HIPAA Violation Examples

HIPAA, the Health Insurance Portability and Accountability Act, has been getting a lot of attention, not just in the news but in conversations with friends, family, and close circles. Beyond our general concern for data privacy, the pandemic has made people even more protective of their medical records.

That is why there have been many reports and stories of patients accusing others of violating HIPAA rules.

However, while HIPAA does protect your medical information, it has limits, and many of the accusations made in everyday life fall outside them.

For instance, HIPAA does not stop anyone from asking about your COVID vaccination status or asking to see your vaccination card. HIPAA restricts what covered entities (and their business associates) may disclose; it does not restrict what a business, employer, or other person may ask you. So when someone asks for proof of vaccination, they are simply doing their job and are not violating HIPAA.

With that in mind, we have collected some HIPAA violation examples so that you can judge whether your own case is a legitimate violation or not.

About HIPAA

Since we already covered HIPAA violations in our previous article, this is only a quick overview before the examples.

Very basically, HIPAA is a set of regulations that protects individually identifiable health information, called protected health information (PHI), held by the organizations the law covers.

HIPAA applies to covered entities (and, through business associate agreements, to the vendors that handle PHI on their behalf). A covered entity is in violation if it fails to safeguard your medical records, or if it uses or discloses your health information without your authorization in a situation the Privacy Rule does not otherwise permit (the rule does permit disclosures for treatment, payment, and health care operations, among other listed purposes). The covered entities are as follows:

  • Covered Health Care Provider (e.g. Chiropractors, Clinics, Dentists, Doctors, etc.)
  • Health Plan (e.g. Health insurance companies, Company health plans, HMOs, etc.)
  • Health Care Clearinghouse (e.g. Billing services, Community health management information systems, Repricing companies, etc.)

Keep in mind that not every document containing medical information is protected by HIPAA in your hands; your COVID vaccination card is one example. The law also does not prevent other entities, such as restaurants, hotels, stores, and employers, from asking you for that information.

Examples

The HIPAA violation examples below are drawn from the case examples published on the United States Department of Health and Human Services (HHS) website. We picked some of the most common types of HIPAA violation case, the ones most likely to happen in everyday life.

Safeguards

The HIPAA Privacy Rule specifically states that covered entities must protect a patient's health information with "reasonable administrative, technical, and physical safeguards." The standard is reasonableness, not perfection: a covered entity must take the precautions a careful organization would take to prevent unauthorized access and impermissible disclosure, and it is judged on whether it did so.

Failure to Conceal Patient’s Information

This is one of the subtlest, most common, and most underreported HIPAA violations.

It occurs when computer screens displaying patients' health information are visible to other patients, for example at a front desk or in a waiting room. It is a HIPAA violation because the healthcare provider failed to implement the measures needed to safeguard its patient records.

When OCR investigated this case, it required the provider to reposition its computer monitors so they could not be seen by other patients. OCR also had the provider install computer monitor privacy screens to prevent further impermissible disclosures in the future.

Impermissible Uses and Disclosures

This type of HIPAA breach happens when a covered entity uses or discloses a patient's medical records for a purpose the Privacy Rule does not permit and without the patient's authorization. The cases below are ones that could easily have been prevented if the provider had been careful and had enforced an appropriate safeguard.

Accessing an Employee's Medical Record

If you work in a healthcare organization that also treats you, your employer and coworkers do not get to look at your medical record just because they work there. It does not matter whether they hold a position above you or not: accessing or disclosing a coworker's medical record without authorization, for a reason unrelated to their own job duties in treating or billing that patient, is a violation of the HIPAA regulations.

Specifically, it is a violation of the HIPAA Privacy Rule. Your record may only be accessed, used, or disclosed for the purposes the rule permits, such as your treatment, payment, and the organization's health care operations, and only by workforce members who need it for those purposes. Curiosity about a coworker, or an employment decision, is not one of those purposes.

According to the HHS, corrective actions for this type of violation can include a letter of reprimand, counseling, and additional training on the Privacy Rule for the workforce members involved.

Disclosure to Persons Without a “Need to Know”

Lack of oversight and carelessness can result in HIPAA violations.

For example, an employee who was also a patient alleged that her health information had been disclosed to her supervisor. Based on the report of the Office for Civil Rights (OCR), it was found that the hospital distributed Operating Room (OR) schedules to its employees via email. One of the recipients of the email was the employee/patient's supervisor at the hospital, who was not part of the treatment team and therefore should not have received the email containing the employee/patient's surgery schedule.

In cases like this, the Privacy Rule does permit distributing OR schedules to the staff who need them, but the supervisor should not have received the email because he or she was not part of the treatment team and had no need to know.

To prevent mishaps like this, corrective actions a hospital can take include retraining and disciplining the employee who sent the email. The hospital can also revisit and correct the way it disseminates this kind of information via email, for example by limiting the distribution list to the people who need the schedule.

Misunderstanding the Rule

Misunderstanding the rule can lead to violations as well.

An outpatient surgical facility reportedly believed that the HIPAA Privacy Rule allowed it to disclose patients' health information to a research entity for recruiting study participants. What it failed to understand is that the Privacy Rule only permits such a disclosure if the patient has given written authorization, or if an Institutional Review Board (IRB) or privacy board has approved a waiver of authorization. Without one of those, a provider is prohibited from disclosing its patients' health information for that purpose.

To remedy the situation, OCR required the facility to correct its written policies and procedures to conform to the Privacy Rule. The facility also had to retrain its entire staff on the new policies, log the disclosure of the patient's health information so it appears in the patient's accounting of disclosures, and apologize to the patient for the impermissible disclosure of their medical record.

Pharmacy Chain Disclosing Health Information to Law Enforcement

Pharmacies handle prescription records every day, so you might assume they are required to hand over those records whenever the authorities ask.

But, just like any other covered entity, a pharmacy is bound by the Privacy Rule. It cannot simply disclose protected health information to law enforcement officers or municipal officials on request.

The pharmacy must cooperate with the authorities, but only in the ways the Privacy Rule spells out. Disclosures to law enforcement are permitted in specific situations, for example in response to a court order, warrant, or subpoena, or to a written administrative request that meets the rule's conditions. An informal or verbal request that does not fit one of those situations is not enough, and disclosing in response to it is a violation. In the HHS case, a chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the Privacy Rule.

When this happens, OCR can require the pharmacy to revise its policies and procedures for law enforcement disclosures and to retrain the staff involved.

Discussing the Patient’s Health Information in Public

For those who have worked in the healthcare industry for a long time, discussing patients' health information has probably become part of daily life. With that, mistakes are bound to happen no matter how hard you try to avoid them.

But, because you work in the healthcare industry, you are required by law to take reasonable precautions against these mistakes.

For example, a nurse and an orderly at a state hospital discussed a patient's HIV status within earshot of other patients. Although it was not intentional, both of them should have taken extra care to prevent the disclosure. When the hospital found out, both employees were placed on leave, the nurse was put on one-year probation, and both were required to attend training to avoid further unintentional HIPAA violations.

Right to Access Health Information

Apart from safeguarding patients' medical records, HIPAA also empowers patients to take more control of their health and well-being. That is why the law gives them a legal and enforceable right to inspect and obtain a copy of their medical records, generally within 30 days of the request (with one 30-day extension allowed if the provider gives a written reason for the delay). Any medical service provider that fails to do so is in violation of HIPAA.

Failure to Provide Access to Guardian

A minor patient's records are protected by HIPAA as well, and in most cases the parent or guardian, as the minor's personal representative, has the right to access them. Many pediatric clinics are already familiar with the HIPAA rules for minors, but covered entities that rarely deal with minors may make mistakes every now and then.

Take this example from the HHS: a mother requested a complete copy of her son's medical record. Upon investigation, OCR found that the private practice had provided only a summary of the record. The fault lay with the private practice because it had relied solely on its reading of state regulations and, in doing so, misunderstood what HIPAA requires.

As per the HIPAA Privacy Rule, the private practice should have provided the patient's mother with the complete medical record. A covered entity may provide a summary instead of the full record only if the requester agrees in advance to receive a summary (and to any fee charged for preparing it).

To prevent this from happening again, OCR required the medical practice to revise its policy on minors and their right to access their medical records.

Refusal to Provide Access to Information Created by Other Entity

There are many reasons why patients change medical providers. Some are not satisfied with the treatment provided by their physicians, while others change for convenience (moving to a new location, a change in insurance coverage, etc.). In that case, a patient's medical record will be made up of information from different health professionals.

Regardless of who created the record, a healthcare provider must give the individual access to the health records it holds about them. Even if the information was not created by your current provider, the HIPAA Privacy Rule does not limit your right to access it.

But keep in mind that while HIPAA grants you the right to access your entire medical record, you cannot simply ask your current provider to amend any part of it. If the information was created by another entity, your current provider may deny your request for amendment, unless the originator is no longer available to act on the request.

Confidential Communications

HIPAA requires covered entities to let individuals request that protected health information be communicated to them by an alternative means or at an alternative location. This means that patients can ask their provider to contact them only by telephone at a particular number, by mail at a particular address, or by email. A health care provider must accommodate reasonable requests of this kind; a health plan must do so when the individual states that disclosure any other way could endanger them.

Failure to Follow the Patient’s Instruction

This scene is all too common in dramas and on TV. The clinic leaves a message on the patient's home telephone, and it so happens that the patient is not there to hear it. A family member or friend picks up the message and finds out about the patient's medical condition.

It turns out this also happens in real life. And when it does, it is a violation of the HIPAA Privacy Rule.

In a case example from the HHS, a hospital employee did exactly that. Despite the fact that the patient had asked to be contacted only at her work number, the employee left a message on the patient's home telephone, and it was the patient's daughter who heard the message.

To prevent this from happening again, the hospital updated its HIPAA guidance for employees on relaying protected health information to patients. It also introduced new procedures, including staff privacy training and mandatory yearly HIPAA compliance training.

Conclusion

From the HIPAA violation examples above, you may have noticed that HIPAA takes every patient's data privacy seriously, but the scope of that protection is limited to covered entities and their business associates. That is why it is mostly covered entities that take the blame and receive sanctions for HIPAA violations.

So remember: when an employer asks for your vaccination card, it is not violating HIPAA. Most employers are not covered entities at all, and even an employer that is one (a hospital, for example) is acting as an employer when it asks, and employment records are not protected health information.