HIPAA Privacy and Security Measures: Are You Compliant?

By: Karin M. Zaner, JD
Monday, September 15, 2014

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) mandate certain privacy and security measures for patient information.

Non-compliant physicians are exposed to criminal and civil sanctions in the event that a HIPAA breach occurs, such as a theft or loss of a mobile device, and triggers an audit by Health & Human Services (HHS). Physicians should understand certain HIPAA basics and practical guidelines:

  1. Protected Health Information (PHI) is “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
  2. Covered entities are health plans, healthcare clearinghouses or healthcare providers (including physicians) conducting certain financial and administrative transactions electronically (e.g., claim submission, billing and fund transfers). Actively practicing physicians should assume “covered entity” status.
  3. PHI is everywhere. PHI’s incredibly broad definition includes many common identifiers, such as name, address, birth date and Social Security number if associated with health data content.
  4. Do not access PHI of non-patients. Medical records systems may contain PHI for patients that are not yours. You may be present in a healthcare facility where you do not have clinical privileges. Be aware that these situations pose risk and avoid them.
  5. No audio or video recording. Surreptitious audio or video recording in healthcare environments should be absolutely avoided. Even with patient consent, such recordings should be used for treatment purposes only.
  6. Use appropriate safeguards. Hard copies should be under lock and key while unencrypted electronic information should be password protected and properly safeguarded with firewalls. HIPAA compliant procedures must be observed at all times.
  7. Mobile devices pose special risk. Physicians should strictly observe certain protocols (see www.healthit.gov/mobiledevices) including maintaining physical control at all times, using encryption and passwords, installing firewall and remote disabling software, using adequate security when using public Wi-Fi networks, and deleting all PHI before discarding devices.
  8. Forwarding PHI for business or legal purposes. Attorneys, accountants and business advisors are business associates if they need PHI to perform services. An appropriate Business Associates Agreement (BAA) mandating administrative, physical, and technical safeguards for PHI must be executed and strictly observed.
  9. Forwarding PHI to vendors. BAAs are also required for any third-party/vendor who has access to PHI, including copy services, experts, storage facilities and other third parties, except for janitorial services that “incidentally” have contact with PHI.
  10. Peer review is exempted. But a physician must operate within formal channels (policies and procedures), and not outside of them. If you face peer review, get legal advice to make sure you are able to defend yourself without violating HIPAA.

Don’t be a target. HIPAA violations have become the focus of many health care entities. Physicians should avoid even the appearance of a HIPAA violation and consult with a healthcare attorney if any issues arise.

Karin Zaner

Karin M. Zaner is a director and healthcare attorney in the Dallas office of Kane Russell Coleman & Logan PC. Ms. Zaner represents physicians and physician groups in a variety of health care matters, including those relating to HIPAA, peer review, credentialing, physician employment/non-competes and practice disputes, as well as Texas Medical Board issues.