A $1.2 million settlement with the Department of Health and Human Services (HHS) for failing to erase photocopier hard drives containing electronic protected health information (ePHI). A $50,000 settlement with HHS after a laptop containing unencrypted ePHI is stolen. A $100,000 settlement with HHS after posting surgery and appointment schedules on a publicly accessible Internet calendar. Immeasurable reputation damage after a USB flash drive containing ePHI is lost and patients and the local media are notified. These are just a few real-world examples of the consequences practices, health systems, and health plans have faced due to violations of HIPAA.
What is it? The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress and signed into law in 1996. The Act is broken down into five separate Titles, each with a distinct role. Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies. It regulates and limits the restrictions that group health plans can place on preexisting conditions. Title I also requires insurers to issue policies, without preexisting-condition exclusions, to individuals leaving a group plan who have had creditable coverage exceeding 18 months. Insurers are also required to renew individual policies for as long as they are offered, or to provide alternatives to discontinued plans for as long as the insurer stays in the market.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. It also outlines numerous offenses relating to health care and sets civil and criminal penalties for violations. In addition to its provisions against fraud, waste, and abuse, the most significant parts of Title II are contained in the Administrative Simplification rules. These five rules are aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information. For the purposes of this post I will focus solely on the Privacy Rule.
The Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by employer-sponsored health plans, health insurers, and medical service providers. PHI is any information held by these entities which concerns health status, provision of health care, or payment for health care and that can be linked to an individual. PHI includes identifiers such as: name, address information, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers (including prescription numbers and member IDs), and account numbers.
How does it affect me? Anyone who has ever been treated by a healthcare professional has at some point given out at least a portion of their PHI. Patients should take the protection of their health information as seriously as healthcare professionals and the federal government do. Financial identity theft has produced countless incidents, and medical identity theft is just as serious an issue.
What can I do to protect my PHI? First, never give out your PHI to entities that aren't covered by HIPAA. Second, never give out your social security number if you don't have to. Third, your best protection against medical identity thieves is to verify the source before sharing your personal or medical information. Finally, if you have health information stored on your home computer or mobile device, or if you discuss your health information over email, simple measures like a strong password and device encryption can help keep your health information secure if your computer or phone is lost or stolen.
Is my health care practitioner doing enough? In my experience, healthcare providers take the protection of your PHI very seriously. If you are concerned about their level of compliance, I invite you to ask your personal healthcare professional about the compliance programs they have in place. If you would like to learn more about HIPAA regulations, please visit the HHS website.