We frequently get questions about whether or not an event is a HIPAA violation. Some of the events are hazy, others are clear-cut. We received an email from a nurse last week with a question. She received a postcard inviting her to a weight-loss clinic and get a $25 deduction even though she was not a previous user of their services.
We called her and discussed her concern. The nurse indicated she didn’t have a serious weight problem. The postcard was sent to her office where other people could see it and she was embarrassed. She said to me, “I’ve been trained on HIPAA and I think this is a clear-cut example of a breach.”
Although we’re not lawyers, we agree. First, she never signed any agreement that the weight-loss clinic could send marketing materials to her. Second, PHI was on a postcard addressed to her so anyone who sorted the mail could read the information.
Increasingly small businesses such as this weight-loss clinic are going to be scrutinized for their actions. More and more businesses that see or generate PHI such as rehabilitation clinics, group foster homes, long-term care facilities, social workers, accountants and shredding companies realize that they need to be HIPAA compliant.
One of the largest groups that must be compliant are employers who provide health benefits to employees and see Protected Health Information. If one of these organizations improperly releases information, the loss of trust will translate into a loss of clients and business.
Filing a Complaint
When an individual feels their Protected Health Information has been breached, they can file a complaint with the company, through HHS (HIPAA Complaint Portal Assistant and 1-800-368-1019). In several states, individuals can file with the State Attorney General Office, and we’ve seen in some states that protection of PHI is considered a standard of care, so patients are suing under malpractice laws. Although the fines and penalties are not currently shared with the individual, this may soon be available which will result in a feeding frenzy in the legal community.
How do you prepare your staff so that violations of HIPAA like the one affecting the nurse, do not occur? Training your staff on the HIPAA law and on your organization’s unique policies and procedures is part of the HIPAA compliance process. Also, you are required to complete a risk assessment, and then convert the information captured in the risk assessment into privacy and security policies and procedures.
If you do it yourself, completing required documents takes between 40 and 60 hours. The question then is, did you capture all the required information and have you determined that your file sharing, email encryption, firewalls and virus checker are truly HIPAA compliant. Are these solutions the easiest to use and most cost-effective choices for your organization? Many times, companies say they are HIPAA compliant, but they have no documentation to back up the claim.
If you fit any of these groups: health insurance agent/broker, an employer offering health benefits to your employees, or business associate that can access health information about a client (shredding company, IT vendor, or accountant), find out if you need to be HIPAA compliant. This short survey will help you determine if you need to take action: *
*(Healthcare providers and dental practices should already be aware of their responsibility to implement HIPAA.)