As the federal government beefs up its efforts to root out fraud in the health sector, healthcare professionals need to understand HIPAA's role as a source of criminal liability, according to a STAT column by healthcare privacy lawyers Anne Murphy, Laura Angelini and Jared Shwartz from Hinckley Allen.
HIPAA sets standards on viewing, sharing and protecting patients' health records. Anyone who knowingly violates the privacy rule by viewing, obtaining or disclosing an individual's personal health information is subject to a fine, prison time or both.
However, the authors note that "knowingly" is defined as accessing any identifiable health information without authorization.
Federal prosecutors are increasingly stepping up their game when it comes to imposing criminal penalties for HIPAA violations at every corporate level from nonsupervisory employees to management to the corporations themselves. For example, the University of Texas MD Anderson Cancer Center in Houston was recently ordered to pay nearly $4.3 million to settle a HIPAA violation.
Moreover, when proving criminal liability, ignorance of the law doesn't mitigate its effects, according to the column authors. Even an individual who isn't immediately aware of what is OK under the law and breaks it accidentally is still subject to punishment, generally a fine of up to $50,000 and up to one year in prison.
Here are five precautions healthcare professionals can take, as noted by the authors:
1. Providers should "maintain all patient privacy and confidentiality-related policies … in writing and review them regularly to make sure they are addressing trends in federal agency interpretation and enforcement of the law," the report reads.
2. It is important to make these policies visible to patients so they can provide written consent for the release of information for purposes other than treatment.
3. Keeping policies in writing also shows authorities that your organization takes patient privacy seriously and installs the appropriate measures.
4. Compliance staff should ensure all employees — clinical and nonclinical — are trained on HIPAA each year. They should be educated as to what constitutes personal health information, best practices for secure communication and how to address patients, their family members and news media requests for health information.
5. Organizations should also be very careful when disclosing information to third parties and consult with a compliance professional or legal counsel before responding to their requests.