The Purpose of HIPAA
HIPAA serves several essential purposes in the healthcare industry. First, it enhances individuals’ control over their health information by giving them specific rights and protections. Second, it establishes national standards for the electronic exchange of health information to ensure consistency and compatibility among different healthcare systems.
Is billing information protected under HIPAA?
Yes, billing information is protected under HIPAA.
HIPAA violations involving medical billing and other financial communications happen every day. Patient financial correspondence is protected health information (PHI) under HIPAA because it contains health information linked to individual identifiers. Every precaution should be taken to keep these communications safe, yet healthcare data breaches, both deliberate and accidental, are skyrocketing, along with the penalties for violations.
HIPAA Privacy Rule
The HIPAA Privacy Rule regulates how covered entities handle PHI. It sets guidelines for obtaining patient consent, providing notice of privacy practices, and ensuring PHI’s confidentiality, integrity, and availability.
Common Types of HIPAA Violations Under the Privacy Rule
Improper Disclosure of Your PHI
HIPAA violations can occur when healthcare providers disclose your information to unauthorized individuals or entities. Improper disclosure can happen through inadvertent sharing, such as discussing patient cases in public spaces, or through intentional disclosure without proper consent. Memorial Hermann Health settled a case for over $2 million over an improper disclosure of PHI.
Denying Access to Your Health Records
You have the right to access your medical records and to receive copies on request. This right allows you to check your records for errors and makes sharing them with other providers easier. Cignet Health was penalized over $4 million for delayed responses to records requests.
Exceeding the 60-Day Deadline for Breach Notifications
Data breaches must be reported as soon as possible. There is a 60-day deadline for breach disclosure. Oklahoma State University paid an $875,000 settlement for violating the deadline.
Disposing of PHI Improperly
When your PHI is no longer needed or its retention period has ended, the information must be securely and permanently destroyed. Paper records can be shredded, and digital records must be eliminated with a secure wiping protocol. Simply deleting the data from a computer can be a violation. Parkview Health paid an $800,000 penalty for disposing of PHI improperly.
HIPAA Security Rule
The HIPAA Security Rule focuses on the technical and physical safeguards that entities and business associates must implement to protect electronic PHI (ePHI). It covers access controls, data encryption, audit controls, and contingency planning.
Common Violations of the HIPAA Security Rule
Lack of Risk Assessments
Failing to conduct regular risk assessments is another common violation. Covered entities should regularly assess potential risks and vulnerabilities to their systems and implement appropriate measures to address them effectively. Premera Blue Cross paid nearly $7 million for improper risk assessments.
Failure to Encrypt PHI on Portable Devices
Encryption is not strictly required, but if a business uses neither encryption nor an alternative security measure, you may have a claim for a HIPAA violation. Providers that encrypt PHI are usually immune from HIPAA penalties. Children’s Medical Center of Dallas paid over $3 million for failing to use encryption protocols.
Filing a Complaint
The easiest way to file a complaint is to use the online portal provided by the Office for Civil Rights.
Privacy complaints can also be filed in writing, by email, or by fax.
Security complaints need to be filed by mail using the packet provided by the OCR.
Contact us for more information.