HIPAA covered entities should be familiar with the types of data that must be safeguarded in order to comply with HIPAA Rules, but many patients are confused about exactly what HIPAA protects.
The HIPAA Privacy Rule requires HIPAA covered entities (typically healthcare providers, health plans and healthcare clearinghouses) and their business associates to protect all individually identifiable health information that they create, receive, maintain, or transmit.
The HIPAA Privacy Rule terms individually identifiable health information ‘Protected Health Information’ (PHI). PHI covers past, present, and future information about an individual’s physical or mental health or condition, the provision of healthcare to the individual, and payment for healthcare services. The HIPAA Privacy Rule also restricts the permitted uses and disclosures of PHI.
Identifiers such as names, addresses, and phone numbers are only considered PHI when they are maintained together with health information.
De-identified health information is not protected by HIPAA Rules. This is health information from which all identifiers that could be used to identify an individual have been removed. The Privacy Rule recognizes two ways of de-identifying data: removing the 18 identifiers listed in its Safe Harbor method, or obtaining a formal expert determination that the risk of re-identifying an individual is very small.
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). HIPAA is deliberately technology-neutral, so the Rules do not need to be rewritten every time new technology becomes available. The precise safeguards to implement must be chosen on the basis of a documented risk analysis; the Security Rule designates some implementation specifications as required and others as addressable, and for the addressable ones the entity must either implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate.
Can a Patient Take a Legal Action for a HIPAA Violation?
If a patient or health plan member believes their privacy has been violated or HIPAA Rules have not been followed, they can file a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR investigates complaints that are not submitted anonymously, provided they are filed within 180 days of the complainant becoming aware of the alleged violation.
If a HIPAA covered entity or business associate is found to have violated HIPAA Rules, OCR can impose financial penalties and other sanctions. In many cases, where the violation is minor and the entity voluntarily takes corrective action to address it and prevent similar breaches in the future, OCR may consider that sufficient and close the case with technical assistance or a corrective action plan rather than a fine.
Fines are more likely when particularly serious violations of HIPAA Rules have occurred, widespread compliance failures are discovered, or HIPAA Rules have been willfully violated.
HIPAA contains no private cause of action, so patients cannot sue for a HIPAA violation itself. However, it may be possible to take legal action against a person or healthcare organization under state laws.
What are the fines for HIPAA Violations?
Civil penalties for HIPAA violations can be imposed on HIPAA covered entities and their business associates by the HHS’ Office for Civil Rights, and state attorneys general may also bring civil actions for HIPAA violations. Criminal penalties, which are prosecuted by the Department of Justice rather than OCR, may apply when individually identifiable health information has been knowingly obtained or disclosed in violation of HIPAA, and they can be brought against individual healthcare workers as well as organizations.