Is HIPAA Only Between a Doctor and a Patient?
While HIPAA has made significant strides in protecting personal health information for patients and their doctors, HIPAA affects many people outside of the healthcare industry as well. In other words, HIPAA is not only between a doctor and their patients.
Throughout this article we will discuss who else HIPAA rules impact and what happens if those people violate HIPAA standards.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to protect a person’s sensitive medical information from being shared or disclosed. HIPAA also prevents healthcare providers and businesses from working with people or organizations who will sell out an individual’s private health information. HIPAA is a federal law and was created by the US Department of Health and Human Services. Violations of this law result in hefty fines and potential jail time.
The Three Rules of HIPAA
Upon implementation of HIPAA, three rules were established:
- The Privacy Rule – The Standards for Privacy of Individually Identifiable Health Information
- The Security Rule – The Security Standards for the Protection of Electronic Protected Health Information
- The Breach Notification Rule – The Standards for Breach Notification & Responsibilities
Together, these three rules define specific requirements for individuals and organizations to comply with. These standards provide an understanding of how to properly handle protected health information (PHI). Ultimately, these requirements protect health records and other personal information.
These requirements also protect the organizations that deal with protected health information. These organizations need safeguards to help prevent potential information leaks as well as other potential vulnerabilities that could put the company and everyone else associated with it at risk.
What is Protected Health Information?
Protected health information (PHI), also commonly called personal health information, is any data that healthcare professionals collect in order to identify an individual and determine the appropriate care for that person. All of the following information is considered PHI:
- Demographic-related information
- Medical histories
- Laboratory tests and results
- Mental health records
- Health insurance information
HIPAA’s Patient Identifiers
Patient identifiers are any information that is directly associated with an individual or that can independently identify the individual as the person who the medical service or treatment is intended for.
HIPAA lists 18 identifiers that become PHI when paired with health information. Each of these identifiers can allow an individual to be identified, contacted, or located. The identifiers are as follows:
- Names
- Addresses
- Dates
- Phone number
- Fax number
- Email address
- Social security number
- Medical records numbers
- Health plan beneficiary numbers
- Account number
- License number
- Vehicle identifiers or serial numbers
- Device identifiers or serial numbers
- Web URL
- IP address
- Biometric identifiers
- Full-face photographs
- Identifying characteristics (tattoos or piercings)
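Several of the identifiers listed above (Social Security numbers, email addresses, phone numbers, IP addresses, URLs, and dates) have a recognizable text pattern, which makes them a practical starting point for an automated PHI check before a note is logged, exported, or pasted into a ticket. The script below is an added example and is not code from the article or from Hard Hat Training; the sample clinical note and the small keyword list used to decide whether "health information" is present are constructed for the demonstration, and the regular expressions are simplified assumptions (a production scanner would need broader patterns and a separate approach for names, addresses, photos, and biometrics, which have no fixed textual shape).

```python
import re

# Constructed sample note for the demonstration; none of these values are real.
SAMPLE_NOTE = """Patient Jane Doe, DOB 03/14/1975, SSN 123-45-6789.
Contact: jane.doe@example.com, (555) 010-2345.
Portal login from 192.0.2.44, profile https://portal.example.org/u/jdoe
Diagnosis: type 2 diabetes; A1c 7.9."""

# Simplified, assumed patterns for the subset of HIPAA's 18 identifiers that
# can be matched as text. Names, addresses, photos and biometrics are not covered.
IDENTIFIER_PATTERNS = {
    "Social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Phone number": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"https?://[^\s]+"),
    "Dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed keyword list standing in for a real clinical vocabulary.
HEALTH_TERMS = ("diagnosis", "diabetes", "prescription", "a1c", "lab result")


def find_identifiers(text):
    """Return a list of (identifier label, matched text) for every pattern hit."""
    hits = []
    for label, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((label, match.group(0)))
    return hits


def is_phi(text):
    """A record is PHI when an identifier appears together with health information.

    Health information alone (no identifier) or an identifier alone
    (no health information) does not meet the definition used in the article.
    """
    has_identifier = bool(find_identifiers(text))
    has_health_info = any(term in text.lower() for term in HEALTH_TERMS)
    return has_identifier and has_health_info


def redact(text):
    """Replace every matched identifier with a labelled placeholder, leaving the
    clinical content intact so the note is still useful internally."""
    redacted = text
    for label, pattern in IDENTIFIER_PATTERNS.items():
        redacted = pattern.sub(f"[{label.upper()} REDACTED]", redacted)
    return redacted


if __name__ == "__main__":
    for label, value in find_identifiers(SAMPLE_NOTE):
        print(f"{label:24} {value}")
    print("PHI:", is_phi(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Running the script on the constructed note reports six identifier hits, classifies the note as PHI, and prints a redacted copy in which the diagnosis line survives but the SSN, email, phone, IP, URL, and date are replaced. A note containing only "Diagnosis: type 2 diabetes." is not flagged, which reflects the article's point that identifiers and health information together are what make data PHI.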
Is There Any Information That Can be Shared Without Violating HIPAA Rules?
There is some information that can be shared without violating HIPAA rules. The HIPAA Privacy Rule specifically allows covered entities to share information that is directly relevant to the involvement of a spouse, family members, or friends identified by the patient in the patient's care or payment for health care.
Who Does HIPAA Apply To?
Other than doctor and patient confidentiality, HIPAA rules and guidelines also apply to certain individuals and organizations. These individuals and organizations are commonly called covered entities.
HIPAA Covered Entities
HIPAA sorts covered entities into three categories: healthcare providers, health plans, and healthcare clearinghouses. Any individual or organization that fits one of these three descriptions is required to follow HIPAA rules.
- Healthcare providers – Anyone who provides medical or health services. This includes clinics, pharmacies, doctors, nursing homes, and dentists.
- Health plans – Any individual or company that covers the cost of medical care. This category includes health insurance companies and government-sponsored healthcare.
- Healthcare clearinghouses – Any individual or company that receives health information from another entity and processes it. Good examples are billing services and community health information systems.
HIPAA also applies to most employers and employees because they normally associate with these covered entities.
HIPAA Business Associates
HIPAA defines a business associate as "a person or company that provides services to a covered entity that involves the disclosure of PHI." Some examples of individuals or organizations that would be considered business associates are:
- Software companies with access to PHI
- Companies in claims processing
- Companies in collections
Business associates are also required to follow all HIPAA rules, and if they violate these rules, they may receive the same penalties.
Who Does HIPAA Not Apply To?
The US Department of Health and Human Services states that a few individuals and organizations are exempt from following the HIPAA guidelines. These include:
- Life insurers
- Workers’ compensation carriers
- Employers*
*A special rule applies to employers in regard to HIPAA. We discuss this rule in the following section.
If you would like more information on this subject, check out our related article, Who Does HIPAA Apply To?
Employers & Employee Privacy
As stated in an earlier section, HIPAA applies to employers in a different way. Although most employers provide their employees with some sort of healthcare program or plan, they cannot obtain an employee's health information from one of the covered entities. However, HIPAA does not apply to employment records.
For example, an employer can ask an employee for a doctor's note or other health information. However, a healthcare provider cannot share that information directly with the employer.
HIPAA Violation
When it comes to HIPAA rule violations, the US Department of Health and Human Services issues civil penalties to those responsible for the violation. The Office for Civil Rights (OCR), a branch of the Department of Health and Human Services, is responsible for investigating complaints about potential HIPAA violations. There are four tiers of civil penalties based on the intent behind the violation. The four tiers are as follows:
- Tier 1 – This applies to individuals who were unaware that HIPAA rules were being violated. The minimum penalty is a $100 fine per violation, with a maximum fine of $25,000 for repeated violations.
- Tier 2 – This applies to violations that were found to have reasonable cause. This entails a minimum fine of $1,000 per violation and up to $100,000 for repeated violations.
- Tier 3 – This tier applies to violations that involve willful neglect of HIPAA rules, as long as the violation was corrected within the required time period. The minimum fine is $10,000 per violation. The maximum fine for repeated violations is $250,000.
- Tier 4 – This tier applies to violations involving willful neglect of HIPAA rules with no attempt to correct the violation. This is considered the most severe, with a minimum penalty of $50,000 per violation and a maximum of $1.5 million for repeated violations.
Criminal Penalties
If, during an investigation, the Office for Civil Rights believes there has been a potential criminal violation of the HIPAA rules, it can refer the violation to the Department of Justice for review and/or investigation. Criminal penalties for HIPAA violations are not common; however, they are severe when they do happen. There are only three tiers for criminal violations. They are as follows:
- Tier 1 – This tier applies to negligence or reasonable-cause violations, which can result in a fine of up to $50,000 and up to one year in prison.
- Tier 2 – This tier applies to violations committed under false pretenses. Violations like this result in a fine of up to $100,000 and up to five years in prison.
- Tier 3 – This applies to violations committed for personal gain or with malicious intent. A violation of this degree can result in a fine of up to $250,000 and up to 10 years in prison.
10 HIPAA Violation Examples
There are many common causes of HIPAA violations, even accidental ones. In this section, we will go over the ten most common violations to look out for and be aware of.
#1 – Medical Records Fall into the Wrong Hands
Mishandling patient records is one of the most common HIPAA violations. This occurs most often when a healthcare provider uses paper records. The provider or another medical employee may accidentally leave a record in a patient's room, where another patient sees it. Patient records should always be kept in a private, locked space for optimal patient privacy.
#2 – Employees Exposing Patient Information
Patient information and medical records are required to be kept private. Employees talking about patients to coworkers or friends is a HIPAA violation that can land you in a mountain of fines. Healthcare providers and employees cannot share patient information with friends, family members, third-party individuals, or other organizations.
If a discussion is necessary to provide optimal patient care, healthcare providers and employees should discuss patient information only in private places and only with other medical personnel.
#3 – Stolen PHI Items
If an item containing PHI, such as a phone or tablet, is lost or stolen, this is also considered a HIPAA violation and will result in a hefty fine and, in some cases, jail time. To safeguard against an incident like this, HIPAA recommends that any mobile or personal device containing PHI be password protected.
#4 – Lack of Proper Safety Training
Another common cause of HIPAA violations is medical staff and healthcare employees who have not received proper training on HIPAA standards and requirements. Employees who are properly trained on how to avoid HIPAA violations are much less likely to make mistakes.
#5 – Texting Private Patient Information
While texting private information may seem faster and more efficient, it also gives attackers an opportunity to get their hands on that information. If you are caught putting a patient's name or private information in a text, you will end up with a hefty fine on your hands.
#6 – Passing Information Through Skype or Zoom
Texting is not the only communication-related HIPAA violation, and this next one was most common during the height of the COVID-19 epidemic. Never discuss PHI over a Skype, Zoom, or other video call. The same issue as texting applies here: attackers can, once again, easily obtain the patient's PHI.
#7 – Discussing Information Over The Phone
Another potential HIPAA violation that is easily ignored or overlooked is discussing information over the phone, even with the patient themselves. When discussing a patient's private medical information over the phone, you need to be aware of your surroundings. Only do this in a private place where no one can accidentally overhear you. And always ensure that the person you are speaking with is the patient. Asking them to confirm their birthdate or address is an efficient way to verify the individual's identity.
#8 – Posting On Social Media
While this one may seem more obvious than the others, it is another very common HIPAA violation. You absolutely cannot post pictures of your patients on social media. It is a definite HIPAA violation, even if no names or other information are posted. A full-face photograph is one of HIPAA's 18 patient identifiers (listed above).
#9 – Employees Accessing Patient Files Without Authorization
This is one of the most common HIPAA violations, and the reason for accessing the file does not change the outcome. Accessing patient information without proper authorization is illegal, even if your intentions are pure. Termination of your job and suspension of your medical license are highly likely in this situation.
#10 – Using PHI for Personal Gain
Accessing or selling an individual’s PHI for personal gain is illegal. Not only is this a HIPAA violation, but it is also a criminal offense and will most likely cause you to serve time in prison.
HIPAA Exceptions in Emergency Situations
There are very few exceptions to the HIPAA rules and guidelines. However, that does not mean there aren't any. Some of the most common exceptions are permitted only in an emergency situation. For example, HIPAA rules allow exceptions for:
- Public health authorities in order to prevent or control disease, disability, or injury
- Foreign government agencies upon direction of a public health authority
- Individuals who may be at risk of disease
- Family or others caring for an individual; this could include notifying the public
Our Safety Training
Here at Hard Hat Training, our goal is to make safety training courses fun and engaging. Our HIPAA Safety Training course is ready for purchase today.
All of our training materials are updated whenever any formal changes are made to the safety standards that apply. This enables us to provide our customers with the most thorough and up-to-date training options for employees.
Our course catalog presents our customers with over 200 training topics to choose from. Each of our courses is organized and fully narrated. We do this to help students follow along with and understand all the safety information they are learning. We offer many ways to accomplish safety training that are easy, affordable, and convenient.