Hospitals know their patients’ darkest secrets. They know what they struggle with, what medications they take, their address, the names of their family members, and all sorts of other information that most people like to keep private.
HIPAA law, the Health Insurance Portability and Accountability Act of 1996, protects the trust that patients extend to their doctors.
These rules are there to ensure that medical workers cannot share a patient’s medical records and private information without their consent. They allow patients to feel comfortable seeing their doctors and being honest with them.
But, what happens when a healthcare worker violates a HIPAA privacy rule? Keep reading and we’ll tell you.
What Is HIPAA Training?
The law requires that all healthcare workers go through HIPAA training. In a HIPAA training program, medical workers learn exactly how HIPAA compliance works.
Workers learn which pieces of information are protected under HIPAA. They also learn when it is appropriate to disclose that information. They are also taught the proper methods of keeping patient information secure.
The most vital aspects of patient privacy are in the HIPAA Security and Privacy Rules. These aspects include:
- Keeping electronic health information confidential and available
- Recognizing security threats and keeping them at bay
- Protecting against inappropriate use and access of medical records
- Ensuring that medical information gets disclosed to those who need it
- Obtaining proper consent from a patient before disclosing information
Employees can’t observe HIPAA compliance if they aren’t properly trained. If a hospital does not provide proper HIPAA training, it is more liable in case of a privacy breach.
What Is HIPAA Certification?
All healthcare organizations have the option of becoming HIPAA certified. Organizations do this by hiring a third party to audit their policies and practices.
There is no legally recognized provider of HIPAA certifications, and healthcare organizations are not required to take this step.
The most important aspect of HIPAA compliance is making sure every employee completes their training. Employees who are mostly exposed to bloodborne pathogens (BBP) or other infectious diseases must also complete a bloodborne pathogens training certification. The hospital must also keep copies of their training certificates on file.
When Employees Break HIPAA Law
An employee of the Aultman Health Foundation in Ohio was recently terminated for inappropriately accessing patient files. The employee engaged in this behavior for almost twelve years before they got caught.
The employee was not a doctor but did have access to patient records as part of their administrative role at Aultman.
However, the employee was accessing records that were irrelevant to their duties. They accessed names, addresses, social security numbers, and medical records without the knowledge or consent of those patients.
All of these pieces of information are Protected Health Information under HIPAA. Inappropriate handling of that information is a gross violation of the act.
This failure to comply with HIPAA laws reflects poorly on both the hospital and the employee. More importantly, however, it puts patients at risk.
On Friday, June 25th, 2021, the hospital announced that there had been a privacy breach in over 7,000 of their patient records.
The employee’s access to those records was immediately suspended pending an investigation. They were later terminated from their position.
The Aultman Health Foundation sent out letters to all patients whose records the employee accessed inappropriately. These patients were undoubtedly confused and disturbed by the news.
As of now, Aultman claims that there is no evidence that the employee misused or redistributed the files.
However, it is the lack of security that is most troubling. If this employee was violating HIPAA regulations for over a decade without getting noticed, how are patients to know that all the evidence of these crimes has been found?
The employee is currently not facing criminal charges. However, it wouldn’t be surprising if many of the foundation’s patients are now seeking treatment elsewhere.
Aultman is now implementing additional training for their employees and stricter measures to keep their system secure.
Other Recent Cases
Unfortunately, the security breach at the Aultman Health Foundation was not an isolated issue. In 2021, many other medical providers around the United States have discovered HIPAA violations in their midst.
Montefiore Medical Center
The Montefiore Medical Center in New York recently stated that one of their employees was viewing patient files without authorization for over a year.
This is the third incident of its kind at the Montefiore Medical Center. Two other staff members violated the HIPAA security rules in 2020. One of those employees stole personal information from over 4,000 patients.
The most recent offender was fired and may face criminal charges.
Village Plastic Surgery
Not all HIPAA violations involve breaches of privacy, but the other kinds are still taken seriously by the law. Village Plastic Surgery of New Jersey learned that lesson in March.
One patient requested their records from Village Plastic Surgery and did not receive them within the legally required time limit of 30 days. They filed a complaint, and the practice ended up paying a $30,000 fine.
One of the rights guaranteed to patients under HIPAA is the right to access their medical records. When a hospital fails to provide records, they are breaking the law.
Irresponsible healthcare workers are only one of the risks that patient information faces. In 2020, 67% of healthcare data breaches were the result of hacking.
The number of hacking-related breaches in the medical field has been rising steadily for the past several years. Reported breaches nearly doubled between 2019 and 2020.
One important responsibility that healthcare organizations have under HIPAA is the protection of their electronic files against potential hackers.
This is outlined in the HIPAA Security Rule and must be taken seriously in the present moment even more than ever before.
What to Do When Rights Are Violated
If medical records are mishandled, patients are fully justified in taking action against their healthcare provider. When a doctor informs you of your rights under HIPAA, you have both entered into a legally binding contract.
What action you can take, however, depends on the specific incident.
Many HIPAA violations are accidental and do no harm to the patient. For example, if a healthcare worker accidentally opens the wrong file for a brief moment, that is a HIPAA violation (but it is not a severe one).
The worker did not intentionally access an unauthorized file, and they will do nothing with whatever information they happened to see. That patient would most likely not be able to take legal action.
However, legal action should occur if a doctor intentionally accesses files inappropriately and uses that information to harm patients in any way.
Your first step should be to file a complaint within your healthcare organization. If a particular worker is at fault, the organization can investigate that person. They will decide whether or not they should be terminated from their position.
What if a security breach comes from hackers or a fault in their computer system? The organization can adopt a better system for securing electronic files.
You may have grounds for a lawsuit if someone at a hospital intentionally uses your personal information in an unauthorized way. That depends on whether the incident caused you provable harm.
Chances are that if that is happening to you, it is happening to other patients too. If you suspect this may be the case, you should file a complaint with the Office for Civil Rights.
Know Your HIPAA Rights
You can’t always know when a HIPAA violation will occur. However, there are a few things that you can look out for to make sure that your healthcare provider is following the law.
Your doctor should always notify you of your HIPAA rights. This should happen at your first appointment with a new healthcare provider. If you don’t receive a notice of your rights, that is a red flag.
Keep track of which consent forms you sign at the doctor. When you see a new doctor, they must obtain your consent to treat you, store your medical records, and disclose them to any other parties.
If the hospital needs to transfer your records from another practice, you must also consent to that.
If you use telehealth services, you must consent to electronic treatment. Any virtual health provider that does not provide this consent form may not be reputable.
If you are over 18 years of age and able to make medical decisions on your own behalf, your doctor may not discuss your treatment with anyone except you.
In general, HIPAA forbids your doctor from discussing your personal information with your family, spouse, or friends. There are only a few exceptions to this rule.
Transparency is key. If you feel confused about any aspect of your HIPAA rights, ask your doctor. They are legally required to be knowledgeable of these rules and to clearly disclose them to you.
Get Proper HIPAA Training
As a healthcare provider, proper HIPAA Training will make sure your institution retains its patients. Don’t wait to seek out a training course.
Your patients and your staff will thank you.