Patient confidentiality is something every healthcare provider in the country must uphold, but circumstances change, and sometimes a patient is unable to confirm or deny a request to share information that could save their life. Healthcare has many ethical lines to walk, and HIPAA violations are among the hardest to navigate.
Here is a look at HIPAA, and some examples of when doctors may break patient confidentiality rules.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, established national standards for keeping patient health information private unless the patient consents to its being shared. Some health information is embarrassing to the people it describes, but an even stronger reason for the law was that hospitals and other healthcare facilities were selling this information for profit.
One of the most repeated terms in the HIPAA text is “PHI”, which stands for protected health information (not “personal” health information, as it is often misread). The Act ensures that an individual’s health information is shared only on a “need-to-know” basis, and never for profit. If public safety is in jeopardy and someone’s PHI could help protect others, it may be shared, but even in extreme cases the law still forbids disclosing anything that isn’t relevant to the public-safety concern or to one of the other exceptions discussed later in this article. HIPAA violations committed for non-essential reasons are taken very seriously.
HIPAA penalties fall into a tiered system with increasing severity for repeated infractions; the amounts for a first infraction reflect an “everyone makes a mistake” attitude, but they become very serious when violations recur. HIPAA violations are discussed in the media frequently, but as with many TV reports they are often sensationalized; it is rare for an infraction to be deemed deliberate rather than “unintentional”, the usual case in which simply too much information was shared.
Here is a look at the tier system for HIPAA violations:
- Tier 1: A violation the covered entity was unaware of and could not realistically have avoided, even had it taken reasonable care to abide by the HIPAA Rules
- Tier 2: A violation the covered entity knew of, or by exercising reasonable diligence would have known of, but that does not rise to willful neglect of the HIPAA Rules
- Tier 3: A violation resulting directly from “willful neglect” of the HIPAA Rules, where the violation was corrected within 30 days of discovery
- Tier 4: A violation constituting willful neglect of the HIPAA Rules, where no attempt was made to correct it within that time
Minimum penalties per violation are $100 for Tier 1, and $1,000, $10,000 and $50,000 for Tiers 2, 3 and 4, respectively (the original statutory figures, since adjusted for inflation). Each tier also carries a per-violation maximum and an annual cap, so the total for a repeated violation can run far higher than these minimums.
‘Covered Entities’ and Other Exceptions
Covered entities, as mentioned in the tier rules above, are the organizations and individuals to whom HIPAA’s rules and penalties apply (in other words, if you disclose your own health information to a friend and they tell someone, the friend isn’t subject to the fines above).
- Healthcare Providers – Everyone who provides care to a patient is responsible for keeping that patient’s information private and is liable if they do not.
- Health Plans – Information needs to be shared with health plans and insurers so that care can be reimbursed, but if information leaks out of this “need-to-know” chain, the responsible party is liable.
- Healthcare Clearinghouses – Clearinghouses process claims and billing data between providers and payers, so there are times when they need the information to bill correctly, but anything shared outside that scope can be deemed an infraction.
- Business Associates – Any vendor or contractor that creates, receives, stores or transmits PHI on a covered entity’s behalf (a billing service, a records-storage or cloud provider, a law firm handling claims, and so on). A business associate is directly responsible for securing that information, and the covered entity must have a written business associate agreement in place before sharing PHI with it.
Covered entities in the healthcare sector are generally well-versed in HIPAA rules and regulations, and their leadership teams make these laws a regular part of staff training. Business associates, however, especially small businesses that take on work involving PHI, aren’t always, and they are encouraged to educate themselves before any PHI is disclosed to them.