In this series on The Basics of HIPAA, we review the definition and meaning of the term Protected Health Information, or PHI. At the end of our conversation, you will see that the penalties for violating HIPAA are pretty severe. However, because most provider organizations understand the sanctions for noncompliance, your practice has probably implemented many of the safeguards we discuss in this series. If you have any questions about that, be sure to ask your supervisor.
Protected Health Information
The focus of HIPAA’s Privacy Rule is protected health information. This is individually identifiable information that has to do with the “past, present or future physical or mental health or condition of an individual.” The key to PHI, as it’s called, is that it must identify, or reasonably identify, the person. For example, how many identifying characteristics can you think of in health information? Some include the patient’s name, address, social security number and other contact information. What about employer information? That’s an identifier. How about date of birth, medical record number or photograph? Those are means of identifying a person as well. HIPAA has a list of at least 20 identifiers.
The important thing to remember is that a person has the right to expect privacy of his or her health information. And don’t forget, PHI can be verbal, too, so it’s especially important to watch what we share about a person’s PHI, with whom and the circumstances in which we share information.
The HIPAA law says we can’t use or disclose PHI except in specific circumstances. It’s crucial to understand that “using” PHI usually refers to what is done with it inside the practice or organization. The law is very clear about when you can look at someone’s PHI, and basically, it must be in the course of performing your job responsibilities.
We’ll give you an example: Suppose you answer the phones for a provider and have no need to access PHI as part of doing your job. In that case, the law says you should not have access to it. However, what if you happen to come across PHI that you know you shouldn’t have access to? The law also says that you will not view that PHI, since you know you don’t have a right to do so. That part is on the “honor system,” as long as the provider has taken steps to limit your ability to view PHI. It’s always a good idea to let your supervisor know about such an incident so that the office policies can be revised if necessary.
Disclosing PHI has to do with providing information outside the practice or organization. The law explicitly states that you may disclose PHI for the purposes of treating a person. For example, if a patient were referred to a cardiologist, and that physician needed a test result, it would be permissible for you to fax the information to the cardiologist’s office, as long as you made sure you were faxing to the correct place. Other permitted disclosures are outlined in the HIPAA law and are probably included in your organization’s HIPAA policies.
Penalties
As with any law, HIPAA has numerous provisions and standards. Non-compliance with HIPAA, or any violation of this law, can result in fines and even criminal penalties.
When HIPAA was first implemented, the fine to a Covered Entity was $100 per violation, up to $25,000 per year, for negligent violation of a single standard. When President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, the penalties escalated.
Moreover, HIPAA provides for severe criminal penalties for individuals who knowingly disclose protected health information. Fines start at $50,000 and can reach up to $250,000, with the added possibility of one to ten years in prison.
In short, HIPAA shouldn’t be taken lightly. Remember, when in doubt, always check with your practice’s Privacy and/or Information Security Official. If you don’t know who that person is, ask your supervisor or the practitioner. Next time, we’ll complete our five-part series on the Basics of HIPAA with a look at the Security Rule that governs electronic health information.