actually communicated.

Privacy and Social Media

The growth of online social media is another hotspot of problems. The potential pitfall for providers is that they can’t always verify that the person they are dealing with online is in fact the patient. Posting pictures can be hazardous as well. Many of these violations are innocent but can still put healthcare professionals at risk.

Legal disclaimer: The information herein should not be considered legal advice. Instead, it is a summary of laws and rules. Refer to your attorney to determine how these laws and rules apply to your organization.
