
HIPAA Nursing CE Course

2.0 ANCC Contact Hours

About this course:

This module reviews the core components of HIPAA, the personal rights guaranteed under HIPAA, and the adherence responsibilities of health care providers.


HIPAA Basics for Health Care Providers



Upon completion of this activity, learners should be able to:

  • identify the core components of HIPAA and patient rights.
  • outline the Privacy, Security, and Breach Notification Rules and the procedures for using and disclosing patient health information.
  • discuss HIPAA adherence issues and challenges and the consequences of non-adherence.
  • review good privacy practices for organizations, agencies, and individual health care professionals.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that applies in all 50 states and U.S. territories. It mandates adherence to national regulatory standards to safeguard the privacy and security of all "individually identifiable health information." The Privacy Rule calls this information protected health information or PHI. HIPAA gives patients the right to their health information and protects sensitive and individually identifiable PHI from being disclosed without consent. HIPAA adherence is regulated by the U.S. Department of Health and Human Services (HHS) and is enforced by the HHS Office for Civil Rights (OCR). Violations may result in civil monetary penalties, and criminal penalties may be enforced by the U.S. Department of Justice (DOJ) (Centers for Medicare & Medicaid Services [CMS], 2024; HHS, 2021, 2022a, p. 5).

 

HIPAA Background and Evolution

HIPAA was signed into law by President Bill Clinton on August 21, 1996, and it officially became effective on July 1, 1997. HIPAA was initially intended to improve the portability and accountability of health insurance coverage. The act promoted medical savings accounts by introducing tax breaks and ensured health care coverage for employees with preexisting medical conditions. It also guaranteed the continuation of coverage when individuals changed employers. Since then, the act has evolved to encourage the conversion of paper files to electronic sources while safeguarding the protection and security of personal information. HIPAA also defines actions that covered entities must take to notify victims of breaches to their PHI and mitigate the damage incurred. Persons or agencies and businesses that furnish, bill, or receive payment for health care in the ordinary course of business must adhere to HIPAA laws. The HIPAA Privacy Rule establishes standards for protecting PHI held by persons and entities required to adhere to these laws (see Table 1; CMS, 2023; HHS, 2021).

 

Table 1

Persons and Entities Required to Comply With HIPAA

Health care providers
  • Description
    • Those who submit or execute transactions (claims) in an electronic form
  • Examples
    • Individual health care providers (physicians, psychologists, advanced practice registered nurses, chiropractors, dentists, pharmacists)
    • Hospitals
    • Clinics
    • Medical offices
    • Long-term care facilities (nursing homes, rehabilitation facilities)
    • Regional health systems/services

Health plans
  • Description
    • Corporations or organizations that provide health care coverage
  • Examples
    • Health insurance companies
    • Employer-sponsored health plans
    • Health maintenance organizations
    • Government-funded programs that pay for health care services (Medicare, Medicaid, Veterans Health, military care programs)

Health care clearinghouses
  • Description
    • Entities that process nonstandard health information to conform to standards for data format or content on behalf of other organizations
    • The intermediaries between health care providers and insurance payers who appraise medical claims for accuracy and identify errors to ensure the payer can correctly process claims
  • Examples
    • Billing services
    • Repricing companies
    • Information systems
    • Value-added networks

Specific companies and business associates
  • Description
    • Covered entities that appoint business associates (third parties that perform a function or activity on behalf of a covered entity and require access to PHI) to help execute their health care functions
    • Must have a written business associate contract or arrangement that establishes specifically what the business associate has been engaged to do and mandates their adherence to all HIPAA regulations
  • Examples
    • Any business or agency that bills or receives payment for health care, such as:
      • Private sector vendors
      • Third-party administrators
      • Consultants who perform utilization reviews for hospitals

(CMS, 2023; HHS, 2021)

 

The Privacy Rule

The Privacy Rule sets national standards and mandates for how PHI may be used and disclosed. It applies to all forms of PHI, "held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral" (HHS, 2022a, p. 5). It also applies to email and fax and prohibits the exchange of PHI with anyone who does not have a legitimate right to access it. PHI includes many standard identifiers, such as a person's name, address, birth date, and Social Security number (see Table 2). The primary goal of the Privacy Rule is to ensure that PHI is protected without precluding the transmission of necessary health information to deliver high-quality care and protect the overall health and well-being of the public. Therefore, the Privacy Rule focuses on the careful balance between utilizing necessary information and protecting patient rights and privacy when seeking care. It is intended to be flexible and comprehensive to cover the various uses and disclosures that must be addressed across a diverse and evolving health care system. The Privacy Rule pertains to health care providers and services, whether they transmit transactions directly or utilize a billing service or other third party to do so on their behalf (CMS, 2024; HHS, 2021, 2022a). PHI includes information that relates to:

  • An individual's past, present, or future physical or mental health or condition(s)
  • The provision of health care to an individual
  • Past, present, or future payment for the provision of health care to the individual

(HHS, 2022a)


The Privacy Rule protects information that may identify a patient or their relatives, employer, or household members, alone or combined. Therefore, health information that contains any patient identifier is protected under HIPAA. Table 2 provides examples of the most common health care identifiers and locations of PHI (HHS, 2022a).

 

Table 2

PHI: What and Where?

What (identifiers)
  • Name
  • Birthday
  • Address
  • Social Security number
  • Individual taxpayer identification number
  • Telephone number
  • Fax number
  • Email address
  • Medical record or account number
  • Health plan beneficiary number
  • Voice recordings
  • Photographs
  • Other characteristics that may identify the individual, including their past, present, or future physical or mental health condition(s)

Where (locations of PHI)
  • Fax sheets
  • Patient status boards
  • Financial records
  • Data used for research purposes
  • Patient identification bracelets
  • Prescription bottle labels
  • Photograph or video recordings of patients

(HHS, 2022a)

 

Individual Rights 

The Privacy Rule articulates individuals' rights regarding PHI, including the right to access, inspect, and obtain a copy of their health records in the form and manner they request. Individuals have the right to request corrections to their PHI if the information is inaccurate or incomplete. Individuals have the right to receive a notice of privacy practices and obtain an account of disclosures of their PHI within 6 years leading up to the date of the request (HHS, 2022a).


Health Care Providers and Health Plan Requirements

For health care providers and health plans, the Privacy Rule mandates core actions, such as:

  • Notifying patients about their privacy rights and how their information can be used.
    • Notices of privacy practices must be provided at the time of coverage enrollment.
    • Participants must be notified that privacy practices are available and of how they can obtain them at least once every 3 years.
  • Adopting and implementing privacy procedures.
  • Training employees so they understand and adhere to the privacy procedures.
  • Designating responsible persons for enforcing, overseeing, and monitoring ongoing adherence to all privacy procedures.
  • Securing all forms of patient records that contain identifiable health information so they are not readily available to those who do not need them.

(HHS, 2022a)


Covered Entity Requirements

A covered entity is permitted, but not required, to use and disclose PHI without an individual's authorization for six specific purposes, as outlined in Table 3 (HHS, 2022a). Under HIPAA, before a covered entity can share PHI for any of the purposes noted in Table 3, the following three requirements must also be met (OCR, 2016):

  • Both covered entities must have or have had a relationship with the patient (former and current patients).
  • The PHI requested must pertain to the relationship.
  • The discloser must release only the minimum information necessary for the health care operation at hand.


Table 3

Permitted Uses and Disclosures

Permitted use and disclosure

Description

1

Individual (unless required for access or accounting of disclosures)

  • A covered entity may disclose PHI to the individual who is the subject of the information.

2

Treatment, payment, and health care operations

  • A covered entity may use and disclose PHI for:
    • Treatment, payment, and health care operation activities of any health care provider
    • Payment activities of another covered entity and any health care provider
    • Health care operations of another covered entity involving either quality or competency assurance or fraud and abuse detection and adherence activities

3

Opportunity to agree or object

  • Informal permission may be obtained by asking the individual outright or by circumstances that clearly provide the individual with the opportunity to agree, consent, or object.
  • If the individual is incapacitated, experiencing an emergency, or not available, covered entities may make such uses and disclosures if, in the exercise of their professional judgment, the use or disclosure is in the best interest of the individual and their health.

4

Incidental use and disclosure

  • The Privacy Rule does not require every risk of an incidental use or disclosure of PHI to be eliminated.
  • The use or disclosure of PHI that occurs because of, or as "incident to," an otherwise permitted use or disclosure is permitted if the covered entity has adopted reasonable safeguards and the information shared is limited to the minimum necessary (as required by the Privacy Rule).

5

Public interest and benefit activities

  • The Privacy Rule permits the use and disclosure of PHI, without an individual's authorization or permission, for 12 national priority purposes (see Table 4). These disclosures are permitted, although not required, by the Privacy Rule due to the important uses made of health information outside of a health care context.

6

Limited data set

  • A limited data set refers to PHI in which specified direct identifiers of individuals and their relatives, household members, and employers have been removed.
  • A limited data set may be used and disclosed for research, health care operations, and public health purposes if the recipient enters a data-use agreement promising specified safeguards for PHI.

(HHS, 2022a)


A covered entity may rely on professional ethics and best judgments when deciding which of the above permissive uses and disclosures to enact. They may also rely on an individual's informal permission to use or disclose PHI to notify (including identifying or locating) family members, personal representatives, or others responsible for the individual's care of their location, general condition, or death. Furthermore, PHI may be disclosed for notification purposes to public or private entities authorized by law or charter to assist in disaster relief efforts (CMS, 2024).


Table 4

12 National Priority Purposes 

Priority

Description

1

Required by law

  • Covered entities may use and disclose PHI without individual authorization as required by law (including statute, regulation, or court order).

2

Public health activities

  • Covered entities are allowed to disclose PHI to:
    • Public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, and public health or other government authorities permitted to receive reports of child abuse and neglect
    • Entities subject to U.S. Food & Drug Administration (FDA) regulation regarding FDA-regulated products or activities for purposes such as adverse event reporting, product tracking and recalls, and post-marketing surveillance
    • Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law
    • Employers, regarding employees, when requested for information concerning a work-related illness or injury or workplace-related medical surveillance, as the employer needs such information to adhere to regulations from the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration, or pertinent state laws

3

Victims of abuse, neglect, or domestic violence

  • In specific circumstances, covered entities and health care providers are permitted under the Privacy Rule to disclose PHI to appropriate government and public health authorities regarding victims of abuse, neglect, or domestic violence.

4

Health oversight activities

  • Covered entities may disclose PHI to health oversight agencies, such as audits and investigations necessary to oversee the health care system and government benefit programs.

5

Judicial and administrative proceedings

  • Covered entities may disclose PHI in a judicial or administrative proceeding if the request is through a court order or an administrative tribunal. If requested by a subpoena or other lawful process, such information may be disclosed if certain assurances regarding notice to the individual or a protective order are provided.

6

Law enforcement purposes

  • Covered entities may disclose PHI to law enforcement officials for law enforcement purposes under the following circumstances and conditions:
    • When required by law (including court orders, court-ordered warrants, and subpoenas) and administrative requests
    • To identify or locate a suspect, fugitive, material witness, or missing person
    • In response to a law enforcement official's request for information about a victim or suspected victim of a crime
    • To notify law enforcement of a person's death if the covered entity suspects that criminal activity caused the death
    • Whenever a covered entity believes that PHI is evidence of a crime that occurred on its premises
    • By a covered health care provider in a medical emergency not occurring on its premises when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime

7

Decedents

  • Covered entities may disclose PHI to funeral directors as needed and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

8

Cadaveric organ, eye, or tissue donation

  • Covered entities may use or disclose PHI to facilitate cadaveric organs, eyes, and tissue donation and transplantation.

9

Research

  • The Privacy Rule allows covered entities to use and disclose PHI for research purposes without an individual's authorization, provided the covered entity obtains:
    • Documentation that an alteration or waiver of an individual's authorization for the use or disclosure of PHI about them for research purposes has been approved by an Institutional Review Board or Privacy Board.
    • Representations from the researcher that the use or disclosure of the PHI is solely to prepare a research protocol or for a similar purpose preparatory to research, that the researcher will not remove any PHI from the covered entity, and that PHI for which access is sought is necessary for the research.
    • Representations from the researcher that the use or disclosure is solely for research on the PHI of decedents, that the PHI sought is essential for the research, and (at the request of the covered entity) documentation of the death of the individuals about whom information is sought.

10

Serious threat to health or safety

  • Covered entities may disclose PHI when they feel it is required to prevent or lessen a serious and imminent threat to a person or the public when such disclosure is made to someone they believe can prevent or reduce the threat. Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

11

Essential government functions

  • An authorization is not required to use or disclose PHI for certain essential government functions, such as assuring the proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the U.S. president, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in specific government benefit programs.

12

Workers' compensation

  • Covered entities may disclose PHI as authorized and adhere to workers' compensation laws and similar programs providing benefits for work-related illnesses and injuries.

(HHS, 2022a)

 

Furthermore, covered entities must train all workforce members on their privacy policies and procedures as necessary and appropriate to carry out HIPAA requirements and functions. Initial HIPAA training is required no later than the adherence date for the covered entity and for each new member of the workforce within a reasonable period after the person joins the covered entity's workforce (HHS, 2022a). Health care organizations and agencies require HIPAA training during onboarding and at least annually. Employees must complete a documented attestation verifying their mandated training. There are no restrictions for using or disclosing de-identified health information (data that neither identify nor provide a reasonable basis to identify an individual). According to the HHS (2022a), there are two techniques to de-identify information properly:

  • formal determination by a qualified statistician
  • removing all specified identifiers of an individual and their relatives, household members, and employers, which is required and adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual
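As an added illustration of the second de-identification method (example code written for this page, not part of the course and not HHS or OCR code), the Python below strips the Table 2 identifier fields from a constructed patient record, walks nested relative and employer entries so their identifiers are removed too, and then scans the remaining free text for identifier patterns that would give the covered entity actual knowledge that the individual could still be identified. The field names, regular expressions, and sample record are assumptions for this example and would be mapped to a real schema in practice.

```python
import re

# Direct identifier fields, drawn from Table 2. The field names are
# assumed for this example and would be mapped to a real record schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "birthday", "address", "ssn", "itin", "phone", "fax", "email",
    "mrn", "account_number", "health_plan_beneficiary_number",
    "voice_recording", "photo",
}

# Identifier shapes that commonly leak into free-text fields (constructed
# patterns; a production scan would be broader and schema-aware).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),  # e.g. a birthday in a note
}


def deidentify(record):
    """Return a copy with direct identifier fields removed.

    Nested dicts and lists are walked so that identifiers of relatives,
    household members, and employers are stripped as well.
    """
    if isinstance(record, dict):
        return {k: deidentify(v) for k, v in record.items()
                if k not in DIRECT_IDENTIFIER_FIELDS}
    if isinstance(record, list):
        return [deidentify(item) for item in record]
    return record


def residual_identifiers(record, path=""):
    """Scan remaining string values for identifier patterns.

    Returns a list of (field path, identifier kind). Anything found means
    the covered entity has actual knowledge that the remaining data could
    identify the individual, so the record is not yet de-identified.
    """
    found = []
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}.{key}" if path else key
            found.extend(residual_identifiers(value, here))
    elif isinstance(record, list):
        for i, value in enumerate(record):
            found.extend(residual_identifiers(value, f"{path}[{i}]"))
    elif isinstance(record, str):
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(record):
                found.append((path, kind))
    return found


def redact_free_text(record):
    """Replace identifier patterns inside free text with a marker."""
    if isinstance(record, dict):
        return {k: redact_free_text(v) for k, v in record.items()}
    if isinstance(record, list):
        return [redact_free_text(item) for item in record]
    if isinstance(record, str):
        for kind, pattern in LEAK_PATTERNS.items():
            record = pattern.sub(f"[{kind.upper()} REMOVED]", record)
    return record


def deidentify_for_release(record):
    """Strip identifier fields, redact free text, and report anything left.

    Returns (cleaned_record, residual_list); an empty residual list means
    no known identifier pattern remains in the record.
    """
    cleaned = redact_free_text(deidentify(record))
    return cleaned, residual_identifiers(cleaned)


# Constructed sample record with fictitious values for the example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "birthday": "05/01/1970",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "diagnosis": "Type 2 diabetes",
    "clinical_notes": "Pt seen 03/04/2024; call spouse at 555-123-4567 re: follow-up.",
    "employer": {"name": "Acme Corp", "address": "1 Main St"},
    "relatives": [{"name": "John Doe", "phone": "555-000-1111", "relation": "spouse"}],
}

if __name__ == "__main__":
    stripped = deidentify(SAMPLE_RECORD)
    print("after field removal, residual identifiers:", residual_identifiers(stripped))
    cleaned, residual = deidentify_for_release(SAMPLE_RECORD)
    print("releasable:", not residual, cleaned)
```

Removing the listed fields alone leaves a phone number and a date in the clinical note, which is exactly the kind of residual knowledge that keeps the record from counting as de-identified; the free-text pass is what clears it.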


Security Rule

The HIPAA Security Rule sets national standards to secure the transmission, use, and handling of all electronic PHI (ePHI). It applies to all covered entities that share and transmit ePHI and outlines the precautions each entity must implement to safeguard the confidentiality, integrity, accessibility, and availability of ePHI. Before HIPAA, there was no universal security standard or general requirement for protecting health information in health care. However, as innovative and novel technologies emerged and the health care industry began to rely more heavily on electronic information systems to pay claims, provide health information, and conduct a host of other administrative and clinically based tasks, the security of ePHI became increasingly vital. Since privacy and security go hand in hand, the Security Rule protects a subset of information covered by the Privacy Rule. However, while the Privacy Rule covers the "what" (what information is protected), the Security Rule focuses on the "how" (how the information is protected). The Security Rule does not apply to PHI transmitted orally or in writing. Under the Security Rule, health care organizations and agencies must delineate the specific procedures they will implement to protect ePHI in their HIPAA policies and procedures and train employees on these topics annually, with documented confirmation (HHS, 2022b, p. 1).

The Security Rule includes the following specific physical, technical, and administrative protections that all covered entities must uphold:

  • Ensure the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the ePHI.
  • Guard against reasonably anticipated impermissible uses or disclosures.
  • Ensure adherence by their workforce.

(HHS, 2022b)


Examples of physical safeguards include implementing workstation and device security features and limiting physical access to facilities to authorized persons only. Administrative protections include security personnel responsible for developing and implementing all security processes and procedures, workforce training, and evaluation. Specific technical safeguards include audit controls and transmission security (private and password-protected electronic networks; HHS, 2022b). Today, health care providers primarily utilize electronic health records (EHRs), digital clinical applications such as computerized provider order entry systems, and electronic radiology, pharmacy, and laboratory systems. In addition, health plans provide electronic access to claims, care management, and member self-service applications. These advancements allow for more accessible, mobile, adaptive, and efficient health care services. However, the increased use and reliance on these technologies heightens the risk of potential security breaches (HHS, 2022b).

A primary goal of the Security Rule is to protect the privacy of ePHI while allowing covered entities to adopt novel technologies to improve the quality, competence, and effectiveness of patient care. Since the health care marketplace is diverse and continually evolving, the Security Rule was designed to be flexible and scalable to allow a covered entity to implement policies, procedures, and technologies based on its size, organizational structure, unique needs, and risks to the personal information of its consumers (see below). In addition, covered entities can analyze their needs and implement solutions appropriate for their specific environment, workforce, and resources (HHS, 2022b).


The Security Rule requires covered entities to take the following into account when selecting security measures:

  • Organization size, complexity, and capabilities
  • Technical, hardware, and software infrastructure
  • Costs of security measures

It also requires:

  • Plans to review and modify security measures to protect ePHI in a continuously evolving industry
  • Performance of routine risk analysis as a component of security management processes, including:
    • Evaluating the likelihood and anticipated impact of potential risks to ePHI
    • Implementing appropriate safety measures to address the risks identified through the risk analysis process
    • Documenting the selected security measures and the reason for choosing such measures
    • Sustaining continuous, reasonable, and appropriate security measures

(HHS, 2022b)


The Security Rule defines "confidentiality" as ePHI that is not available or disclosed to unauthorized persons. Its confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of ePHI. In addition, the Security Rule promotes two other goals: maintaining the integrity and the availability of ePHI. The Security Rule defines "integrity" as ePHI that is not altered or destroyed in an unauthorized manner. "Availability" denotes ePHI that is accessible and usable on demand by an authorized person (HHS, 2022b).


The Breach Notification Rule

The Breach Notification Rule is a set of standards that covered entities and business associates must follow if a data breach containing PHI or ePHI occurs. It delineates the requirements for breach reporting depending on the extent and size of the breach. According to the HHS (2013, p. 1), a breach is defined as follows:

Generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  • the unauthorized person who used the PHI or to whom the disclosure was made
  • whether the PHI was acquired or viewed
  • the extent to which the risk to the PHI has been mitigated


An example of a data breach is when an employee's unencrypted company laptop with access to medical records is stolen from their apartment. Similarly, a data breach includes any stolen or lost laptop, smartphone, or USB device with accessible PHI (HHS, 2013).

According to the HHS (2013), there are three exceptions to the definition of a breach:

  • The unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the scope of authority
  • The unintentional or inadvertent disclosure of PHI by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the covered entity or business associate or organized health care arrangement in which the covered entity participates
  • If the covered entity has a good faith belief that the unauthorized person to whom the unauthorized PHI disclosure was made would not have been able to retain the information

In all the above cases, to qualify as an exception, the PHI cannot be further used or disclosed in a manner not permitted by the Privacy Rule (HHS, 2013).

While organizations are required to report all breaches to the HHS, specific protocols for reporting vary based on the type and extent of the breach. The HIPAA Breach Notification Rule outlines how covered entities and business associates must respond in the event of a breach. Following a breach of unsecured PHI or ePHI, covered entities must notify affected individuals and (in certain circumstances) the media. Notifications must be provided without unreasonable delay and no later than 60 days after discovering the breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. However, affected individuals must still be notified that their data were involved in a breach within 60 days of the breach discovery. Breaches affecting more than 500 individuals must also be reported to HHS within 60 days, and affected individuals must be notified immediately, but there are additional requirements for large-scale breaches. Local law enforcement agencies must be contacted, and local media agencies may be used to alert potentially affected individuals. Furthermore, such breaches are posted on the HHS Breach Notification Portal, a permanent archive of all HIPAA violations caused by large-scale breaches in the U.S. since 2009. Being listed in this searchable database is a consequence of a HIPAA violation that can permanently damage the organization's reputation. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate (Compliancy Group, n.d.; HHS, n.d., 2013).

Between 2009 and 2020, 3,705 health care data breaches of 500 or more records were reported to the OCR. These breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 health care records, equating to more than 80% of the U.S. population. In 2018, health care data breaches of 500 or more records were reported at a rate of approximately 1 per day, and by December 2020, that rate had doubled. For 2020, the average number of breaches per day was 1.76. While the loss or theft of health care records and ePHI was the primary source of breach reports between 2009 and 2015, enhanced policies and procedures and the increased utilization of encryption have reduced these preventable breaches. Currently, hacking or information technology (IT) incidents are the leading cause of health care data breaches, followed by unauthorized access or disclosure. Advancements in technology have equipped organizations with the tools to detect breaches more readily when they occur (HIPAA Journal, n.d.-a).


HIPAA Adherence Issues 

Federal requirements preempt state laws with conflicting HIPAA rules. Thus, federal regulations always apply. A HIPAA violation denotes any breach in HIPAA adherence (or failure to adhere to any aspect of the HIPAA rules) that compromises the integrity of PHI or ePHI. A violation occurs when a HIPAA-covered entity or business associate fails to adhere to the provisions of the HIPAA Privacy, Security, or Breach Notification Rules. Violations may be intentional or unintentional. An example of an unintentional HIPAA violation is when excess PHI is disclosed and the minimum necessary information standard is violated. Disclosed PHI must be limited to the minimum information required to achieve the purpose for which it is needed. Financial penalties can be issued for unintentional HIPAA violations, although the penalties will be less severe than for willful violations of HIPAA Rules (Compliancy Group, n.d.; HHS, n.d., 2021).

HIPAA violations are typically different from data breaches. In the example above, the stolen laptop led to a data breach of PHI; a HIPAA violation would occur if the company whose laptop was stolen did not have a policy in place prohibiting laptops from being taken offsite (or requiring that they all be encrypted). Other examples of HIPAA violations include sending PHI or ePHI to the wrong patient or contact, sharing such information via social media posts, or discussing PHI outside of a private area where others can overhear the information. An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach. In addition, many HIPAA violations result from negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures (Compliancy Group, n.d.; HHS, n.d., 2021).

 

HIPAA Enforcement Rule and Penalties for Non-Adherence

The HHS and OCR conduct complaint investigations and adherence reviews. The HIPAA Enforcement Rule sets civil monetary penalties for violating HIPAA rules and establishes investigations and hearings for HIPAA violations. If a covered entity's employees (including volunteers) do not follow all HIPAA laws, the federal government has the right to investigate and impose monetary penalties and jail sentences if found guilty. Penalties can potentially be issued for any HIPAA violation. However, the OCR typically resolves most cases through voluntary adherence, technical guidance, or accepting a covered entity or business associate's plan to address the violations and change policies and procedures to prevent future occurrences. Unintentional HIPAA violations can lead to civil penalties such as fines. However, a penalty may be waived in specific circumstances, such as if the violation was due to a reasonable cause and did not involve intentional neglect, and the covered entity corrected the damage within 30 days of recognizing the violation. Intentional unauthorized disclosure of PHI (such as deliberately selling information) and offenses that involve willful neglect or obtaining PHI under false pretenses can lead to substantial fines (up to $250,000) and/or incarceration. If the violations are serious or have been allowed to persist for a long time, or if there are multiple areas of non-adherence, financial penalties may be appropriate. The U.S. DOJ is responsible for enforcing criminal sanctions. Four categories (or tiers) are used for the penalty structure and are outlined in Table 5 (American Medical Association, n.d.; HHS, 2020b, 2022a, 2022b; HIPAA Journal, n.d.-a).


Table 5

Four Tiers of Penalties

Tier 1
  • Violation description: Unknowing: a violation that the covered entity was unaware of and could not have realistically avoided, even if reasonable care had been taken to abide by the HIPAA Rules
  • Fine range: $100 to $50,000 per violation, with an annual maximum of $25,000 for repeat violations

Tier 2
  • Violation description: Reasonable cause: a violation that the covered entity should have been aware of but could not have avoided even with reasonable care (falling short of willful neglect under the HIPAA Rules)
  • Fine range: $1,000 to $50,000 per violation, with an annual maximum of $100,000 for repeat violations

Tier 3
  • Violation description: Willful neglect, corrected: a violation resulting from willful neglect that is corrected within the required period
  • Fine range: $10,000 to $50,000 per violation, with an annual maximum of $250,000 for repeat violations

Tier 4
  • Violation description: Willful neglect, not corrected: a violation resulting from willful neglect where no attempt has been made to correct the issue, or it is not corrected within the required period
  • Fine range: $50,000 per violation, with an annual maximum of $1.5 million

(American Medical Association, n.d.; HHS, 2020b; HIPAA Journal, n.d.-a)


HIPAA Violation Case Study

In 2018, Boston Medical Center, Brigham and Women's Hospital, and Massachusetts General Hospital settled with the OCR for almost $1 million in total for compromising patient privacy while a television network documentary was being filmed. The hospitals reached separate settlements with OCR, including fines, for inviting television crews to film onsite without first obtaining patient authorization. In addition to the monetary penalties, each hospital was required, as part of its corrective action plan, to implement staff training and policies and procedures regarding photography and video and audio recording. According to the settlement agreements, all three hospitals denied that they had impermissibly disclosed PHI and stated that they had obtained appropriate consent. This was a breach because patients entering hospitals expect to encounter doctors, nurses, and other authorized staff while receiving treatment, not film crews recording them in private, vulnerable moments. Thus, hospitals must obtain the appropriate consent from patients before allowing unauthorized persons access to patients and their medical information. Likewise, in 2016, New York-Presbyterian Hospital settled with OCR for $2.2 million after PHI was disclosed to a television crew during filming. The OCR described the breach as "an egregious disclosure" (Davis, 2018).


Institutional Challenges and Strategies

HIPAA adherence is an ongoing process, and its aim is to ensure that safeguards remain effective and that staff members remain vigilant about their responsibilities regarding PHI and HIPAA. For example, regular risk analyses must be performed to identify new threats to the confidentiality, integrity, and availability of PHI. Identified risks must be managed appropriately and reduced to an acceptable level. In addition, documentation of adherence efforts should be maintained and made available for inspection by regulators in the event of an audit, a complaint about the organization, or a breach of PHI (Compliancy Group, n.d.; HHS, 2020b).

Significant HIPAA challenges for organizations include ensuring that patients receive their medical records promptly, attaining and maintaining an adequate level of IT security (see Table 6), and balancing staff education with enforcement. With the development and increased use of patient EHR portals, such as MyChart, patients have greater access to their medical information than ever before. A lack of effective training is a common reason for HIPAA violations. Adherence training is a proactive, efficient, and effective way for organizations to prevent HIPAA violations. Organizations are encouraged to offer regular training (in-office, virtual, or on-demand), teach employees about HIPAA privacy and security regulations, and maintain an open-door policy that encourages employees to ask questions and report concerns. Since another common cause of HIPAA violations is stolen or lost mobile devices (smartphones, tablets, laptops) that store PHI, organizations must enable encryption, firewalls, and secure user authentication on each device. Certain technologies, software programs, and apps can remotely lock a device or wipe its data (reset it to factory defaults, thereby erasing all apps and data) if the device is lost or stolen. Furthermore, organizations need to address the risk of social media HIPAA violations. Organizations can enhance adherence by prohibiting employees from posting, texting, or transmitting workplace information, PHI, or photographs on social media outlets (Compliancy Group, n.d.; Edemekong et al., 2024; HHS, 2017, 2020b; KentuckyRHIO, 2017).


Table 6

HIPAA IT Pitfalls and Solutions

  • Pitfall: Missing patches for operating systems and applications
  • Priority solution: Without the latest security updates to the operating system and application software, the organization assumes unnecessary risk. Keep both current.

  • Pitfall: Failure to monitor and detect sensitive data loss (data exfiltration)
  • Priority solution: The organization should have an automated process to identify any data breach quickly. The organization should be the first to know about a breach.

  • Pitfall: Weak passwords
  • Priority solution: Weak passwords should be prohibited. Strong passwords using lowercase and uppercase letters, numbers, and symbols should be required for all employees. Alternatively, multifactor authentication can be required at employee login.

  • Pitfall: Coding deficiencies
  • Priority solution: Some applications have deficiencies in their code that can lead to a breach. Therefore, IT experts should double-check the security of all applications.

  • Pitfall: Lack of security validation for new systems
  • Priority solution: The security adherence function should validate that all new systems are configured securely. In addition, the EHR system must be assessed thoroughly via vulnerability and penetration testing.

  • Pitfall: Missing or outdated anti-malware technology
  • Priority solution: Anti-malware updates should be automatic and centrally managed, not left to users.

  • Pitfall: Missing encryption of sensitive information in transit
  • Priority solution: Email and files should be encrypted in transit for enhanced security.

  • Pitfall: Outdated disaster recovery plans
  • Priority solution: The disaster recovery plan should be updated consistently to avoid problems when a breach occurs.

(Compliancy Group, n.d.; Edemekong et al., 2024; HHS, 2017)


Good Privacy Practices for Health Care Professionals

There are several approaches that health care professionals can implement to ensure patient privacy and HIPAA adherence. Some of the most important activities include the following:

  • Ensure all papers and documents with PHI are kept in a secured area.
  • Do not leave PHI exposed where others can access it.
  • Handle and dispose of PHI securely. When PHI is not filed or used, it should be shredded immediately.
  • Only discuss specific patient cases in private where other people cannot overhear the conversation, including other staff members not involved in the patient's care.
  • Use passwords to prevent others from accessing your computer files and ensure your computer is locked every time you walk away from it.
  • Minimize all PHI in email communication. Include only the minimum necessary information.
  • Ensure fax machines that receive PHI are placed in secure and private locations.
  • Be mindful of where mobile devices are located at all times and lock them when not in use.
  • Use social media wisely.

(Compliancy Group, n.d.; HHS, 2020b)


If health care professionals wrongfully disclose PHI, they should immediately inform their direct supervisor. They should provide the following information to their supervisor (or another designated HIPAA officer [also known as a Privacy Officer] as outlined by the employer's policy):

  • Whose PHI was disclosed
  • How it was disclosed
  • To whom
  • The date and time of the disclosure
  • Any actions taken to remedy the problem

If they observe a colleague wrongfully disclosing PHI, they should address the person who is wrongfully disclosing PHI, telling them what they saw and heard and explaining how PHI has been wrongfully disclosed. The observer should then immediately speak to their supervisor about the situation (HIPAA Journal, n.d.-b).


How to File a Complaint

Anyone can file a health information privacy or security complaint if they believe there has been a violation of HIPAA. The complaint can concern a violation that affected one's own or another person's PHI, or any other breach of HIPAA laws. The complaint must be filed with OCR, either through its online complaint portal (https://www.hhs.gov/hipaa/filing-a-complaint/index.html) or by mail, fax, or email. The complaint must supply the following:

  • Information about the complainant
  • The name of the covered entity or business associate involved
  • A description of the acts or omissions believed to have violated the requirements of the Privacy, Security, or Breach Notification Rules

(HHS, 2020a)

The complaint should be filed within 180 days of when the act or omission occurred or was first identified (OCR may extend this period if the complainant can demonstrate "good cause" for the delayed reporting; HHS, 2020a).


HIPAA prohibits retaliation against persons who file a complaint. Thus, employees are protected from retribution for sharing a HIPAA-related privacy or security grievance. Any employee or representative of an employee who believes they have been retaliated against for disclosing HIPAA-protected information when reporting a workplace safety or health issue can file a whistleblower complaint with OSHA under Section 11(c) of the OSHA Act. The complaint must be filed within 30 days of the alleged retaliation (HHS, 2020a; OSHA, 2018).




References


American Medical Association. (n.d.). HIPAA violations & enforcement. https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement

Centers for Medicare & Medicaid Services. (2023). HIPAA basics for providers: Privacy, security, & breach notification rules. https://www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf

Centers for Medicare & Medicaid Services. (2024). Are you a covered entity? https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity

Compliancy Group. (n.d.). What is HIPAA compliance? https://compliancy-group.com/what-is-hipaa-compliance

Davis, J. (2018). 3 Massachusetts hospitals fined nearly $1 million by OCR for HIPAA violations. Healthcare IT News. https://www.healthcareitnews.com/news/3-massachusetts-hospitals-fined-nearly-1-million-ocr-hipaa-violations

Edemekong, P. F., Annamaraju, P., & Haydel, M. J. (2024). Health Insurance Portability and Accountability Act. StatPearls. https://www.ncbi.nlm.nih.gov/books/NBK500019

HIPAA Journal. (n.d.-a). Healthcare data breach statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics

HIPAA Journal. (n.d.-b). How should you respond to an accidental HIPAA violation? https://www.hipaajournal.com/accidental-hipaa-violation

KentuckyRHIO. (2017). Preventing HIPAA violations through practice compliance. https://krhio.org/preventing-hipaa-violations-practice-compliance

Occupational Safety and Health Administration. (2018). OSHA fact sheet: Health privacy and OSHA whistleblower complaints. https://www.osha.gov/sites/default/files/publications/OSHA-factsheet-HIPPA-whistle.pdf

US Department of Health and Human Services. (n.d.). Breach portal: Notice to the Secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

US Department of Health and Human Services. (2013). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

US Department of Health and Human Services. (2017). Health information privacy beyond HIPAA: A 2018 environmental scan of major trends and challenges. https://ncvhs.hhs.gov/wp-content/uploads/2018/05/NCVHS-Beyond-HIPAA_Report-Final-02-08-18.pdf

US Department of Health and Human Services. (2020a). Filing a HIPAA complaint. https://www.hhs.gov/hipaa/filing-a-complaint/index.html

US Department of Health and Human Services. (2020b). The HIPAA enforcement rule. https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html

US Department of Health and Human Services. (2021). HIPAA for professionals. https://www.hhs.gov/hipaa/for-professionals/index.html

US Department of Health and Human Services. (2022a). Summary of the HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

US Department of Health and Human Services. (2022b). Summary of the HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

US Department of Health and Human Services, Office for Civil Rights. (2016). Permitted uses and disclosures: Exchange for health care operations; 45 code of federal regulations (CFR) 164.506(c)(4). https://www.hhs.gov/sites/default/files/exchange_health_care_ops.pdf
