HIPAA Resolution Case Studies – February 2014
Greg Garner
Health Information Privacy: A Case-Based Discussion
The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of protected health information (PHI). The Rule also sets limits and conditions on the uses and disclosures of PHI that may be made without the patient's authorization. The Rule gives patients rights over their PHI, including the right to inspect and obtain a copy of their health records. The Office for Civil Rights (OCR) enforces the Privacy Rule. If a patient believes that a covered entity (CE) or a business associate (BA) has violated his or her health information privacy rights or otherwise violated the Privacy Rule, the patient may file a HIPAA Privacy Rule complaint with OCR. OCR investigates complaints and first attempts to reach an informal resolution through voluntary compliance. When OCR cannot reach an informal resolution, the Secretary may impose a civil monetary penalty, which this page states as up to $11,000 for each knowing and reckless disclosure of PHI.
Ongoing staff training will help to ensure that your workforce remains compliant with the HIPAA Privacy Rule.
The following are actual HIPAA case examples, with the resolutions reached after an OCR investigation:
Case 1: Hospital Implements New Minimum Necessary Policies for Telephone Messages
Covered Entity: General Hospital
Issue: Minimum Necessary; Confidential Communications
A hospital employee did not observe the minimum necessary requirement when she left a telephone message with a patient's daughter that detailed both the patient's medical condition and her treatment plan. The OCR investigation also found that the confidential communications requirement was not followed: the employee left the message at the patient's home telephone number despite the patient's instruction to contact her through her work number.
Resolution: Hospital developed and implemented several new procedures: 1) Employees were trained to provide only the minimum necessary information in telephone messages and were given specific direction as to what information could be left in a message. 2) Employees were trained to review registration information for patient contact directives regarding leaving messages.
These new procedures were incorporated into the standard staff privacy training, both as part of refresher series and mandatory yearly compliance training.
Case 2: Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance
Covered Entity: Private Practice
Issue: Access
A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During an OCR investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance.
Resolution: OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires a covered entity to provide an individual with access to his or her medical record within 30 days of the request, regardless of whether the individual has a balance due. A practice may charge a reasonable, cost-based fee for copies, but an unpaid balance for services rendered is not a permitted ground for withholding the record.