HIPAA Myth #1 “I don’t bill Medicare, so I don’t need to follow HIPAA Rules”
All covered entities must abide by HIPAA Privacy and Security Rules. Covered entities include healthcare providers, health plans and healthcare clearinghouses. The only exception is for healthcare providers who do not transmit claims electronically. Business Associates must also follow HIPAA Rules, and a written Business Associate Agreement with the covered entity is part of the requirement. A lot can be learned by reviewing previous settlement announcements from the Office for Civil Rights, the agency in charge of ensuring HIPAA compliance.
HIPAA Myth #2 “As the patient, I own my whole medical record and I want it now.”
HIPAA allows individuals the Right to Access and to receive a copy of the Designated Record Set within 30 days. However, the patient does not have ownership of the entire medical record. The provider “owns” the medical record. The individual also has the Right to Request an Amendment of their record within the Designated Record Set. The healthcare provider or plan must respond to such a request within 60 days (with a 30-day extension, if requested in writing) but is not obligated to make the correction if the provider does not agree with the request. Disputes should always be documented in the patient’s record, and patient engagement should be encouraged for accuracy of the medical record.
HIPAA Myth #3 “While looking up a patient on the EHR, I accidentally looked up the wrong patient. This is a breach and it needs to be reported.”
Not every impermissible use or disclosure is considered a breach. Under HIPAA, there are exceptions to what is a true breach requiring breach notification, such as in this case. Keep in mind that if the impermissible use or disclosure does not meet one of the exceptions, there are strict deadlines to meet under the Breach Notification Protocol to avoid violations and subsequent penalties for untimely reporting. If more than 500 individuals are affected by the breach, your organization will be listed on HHS’ Wall of Shame.
HIPAA Myth #4 “Since it was my Business Associate, a billing company that caused the large breach of PHI, I am off the hook.”
With a valid written Business Associate Agreement (BAA), this may be true in regard to the financial harm from penalties for a breach by the Business Associate, but this may not prevent significant reputational harm to the covered entity. Be sure that the BAA includes the notification procedure and coverage of costs incurred for meeting breach notification requirements and credit monitoring, if needed.
HIPAA Myth #5 “In the waiting room, the nurse should not call out my name [PHI] when it’s time to see the doctor.”
This is an example of an Incidental Use, which is permitted by HIPAA. However, there are many ways that PHI may be impermissibly disclosed from your facility. An unsuspecting employee can easily be the source of a breach of PHI by simply opening or sending an email. Staff training to recognize potential threats and vulnerabilities should be part of your Security Awareness Training and Security Management Process.