Last year, three separate hospitals gave ABC permission to film a television documentary series on their premises. The problem? The hospitals had not obtained patient authorization first. To resolve this privacy breach, they collectively paid the Department of Health and Human Services Office for Civil Rights (OCR) $999,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
HIPAA was signed into law on August 21, 1996 to “improve the portability and accountability of health insurance coverage.” The Privacy Rule, first published in December 2000 and modified into its current form in August 2002, “establishes national standards to protect individuals’ medical records and other personal health information.” It requires “appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”
There are three types of entities, known as covered entities, that must follow HIPAA’s regulations:
Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
The Privacy Rule covers a broad set of information, termed Protected Health Information (PHI). It includes anything health care providers put in a patient’s medical record or a health insurer’s computer system, billing information, and any conversations a patient’s doctor has about their care or treatment with nurses and others. Under the Rule’s “Safe Harbor” de-identification method, information stops being PHI once all of the following 18 identifier types have been removed, provided the covered entity has no actual knowledge that what remains could still identify the individual:
Names (full name, or last name and initial)
All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except for the first three digits of a ZIP code if, according to current publicly available U.S. Census Bureau data, the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; for areas of 20,000 or fewer people the three digits are changed to 000
All elements of dates (other than year) directly related to an individual, such as birth, admission, discharge and death dates; and all ages over 89 and any date elements (including year) that reveal such an age, which may be aggregated into a single “90 or older” category
Phone Numbers
Fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health insurance beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers (including serial numbers and license plate numbers)
Device identifiers and serial numbers
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
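The Safe Harbor list above is mechanical enough to implement. The following is an added example, not code from the original article or from HHS: it de-identifies a structured patient record by dropping the direct identifiers, reducing ZIP codes to three digits (or 000), keeping only the year of dates, collapsing ages over 89 to “90+”, and attaching a random re-identification code. The field names, the sample record and the fixed reference date are constructed for the example; the set of sparsely populated ZIP prefixes is the one HHS published in its Safe Harbor guidance from 2000 Census data and must be re-derived from current data in real use.

```python
# Safe Harbor de-identification of a structured patient record (added example).
import re
import secrets
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer,
# as listed in HHS's Safe Harbor guidance (derived from 2000 Census data).
# The rule points at *current* Census data, so re-derive this set in practice.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Allowlist of fields that carry none of the 18 identifier types and may be
# copied through unchanged. Anything not handled explicitly is dropped
# (fail closed): a denylist would miss identifiers in unknown fields or in
# free-text notes, which no regex can reliably scrub.
KEEP_AS_IS = {"state", "sex", "diagnosis_code"}

# Fixed reference date so the example is reproducible (constructed).
AS_OF = date(2019, 6, 1)


def generalize_zip(zip_code):
    """First three ZIP digits, '000' for a sparsely populated area, None if unusable."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth, today):
    """Whole years between birth and today."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def generalize_dates(record, today):
    """Dates keep only the year; ages over 89 collapse to '90+' and lose the birth year too."""
    out = {}
    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(birth, today)
        if age > 89:
            out["age"] = "90+"          # even the birth year would reveal the age
        else:
            out["age"] = age
            out["birth_year"] = birth.year
    for field in ("admission_date", "discharge_date"):
        value = record.get(field)
        if value is not None:
            out[field.replace("_date", "_year")] = value.year
    return out


def safe_harbor(record, today=None, reid_map=None):
    """Return a de-identified copy of `record`.

    If `reid_map` is given, a random re-identification code is recorded there
    against the medical record number. The code is random, not derived from an
    identifier (no hash of the SSN or MRN), as the rule requires; the mapping
    itself is PHI and must be protected separately.
    """
    today = today or date.today()
    deid = {k: record[k] for k in KEEP_AS_IS if k in record}
    zip3 = generalize_zip(record.get("zip"))
    if zip3 is not None:
        deid["zip3"] = zip3
    deid.update(generalize_dates(record, today))
    code = secrets.token_hex(8)
    if reid_map is not None:
        reid_map[code] = record.get("mrn")
    deid["code"] = code
    return deid


# Constructed sample record; not a real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0004471",
    "ssn": "000-00-0000",
    "email": "jane.sample@example.com",
    "city": "Example City",
    "state": "NH",
    "zip": "03602-1234",
    "birth_date": date(1928, 5, 2),
    "admission_date": date(2018, 9, 13),
    "discharge_date": date(2018, 9, 20),
    "sex": "F",
    "diagnosis_code": "S72.001A",
    "notes": "Daughter Mary can be reached at 802-555-0100.",
}

if __name__ == "__main__":
    mapping = {}
    print(safe_harbor(SAMPLE_RECORD, today=AS_OF, reid_map=mapping))
```

The allowlist is the security-relevant design choice: a record de-identified by deleting known-bad fields still leaks through whatever field the schema grew last month, whereas a record rebuilt from known-good fields cannot. The free-text notes field is dropped for the same reason; narrative text needs either manual review or the Expert Determination method rather than Safe Harbor.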
Patients have the right to opt out of a hospital’s facility directory. Unless a patient has done so, hospitals can release the following directory information without patient authorization:
Name—Information can be released to those people (media included) who ask for the patient by name. Information cannot be released to an individual unless that person knows the patient’s name.
Condition—A one-word explanation of the patient's condition can be released.
Location within the hospital—As long as prohibited information is not revealed, such as the patient being treated for substance abuse, the location can be released.
Religion—This information can be released only to clergy on request. Clergy do not need to ask for the individual by name. Hospitals are not obligated to collect this information. If hospitals collect this information, they should inform the patient why they are collecting it and inform the patient that it will be handed over to clergy if requested.
The Privacy Rule also permits a patient’s information to be used or shared without authorization for a number of purposes:
For patient treatment and care coordination
To pay doctors and hospitals for the patient’s health care and to help run their businesses
With the patient’s family, relatives, friends, or others they identify who are involved with their health care or health care bills
To make sure doctors give good care and nursing homes are clean and safe
To protect the public's health
To make required reports to the police
With regard to their own information, patients can:
Ask to see and get a copy of their health records
Have corrections added to their health information
Receive a notice that tells them how their health information may be used and shared
Decide if they want to give their permission before their health information can be used or shared for certain purposes, such as for marketing
Get a report on when and why their health information was shared for certain purposes
A violation of the Privacy Rule, whether unintentional or deliberate, falls into one of four categories in the civil penalty structure:
Category 1: A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by HIPAA Rules
Category 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (reasonable cause, falling short of willful neglect of HIPAA Rules)
Category 3: A violation resulting from willful neglect of HIPAA Rules, where the violation was corrected within 30 days of the covered entity knowing, or having reason to know, of it
Category 4: A violation constituting willful neglect of HIPAA Rules, where the violation was not corrected within that period
While OCR prefers to resolve a HIPAA violation outside of court, through voluntary compliance, corrective action plans and training, the severity of a violation or its persistence may incur a hefty financial penalty. Each category carries its own penalty range, and OCR sets the final figure according to factors such as how long the violation was allowed to persist, the number of people affected and the nature of the data exposed. The base amounts set by the HITECH Act (before annual inflation adjustments), each subject to an annual cap of $1.5 million for violations of the same provision, are:
Category 1: Minimum fine of $100 per violation up to $50,000
Category 2: Minimum fine of $1,000 per violation up to $50,000
Category 3: Minimum fine of $10,000 per violation up to $50,000
Category 4: Minimum fine of $50,000 per violation
Criminal charges may also be brought, by the Department of Justice rather than OCR, against individuals who knowingly obtain or disclose PHI in violation of HIPAA. The tier depends on intent: whether the information was obtained under false pretenses, and whether it was taken to sell, for commercial advantage, for personal gain or to cause malicious harm.
Tier 1: Knowingly obtaining or disclosing PHI in violation of the rules – Fines up to $50,000 and up to 1 year in prison
Tier 2: Obtaining PHI under false pretenses – Fines up to $100,000 and up to 5 years in prison
Tier 3: Obtaining PHI with intent to sell it, or for commercial advantage, personal gain or malicious harm – Fines up to $250,000 and up to 10 years in prison
A patient’s medical and health information is private and should be protected. The Privacy Rule protects patients’ rights by tightly restricting who may hold this information. Where some information may be released without patient authorization, it is for purposes the Rule defines, above all providing each patient with the best care possible.