Is this a HIPAA Privacy Violation? 5 Questions from the Workplace

HIPAA Privacy Violation

Is this a HIPAA privacy violation?  Not too surprisingly, the questions never end!  In just over three months in 2018, we have received over 12 specific questions about HIPAA privacy.  We thought it might be helpful to summarize some of the types of questions and remind everyone about the rules and guidance on HIPAA privacy violations.  The questions break down into two primary areas.

In this Article …

 

HIPAA Privacy Violations – Questions from Providers

“Is it a HIPAA privacy violation to use email to send records or otherwise communicate information that may contain PHI?”

The Fox Group, LLC response:

  • It is not “per se” a violation of HIPAA to send medical records (PHI) via email, BUT . . .
  • Unencrypted (not Secure) email is subject to interception – although it does not happen very often, it certainly is possible.  So not using a secure email application to send PHI could be seen as not adequately protecting the privacy of someone’s PHI.
  • Most secure email applications can be used to send information via an encrypted “channel”.  These applications typically require the recipient to log onto a website and set up an account. They enter their password, and then they can see the email message plus any attachments.
  • Another option you can consider is to scan the medical records as pdf files, and password-protect the pdf files that contain the medical record information.  Assuming the recipient has a pdf application reader, you would send the email using regular email with the password-protected file attached.  Send the password in a separate email, for the recipient to utilize and to un-protect the pdf file.

 

“Can I get terminated for a HIPAA privacy violation by sending pHI to the wrong person?”

The Fox Group, LLC response:

  • HIPAA requires Covered Entities to have a policy on sanctioning employees but does not specify what the policy should say.  So the final answer is yes, you could be terminated for a HIPAA privacy violation by making this mistake, but most employers utilize some framework for deciding on such sanctions.  For instance, most employers would probably terminate someone who maliciously released PHI, or engaged in an unauthorized disclosure for some personal benefit.  Most would probably not terminate an employee for a first-time mistake that did not result in an unauthorized disclosure.
  • Is it a HIPAA privacy violation if you didn’t send the Email! We advise people to approach email conservatively, arguing that even the disclosure of a person being a patient at a certain type of physician specialty practice could be considered a HIPAA privacy violation.

So Covered Entities should make sure they always (1) Keep their Notice of Privacy Practices up to date; (2) Appoint a Privacy Officer who can explain the policies to patients with questions; (3) Train staff on the policies; and (4) Conduct periodic HIPAA Risk Analyses.  Always Protect the Privacy of PHI with which you are entrusted!

 

HIPAA Privacy Violation – Questions from Patients

“Is it a violation of my privacy if someone else emails my psychiatrist about me?

The Fox Group, LLC response:

  • Covered Entities and their staffs have wide latitude to exchange PHI (Protected Health Information) for purposes of your treatment, their operations, or to obtain payment for services they have rendered.  We always recommend when electronic methods like email are used, that Covered Entities utilize secure methods to exchange such information.  This is not a requirement of the HIPAA regulations; HIPAA “only” requires Covered Entities to protect the privacy of PHI.  Since unencrypted email is subject to hacking or other interception, an unauthorized disclosure of PHI sent unencrypted could be found to be a HIPAA privacy violation.
  • However, an email from an individual who is not a staff member of a Covered Entity, HIPAA privacy rules do not apply.  They are free to share information about you with anyone, including your psychiatrist.
  • There is a lot of confusion among physicians and their office staff on the use of email as you can see in this FAQ from HHS.  HHS recommends email be utilized very carefully!  For instance, HHS advises limiting the amount of information disclosed through unencrypted email.  We see physician offices taking the approach that HIPAA prohibits communicating with patients via email (which it doesn’t!).  Some utilize unencrypted email without getting patient consent and communicate PHI with few restrictions (which are not good ideas!).

 

“Can I insist that a provider communicate with me via email?”

The Fox Group, LLC response:

  • It is correct that an individual has the right under the HIPAA Privacy Rule to request that a covered entity (like your doctor) communicate with you by alternate means or at alternate locations if it is reasonable for them to do so.   The most common circumstance for an alternate means of communication is to request communications in writing via US mail to a specified address other than the patient’s residence address.

 

My health status is being discussed within earshot of patients in other treatment cubicles.  Is this a HIPAA privacy violation?”

The Fox Group, LLC response:

  • The answer is “maybe . . .”
  • The HIPAA Privacy Rule protects your medical information in whatever form it is stored or delivered, including orally.  But it also provides for Incidental Uses and Disclosures.
  • On its website at the Department of Health and Human Services notes:
    1. a hospital visitor for example, may overhear a provider’s confidential conversation with another provider or a patient or may glimpse a patient’s information on a sign-in sheet or nursing station whiteboard.
    2. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards.
    3. The Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.
  • Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals’ health information, avoiding privacy violations, even if unintentionally – for instance:
    1. By speaking quietly when discussing a patient’s condition with family members in a waiting room or other public area;
    2. By avoiding using patients’ names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;

So a dentist or physician who is cognizant of the need to minimize incidental disclosures will utilize the strategies noted above.  So the risk of all incidental disclosure does not have to be eliminated to satisfy the HIPAA Privacy Rule.

“Privacy – like eating and breathing – is one of life’s basic requirements”
(by Katherine Neville, an American author)

When you need proven expertise and performance

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.