Under the HIPAA Privacy and Security Rules, covered entities are obliged to observe proper methods of disposing of protected health information (PHI) in any form. Appropriate disposal measures are required to prevent and limit any unauthorized use of, or access to, the information. Furthermore, covered entities handling electronic PHI are required to adopt policies and procedures governing the removal, termination and final disposal of PHI in electronic format, including the storage media housing the information.
Common Misconceptions Regarding HIPAA
- State laws always supersede contrary provisions in HIPAA. Fact: MA state laws only supersede HIPAA when a state’s statutes are stiffer.
- Hospitals and insurance companies are exempt from HIPAA. Fact: With extremely few exceptions, all hospitals, health plan administrators, clearinghouses, service providers, and all medical professionals are subject to HIPAA.
- HIPAA regulates only electronically transmitted data. Fact: HIPAA applies to all forms of communication: written, verbal and any form of electronic transmission.
- Under HIPAA, the unintentional or accidental release of data cannot be treated as a criminal act. Fact: Like any accident, the degree of negligence assigned to the act, as well as the defendant’s intent determine whether criminal or civil penalties apply.
- Information stored in archives by third parties is exempt. Fact: The use of third party bailment agents does not relieve or exempt the responsible parties from their HIPAA duties and obligations.
- Not all practicing physicians are subject to HIPAA. Fact: All practicing physicians are subject to some degree of HIPAA oversight.
- Dentists, optometrists, nurses, and pharmacists are exempted from HIPAA regulation. Fact: All healthcare professionals who handle or create patient records are subject to HIPAA and other privacy statutes.
- Recycling is an acceptable form of disposal under HIPAA. Fact: The practice of recycling medical records creates a foreseeable risk to both patient privacy and security, and is therefore a potential violation of HIPAA.
- In-house shredding programs prevent HIPAA-related compliance issues from arising. Fact: In-house shredding programs potentially create more HIPAA concerns than they resolve, because document destruction cannot be independently certified, and because proper security protocol is rarely practiced.
- HIPAA rules do not pertain to healthcare clearinghouses. Fact: All such non-medical institutions serving the medical industry are subject to HIPAA.
- Verbal release of patient information is not a HIPAA violation. Fact: Unless authorized, verbal communication of medical information is subject to HIPAA, as is all written and transmitted data.
- If improperly released information is not exploited, there is no violation of the law. Fact: Improper release is in itself a violation of HIPAA. The act of failing to take reasonable care in protecting individually identifiable health information is likewise a violation.
- The release of individually identifiable information already in the public domain is not a HIPAA violation. Fact: The release by a medical professional of even a patient’s most innocuous and publicly available individually identifiable information, such as a license number or address, can be interpreted as a violation of HIPAA.
Okay, Doctors et al, so maybe you’re still not convinced. Consider experiencing the following legal colonoscopy, sans anesthetic:
The maximum fines and penalties for failure to comply with the law are $250,000 and 10 years imprisonment. This of course doesn’t take into consideration the additional civil judgments and penalties that surely follow a criminal conviction.
What’s the best way to avoid a problem with the HIPAA police?