The Health Insurance Portability and Accountability Act (HIPAA) does not have to be confusing. Whether you are a doctor, manage a practice, or are a patient, you should know about HIPAA. Surprisingly, even many medical professionals struggle with the intricacies of the law. In the meantime, the Office of Civil Rights (OCR), a division of the Department of Health and Human Services (HHS), continues to dole out exorbitant fines to medical offices that fail to comply. Here are five misconceptions to help you better understand the HIPAA law.
1. HIPAA is About Data Privacy
In actuality, HIPAA is about data as property. Your data has a tangible value. It is stored, transferred, bought and sold both legally and illegally every day. HIPAA takes a specific subset of data, called Protected Health Information (PHI), assigns ownership of it to doctors and other medical offices (referred to as covered entities), and outlines the proper way they can use that data. In addition, HIPAA provides guidelines on how to best protect that data, and penalties for failing to do so. So, in short, your doctor owns your medical data.
In order to best understand this concept, we need to compare it to another law. The EU’s General Data Protection Regulation (GDPR) assigns the ownership of a citizen’s data to the individual citizen. It then gives that citizen the authority to share their data as needed, and to revoke access to that data at any time and for any reason. Some states have begun to push for GDPR-like legislation in recent months. Data protection legislation seems to be moving slowly in that direction.
2. My Doctor or Practice is HIPAA Compliant
HIPAA Compliance is a cultural shift. Risk assessments provide a snapshot of how the covered entity is doing at that moment. Striving for compliance is a full-time, never-ending process that requires teamwork. Compliance can disappear at the snap of a finger. There is no magic pill to achieve compliance.
Achieving compliance shouldn’t be like cramming for a test, making changes to how a practice operates, and then going back to “normal” operations after the assessment. It should be practiced every hour of every day. When completed properly, a risk assessment will identify the difference between the offices making a conscientious effort and the “crammers.”
It is rare to find a doctor’s office that can achieve and maintain HIPAA Compliance. Far too many have failed to even make an attempt.
3. My PHI isn’t Worth Worrying About
When you go to the doctor, you fill out a patient history form. Often, that form has information on it that you wouldn’t want shared with the public. A few examples might include:
- Questions about sexual contacts and sexually transmitted illnesses
- Current or prior drug/alcohol abuse
- Prior psychiatric treatment
- Prior surgeries or diseases
- Last colonoscopy/Pap Test/Mammogram and their results
- Medication you are taking
- DNA profile
PHI is valuable to pharmaceutical reps, cyber-criminals, government actors, marketing firms, other doctors, and in some cases, media outlets (for example, a celebrity going into rehab).
4. HIPAA is a New Law and More Time Should be Given for Compliance
HIPAA first became law in 1996. Covered entities have had more than 20 years to adjust. The Office of Civil Rights began enforcement of the privacy rule in 2003 and the security rule in 2009. Enforcement increased sharply in 2013. Many covered entities approached it with an attitude of “it won’t happen to me.” OCR has stepped up random audits and investigated complaints. There have been marketing campaigns designed to warn doctors that enforcement was coming. The federal government is no longer giving credit to covered entities that claim ignorance.
5. HIPAA Compliance is Too Expensive and Time-Consuming
Securing your data is becoming more and more critical every day. Cyber-crime happens because it has a much lower risk than street crime, with a very high reward. This remains true for all data, but especially true of PHI because the market for it on the Dark Web is a seller’s dream. An oft-cited statistic that appears to be attributed to the National Cyber Security Alliance states that 60 percent of small and medium businesses close permanently after a data breach. They attribute it to recovery costs, embarrassment, and a loss of trust from their customers. Covered entities suffer these as well, and then face government scrutiny and exorbitant fines. By following the federal guidelines, practices often find that they function more efficiently, have less downtime due to network problems, and spend less time worrying about government regulators.
(The preceding article covering HIPAA is advisory in nature and should not be construed as or substituted for proper legal advice.)