I violated HIPAA. Now what?

Dr. Doe has a 25-year-old dermatology practice in a quiet suburban area. Although he loves practicing dermatology, he finds himself overwhelmed with government regulation. HIPAA, EMR, meaningful use, ACA - he does not know where to begin.

One year ago, his practice administrator received a request for medical records from a female patient seemingly on behalf of her husband who was also a patient in the practice. What the administrator did not realize is the husband had not authorized release of the records that contained documentation of his several sexually transmitted diseases. What the administrator also did not know was the couple was in the process of a bitter matrimonial dispute.

Related E-Book | What if you had a HIPAA incident tomorrow?

The wife gave the records to her divorce attorney, who submitted them to the court as proof of the husband’s infidelity. The husband filed suit against Dr. Doe for a HIPAA violation - he never would have authorized release of his medical records to his estranged wife. Dr. Doe knows that this is a HIPAA violation and is now frightened about the consequences of this act. Should he be?

HIPAA’s impact widespread

The Affordable Care Act (ACA), or “Obamacare,” gets most of the front-page headlines in healthcare right now. However, an earlier and perhaps equally sweeping piece of healthcare legislation still consumes much of the healthcare industry’s time and concern behind the scenes. The Health Insurance Portability and Accountability Act (HIPAA) can be felt in almost every corner of the healthcare industry.

Like Obamacare, HIPAA covers a great deal of legislative and regulatory ground, and both cause significant confusion and anxiety for healthcare professionals. In HIPAA’s case, however, only one small part of the original law in particular is responsible for this frustration.

HIPAA’s Administrative Simplification Rules turned out to be one of the most important parts of the law’s legal legacy. The Simplification Rules now dominate how each and every patient experiences healthcare. Whether they realize it or not, almost every person who receives care in this country sees some version of a HIPAA authorization stating their rights under the statute and the terms on which their personal health information (PHI) can be disclosed. Healthcare providers who transmit any health information electronically are termed “covered entities” (CEs).

The Privacy Rule of HIPAA sets out the terms on which health information may be transferred and disclosed without any additional or special consent from the individual, and what rights the individual has regarding their health information. The Privacy Rule is structured such that consent from the individual is always required to use or disclose an individual’s PHI, but most of the routine uses of PHI in the healthcare industry, such as treatment or payment activities, are exempted from the authorization requirement. Disclosure of medical records to others is generally not exempt.

What are the consequences?

Besides being required to get the individual’s consent, CEs must, upon request, allow individuals to amend their PHI records, provide them with an accounting of all the disclosures of their PHI, and provide them a full copy of their PHI records. These terms may seem like innocuous services that should be provided as a common sense courtesy to the individual, but come to form the meat and potatoes of the Simplification Rules. They control how and when information can flow.

The big question in today’s healthcare industry is how this law affects actual practice. The amount of actual enforcement of the Simplification Rules under the original Enforcement Rule was not significant. It has been hard for CEs to take HIPAA seriously when they saw what the statistics showed.

From July 2003 - when the complaints system was set up - to Aug. 31, 2007, there were a total of 29,994 submitted complaints. Over those four years and almost 30,000 complaints, however, there were no civil fines whatsoever levied for a violation of HIPAA. It seemed clear that CEs and others affected by HIPAA had little to fear from the Privacy Rule or other Simplification Rules based on these numbers. However, the Department of Justice has had slightly more luck in enforcing the criminal (non-civil) aspects of HIPAA. Yet by 2006, there were only three HIPAA criminal cases against individuals.

Dr. Doe’s staff seems to have clearly committed a HIPAA violation. However, the consequences, in reality, may lead to nothing.