Over the past few days, social media has been ablaze with a firestorm of HIPAA violations alleged by tens of thousands of self-proclaimed “HIPPA” experts. The problem is that, like most information published on social media, people blindly believe and spread it if it aligns with their moral, ethical, religious, economic, or political ideologies. Because it relates to our health information, something very personal to each of us, HIPAA is the most improperly applied set of legal statutes in healthcare regulation.
So, I will offer a basic framework of understanding covering what I think you, the patient, need to know. I am going to do my best to leave out all the technical stuff and legalese. If you really want to read the actual Codified Federal Regulations that comprise the HIPAA Administrative Simplification Rules, you can find the text here…although I have no idea why you would want to do that. It’s 115 pages. Make lots of coffee first.
SPOILER: Not everything is a HIPAA violation. If you see people on Facebook or Twitter claiming a HIPAA violation, it is almost certainly not a HIPAA violation, especially if it regards an action taken by a government agency. Don’t share or retweet false information.
The law is titled the Health Insurance Portability and Accountability Act of 1996, or more popularly known as HIPAA…not HIPPA, HYPA, HIPPAA, HYPPO, HIPPO…you get the idea. The bulk of the law regulates health insurance and its portability, hence the name of the law, but we aren’t concerned with the portability section. We are concerned with the Administrative Simplification section, which establishes a national standard for the privacy and security of protected health information (PHI). This section includes regulations covering electronic transactions, the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Enforcement Rule. You, the patient, need to know the basics of how these rules apply to you – and how they don’t.
To Whom or What Does HIPAA Apply?
For some reason, people are not concise when answering this question. The law reads “Covered Entities” and their “Business Associates.” “Covered Entities” is nothing more than a fancy name for a category of businesses and people regulated by HIPAA. “Business Associates” are entities or individuals that perform a function on behalf of a Covered Entity that involves the disclosure of PHI. Answering this question with “Covered Entities” doesn’t tell anyone anything about who or what is regulated by HIPAA.
The actual answer to the question is any health care organization, health care provider, health plan, healthcare clearinghouse (a third-party system that interprets medical claim data between providers and payors), their business associates, and their workforces that collect, store, use, and transmit PHI.
What is the most important takeaway? The answer does not include you, the rest of the general public, any non-healthcare business or business that does not perform work on behalf of a healthcare business, journalists, TV talking heads, politicians, or anyone else. If you disclose health information to a family member or a friend, HIPAA does not prohibit that person from posting it on Facebook or offering it up in a prayer request in front of 1,000 churchgoers. HIPAA does not prevent Walmart from asking you about your medical condition. If a Walmart greeter does ask you, HIPAA is not the applicable law that protects you from having to disclose it. Why? Because your family, your friends, you, and the Walmart greeter are not subject to HIPAA.
How Can Covered Entities and Business Associates Use Your PHI?
HIPAA authorizes Covered Entities and their Business Associates to use and disclose to other HIPAA-regulated entities your PHI to treat you, get paid for providing services to you, or for “healthcare operations,” which is a pretty broad spectrum. Pretty much anything inside a healthcare organization can be categorized as “healthcare operations,” which is the point.
HIPAA also permits disclosures to public health authorities legally authorized to receive and use your health information to prevent or control disease, injury, or disability. It permits disclosures to law enforcement or as part of a legal discovery process. It requires disclosure in cases of suspected abuse or neglect. Covered Entities and Business Associates do not need your permission to use or disclose your PHI for any of these purposes.
Note: HIPAA privacy rules regulating disclosures to public health authorities for general public health activities permit the CDC and HHS, among many other agencies, to receive and use your health data. This has been a subject of great interest of late.
HIPAA outlines how your PHI may be de-identified, meaning that it cannot be used to identify you. If your information is appropriately de-identified, HIPAA no longer applies and that de-identified data can be published anywhere.
HIPAA requires that anyone accessing your PHI must only access the minimum amount of information necessary to perform the required task. Even if someone is legally required to access your medical records, it does not give that person free rein to access your entire medical history. Some records have special legal protections, such as mental health, substance abuse, sexually transmitted infections, reproductive matters, genetic information, and adolescents.
Your Opportunity to Object
HIPAA permits a provider to use professional judgment when disclosing your health information to friends and family if you are incapacitated or involved in an emergency. HIPAA includes a “Friends & Family” exception. A facility may list your name, location, and general condition in a facility directory. HIPAA allows you to object to each of these three permitted disclosures, but you must do so in advance.
How Can Covered Entities and Business Associates NOT Use Your PHI?
Covered Entities and Business Associates may not sell your PHI without your written authorization. Covered Entities and Business Associates may not disclose your PHI for research or marketing without your written permission.
A hospital or medical practice cannot allow a news crew to film you under care as a patient or post anything about you on social media without your written consent. If you see your doctor, hospital, or someone they employ post content on social media and you can identify the individual that person is referencing, whether it is you or someone you know, it is very likely a violation, even if it does not include a name. A quick internet search of “social media HIPAA violations” will provide hundreds of examples.
The Security Rule
I am not going to dive deep into the Security Rule. It contains Physical, Administrative, and Technical Safeguards that describe controls designed to protect your PHI. They include policies and procedures, cybersecurity protection, auditing requirements, physical security, software access controls, and many others.
The Breach Notification Rule
The Breach Notification Rule requires varying types of notifications to the Office of Civil Rights (the agency responsible for HIPAA enforcement) and the patient in the event of a security breach of your PHI. If a security breach involves more than 500 patients, the Office of Civil Rights will post it on what we lovingly call the “Wall of Shame.” Check it out here. See if a physician’s office, dental office, hospital, or health insurance company that you use is listed. As a healthcare business, this list is not where you want to be. Pay particularly close attention to the types of breaches and the numbers of individuals affected. You can sort by state.
The Enforcement Rule
The Enforcement Rule outlines investigative mechanisms, including individual complaints, audits, investigations, and penalties for a HIPAA violation. There are both civil and criminal penalties. It is important to note that there is no private cause of action for a HIPAA violation. That means that you, the patient, cannot file a lawsuit against a Covered Entity or a Business Associate for a HIPAA violation. However, it is possible to take legal action for violations of similar state laws.
As you have likely noticed, if you have read this far, except for your limited opportunity to object to a few types of disclosures, none of the regulations above actually apply to you or the individual exercise of your right to privacy. They outline requirements that Covered Entities and Business Associates must do as part of their duty of confidentiality. They apply to your PHI and measures that Covered Entities and their Business Associates must take to protect your right to privacy. So, what rights does HIPAA grant that you, the patient, may exercise?
You have a right to access your record. Many rules regulate how and when you may access them. You have the right to direct your PHI to another person or entity, such as another physician or hospital. Your right to direct disclosure is different than permitting disclosure. Directing disclosure requires the Covered Entity to make the disclosure. A HIPAA Authorization does not compel the Covered Entity to make it. There are some limited scenarios in which a provider may deny you access.
This one gets a little dicey. You have a right to request modifications be made to your record, but your rights are limited. There is a process by which a Covered Entity must respond to your request. Your provider may deny your request for several reasons, one example being if the Covered Entity believes that the record is accurate and complete. If your provider denies your request, you must be provided with a written denial that contains the basis for the denial. If you ever find yourself in a situation where you wish to request an amendment, I encourage you to seek competent assistance.
You have the right to request restrictions for use and disclosure of your health information, but your right is limited again. A Covered Entity may refuse to restrict uses and disclosures or may agree only to certain aspects of your request if the restrictions could negatively affect patient care. If you pay cash for a service, a Covered Entity must grant a request not to notify your health insurance company.
Accounting of Disclosures
You have the right to receive a listing of all disclosures of your health information that includes what was disclosed and to whom. Again, this right is limited. Covered Entities are only required to include on the list disclosures that were not made for treatment, payment, or healthcare operations.
You made it to the end and should have a better understanding of how HIPAA applies to you and your PHI. HIPAA is a law that issues many privacy and security requirements for healthcare organizations and businesses working with them. Many parts of the law are complicated and technical.
Evaluating the law in situations where an individual or business may have disclosed PHI without authorization in a manner that violates the Privacy Rule can be a challenge. Is it a HIPAA violation, or isn’t it? You have a right to privacy, and HIPAA regulates how your health care provider may use your PHI while protecting your right.
I regularly advocate that the greatest threat to healthcare businesses is cybersecurity attacks designed to access your PHI. Your Social Security Number, which is undoubtedly already for sale on the dark web, has a black market value of about $4. Compromised bank accounts with a $10,000 balance are valued at around $25. You can purchase a stolen Credit Card with a $1,000-$5,000 balance for about $10. So, how much is your medical record worth to thieves? Patient medical records sell for $1,000 on the dark web. This means that your health information is a high-value target, and healthcare businesses are under constant cyberattack.
One thing you can be sure…you, your friends, your family, and all the social media warriors out there – patients and members of the general public – cannot violate HIPAA unless you are employed by a Covered Entity or a Business Associate. And unless your business is a Covered Entity or Business Associate, neither can it.