

Is HIPAA Only Between a Doctor and a Patient?

While HIPAA has made significant strides in protecting personal health information for patients and even their doctors, HIPAA affects many people outside of the healthcare industry as well. In other words, HIPAA is not only between a doctor and their patients. 

Throughout this article we will discuss who else HIPAA rules impact and what happens if those people were to violate HIPAA standards. 

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to protect a person’s sensitive medical information from being shared or disclosed. HIPAA also prevents healthcare providers and businesses from working with people or organizations who will sell out an individual’s private health information. HIPAA is a federal law and was created by the US Department of Health and Human Services. Violations of this law result in hefty fines and potential jail time. 

The Three Rules of HIPAA

Upon implementation of HIPAA, three rules were established: 

  1. The Privacy Rule – The Standards for Privacy of Individual Identifiable Health Information 
  2. The Security Rule – The Security Standards for the Protection of Electronic Protected Health Information
  3. The Breach Notification Rule – The Standards for Breach Notification & Responsibilities

Together, these three rules define specific requirements for individuals and organizations to comply with. These standards provide an understanding of how to properly handle protected health information (PHI). Ultimately, these requirements protect health records and other personal information. 

These requirements also protect the organizations that deal with protected health information. These organizations need safeguards to help prevent potential information leaks as well as other potential vulnerabilities that could put the company and everyone else associated with it at risk. 

What is Protected Health Information?

Protected health information (PHI), also commonly called personal health information, is any data that healthcare professionals collect in order to identify an individual and determine the appropriate care for that person. All of the following information would be considered PHI:

HIPAA’s Patient Identifiers

Patient identifiers are any information that is directly associated with an individual or that can independently identify the individual as the person who the medical service or treatment is intended for. 

HIPAA lists 18 identifiers that become PHI when paired with health information. Some of these identifiers can allow an individual to be identified, contacted, or located. The identifiers are as follows:

  1. Names
  2. Addresses
  3. Dates
  4. Phone number
  5. Fax number
  6. Email address
  7. Social security number
  8. Medical records numbers
  9. Health plan beneficiary
  10. Account number
  11. License number
  12. Vehicle identifiers or serial numbers
  13. Device identifiers or serial numbers
  14. Web URL
  15. IP address
  16. Biometrics Identification
  17. Full-face photographs
  18. Identifying characteristics (tattoos or piercings)
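As an added example that is not part of the original article: a small Python checker that scans free-text records for the machine-recognizable identifiers from the list above (SSN, phone or fax number, email, IP address, URL, dates) and flags a record as PHI only when an identifier appears alongside health information, which is the pairing rule the article states. The sample records, the health-context keyword list and the regex patterns are constructed for illustration; names, addresses, biometrics and photos need other tooling and are not detected here.

```python
import re
from typing import Dict, List

# Constructed sample records; every name, number and address below is made up.
SAMPLE_RECORDS = [
    "Patient Jane Roe, DOB 03/14/1975, SSN 123-45-6789, dx: hypertension",
    "Follow-up visit 2023-11-02; contact jdoe@example.org or 555-867-5309",
    "Telehealth session from 198.51.100.23, portal https://portal.example.org/p/4471",
    "Routine inventory count: 40 boxes of gloves",
    "Vendor invoice: call 555-201-0199 about the parking lot repaving",
]

# Patterns for the identifiers on HIPAA's list that have a checkable shape.
# Keys are hypothetical labels chosen for this example, not HIPAA terminology.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax_number": re.compile(
        r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

# Constructed heuristic for "health information": a few clinical terms.
# A real deployment would use a curated vocabulary or the source system's context.
HEALTH_CONTEXT = re.compile(
    r"\b(?:dx|diagnosis|visit|treatment|telehealth|prescription|patient)\b", re.I)


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return each identifier category found in the text with its matches."""
    found: Dict[str, List[str]] = {}
    for label, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[label] = matches
    return found


def classify_record(text: str) -> dict:
    """Identifiers alone are not PHI; they become PHI when paired with health data."""
    identifiers = find_identifiers(text)
    health_context = HEALTH_CONTEXT.search(text) is not None
    return {
        "identifiers": identifiers,
        "health_context": health_context,
        "is_phi": bool(identifiers) and health_context,
    }


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(classify_record(record))
```

The last sample record shows the distinction the article draws: a phone number in a vendor invoice is an identifier, but without health information it is not PHI.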

Is There Any Information That Can be Shared Without Violating HIPAA Rules?

There is some information that can be shared without violating HIPAA rules. The HIPAA Privacy Rule specifically allows covered entities to share information that is directly relevant to the involvement of a spouse, family members, or friends identified by the patient in the patient’s care or payment for health care. 

Who Does HIPAA Apply To?

Other than doctor and patient confidentiality, HIPAA rules and guidelines also apply to certain individuals and organizations. These individuals and organizations are commonly called covered entities. 

HIPAA Covered Entities

According to HIPAA, covered entities fall into three categories: healthcare providers, health plans, and healthcare clearinghouses. Any individual or organization that fits one of these three category descriptions is required to follow HIPAA rules. 

HIPAA also applies to most employers and employees, because they normally interact with these covered entities. 

HIPAA Business Associates

HIPAA defines a business associate as "a person or company that provides services to a covered entity that involves the disclosure of PHI." Some examples of the individuals or organizations that would be considered business associates are:

Business associates are also required to follow all HIPAA rules, and if they were to violate these rules, they may receive the same penalties.

Who Does HIPAA Not Apply To?

The US Department of Health and Human Services states that a few individuals and organizations are exempt from following the HIPAA guidelines. These include:

*A special rule applies to employers in regard to HIPAA. We will discuss this rule in the following section.

If you would like more information on this subject, check out our related article, Who Does HIPAA Apply To?

Employers & Employee Privacy

As stated in an earlier section, HIPAA applies to employers in a different way. Since most employers provide their employees with some sort of healthcare program or plan, they cannot obtain an employee’s health information from one of the covered entities. However, HIPAA does not apply to employment records. 

For example, an employer can ask an employee for a doctor’s note or other health information. A healthcare provider, however, cannot share that information directly with the employer. 

HIPAA Violation

When it comes to HIPAA rule violations, the US Department of Health and Human Services issues civil penalties to those who committed the violation. The Office for Civil Rights (OCR), a branch of the Department of Health and Human Services, is responsible for investigating complaints about potential HIPAA violations. There are four tiers of civil penalties based on the intent behind the violation. These four tiers are as follows:

Criminal Penalties

If, during an investigation, the Office for Civil Rights believes there has been a potential criminal violation of the HIPAA rules, it can refer the violation to the Department of Justice for review and/or investigation. Criminal penalties for HIPAA violations are not common; however, they are severe when they do happen. There are only three tiers for criminal violations. They are as follows:

10 HIPAA Violation Examples

There are many common causes of HIPAA violations, even accidental ones. In this section, we will go over the ten most common violations to look out for and be aware of. 

#1 – Medical Records Fall into the Wrong Hands

Mishandling patient records is one of the most common HIPAA violations. It occurs most often when a healthcare provider uses paper records: the provider or another medical employee accidentally leaves a record in a patient’s room, and another patient sees it. Patient records should always be kept in a private, locked space for optimal patient privacy. 

#2 – Employees Exposing Patient Information

Patient information and medical records are required to be kept private. Employees talking about patients to coworkers or friends is a HIPAA violation that can land you in a mountain of fines. Healthcare providers and employees cannot share patient information with friends, family members, third-party individuals, or other organizations. 

If a discussion is necessary to provide optimal patient care, healthcare providers and employees should only discuss patient information in private places and only with other medical personnel. 

#3 – Stolen PHI Items

If an item containing PHI, like a phone or tablet, is lost or stolen, this is also considered a HIPAA violation and will result in a hefty fine and, in some cases, jail time. To safeguard against an incident like this, HIPAA recommends that any mobile or personal device containing PHI be password protected.

#4 – Lack of Proper Safety Training

Another common cause of HIPAA violations is medical staff and healthcare employees who have not received proper training on HIPAA standards and requirements. Employees who are properly trained on how to avoid HIPAA violations are much less likely to make mistakes. 

#5 – Texting Private Patient Information

While texting private information may seem faster and more efficient, it also gives hackers the ability to get their hands on that information. If you get caught putting a patient’s name or private information in a text, you will end up with a hefty fine on your hands. 

#6 – Passing Information Through Skype or Zoom

Texting is not the only communication-related HIPAA violation, and this next one was most common during the height of the COVID-19 pandemic. Never discuss PHI over Skype, Zoom, or any other video call platform. The same issue as with texting applies here: hackers can, once again, easily obtain the patient’s PHI. 

#7 – Discussing Information Over The Phone

Another potential HIPAA violation that is easily ignored or overlooked is discussing information over the phone, even with the patient themselves. When discussing a patient’s private medical information over the phone, you need to be aware of your surroundings. Only do this in a private place where no one can accidentally overhear you, and always ensure that the person you are speaking with is the patient. Asking them to confirm their birthdate or address is an efficient way to verify their identity. 

#8 – Posting On Social Media

While this one may seem more obvious than the others, it is another very common HIPAA violation. You absolutely cannot post pictures of your patients on social media. It is a definite HIPAA violation, even if no names or other information are posted: a full-face photograph is one of HIPAA’s 18 patient identifiers (listed above). 

#9 – Employees Accessing Patient Files Without Authorization

This is one of the most common HIPAA violations, and the reason behind the access does not change the outcome. Accessing patient information without proper authorization is illegal, even if your intentions are pure. Termination of your job and suspension of your medical license are highly likely in this situation. 

#10 – Using PHI for Personal Gain

Accessing or selling an individual’s PHI for personal gain is illegal. Not only is this a HIPAA violation, but it is also a criminal offense and will most likely cause you to serve time in prison. 

HIPAA Exceptions in Emergency Situations

There are very few exceptions when it comes to HIPAA rules and guidelines. However, that does not mean there aren’t any. Some of the most common exceptions are only permitted in an emergency situation. For example, HIPAA rules allow exceptions for:

Our Safety Training

Here at Hard Hat Training, our goal is to make safety training courses fun and engaging. Our HIPAA Safety Training course is ready for purchase today.

All of our training materials are updated whenever any formal changes are made to the safety standards that apply. This enables us to provide our customers with the most thorough and up-to-date training options for employees.

Our course catalog presents our customers with over 200 training topics to choose from. Each of our courses is organized and fully narrated. We do this to help students follow along with and understand all the safety information they are learning. We offer many ways to accomplish safety training that are easy, affordable, and convenient.