The consequences of violating the Health Insurance Portability and Accountability Act (HIPAA) can be severe. According to the American Medical Association, penalties depend on whether a violation is classed as civil or criminal, and those found to have breached the act face fines or even jail time. It is hardly surprising, therefore, that people providing direct care to patients, and those working in medical coding and billing, can be overly cautious about patient data and what they are allowed to do with it. The experts at Find-A-Code say that this caution often leads people in the medical industry to believe certain myths about HIPAA. Below are a few examples:
- Myth: HIPAA prohibits healthcare providers from sharing any information about a patient.
- Reality: HIPAA permits healthcare providers to share information with other healthcare providers and entities for treatment, payment, and healthcare operations purposes, as well as for public health purposes. Disclosures for research are also possible, but they are subject to additional conditions, such as patient authorization or a waiver approved by an institutional review board or privacy board.
- Myth: HIPAA applies only to healthcare providers.
- Reality: HIPAA applies to any entity that handles protected health information, including healthcare providers, health plans, and healthcare clearinghouses (as well as their business associates).
- Myth: HIPAA requires covered entities to obtain written consent before sharing a patient’s information.
- Reality: HIPAA allows covered entities to share patient information for treatment, payment, and healthcare operations without obtaining written consent. However, covered entities must obtain written authorization from patients before sharing their information for other purposes.
- Myth: HIPAA fines are minor and rarely enforced.
- Reality: HIPAA violations can result in significant civil penalties. The statutory tiers run from $100 to $50,000 per violation, depending on the level of culpability (from "did not know" up to uncorrected willful neglect), with an annual cap per type of violation; the dollar amounts are adjusted for inflation each year. The Department of Health and Human Services Office for Civil Rights (OCR) actively enforces HIPAA, and there have been several high-profile settlements in recent years.
- Myth: HIPAA requires healthcare providers to encrypt all patient data.
- Reality: HIPAA requires covered entities to implement reasonable and appropriate administrative, physical, and technical safeguards to protect patient data. Under the Security Rule, encryption of electronic protected health information is an "addressable" implementation specification: a covered entity must either implement it where reasonable and appropriate or document why it is not and adopt an equivalent alternative measure. In practice, encryption is still strongly advisable, because the loss or theft of unencrypted data is generally a reportable breach, whereas data encrypted in line with HHS guidance is not considered "unsecured" protected health information for breach notification purposes.
- Myth: HIPAA prohibits healthcare providers from using email to communicate with patients.
- Reality: HIPAA allows healthcare providers to communicate with patients via email, but they must take appropriate measures to ensure the security and privacy of patient information. This includes using secure email systems and encrypting sensitive information.
- Myth: HIPAA requires healthcare providers to provide patients with copies of their medical records for free.
- Reality: While patients have the right to access their medical records, healthcare providers may charge a reasonable, cost-based fee for providing copies. That fee may cover the labor of copying, the supplies used to create a paper copy or electronic media, and postage, but not the cost of searching for or retrieving the records.
- Myth: HIPAA requires healthcare providers to obtain a patient’s consent before disclosing their information to law enforcement.
- Reality: HIPAA allows covered entities to disclose patient information to law enforcement without obtaining patient consent in certain circumstances. This could be when required by law or court order, or to identify or locate a suspect, fugitive, or missing person.
- Myth: HIPAA requires healthcare providers to delete a patient’s information upon request.
- Reality: HIPAA gives patients the right to request amendments to their medical records, and covered entities must act on such requests, but HIPAA contains no right to have information deleted. Even where information is shown to be inaccurate or incomplete, the remedy is an amendment or addendum to the record rather than deletion, and record-retention requirements under other laws continue to apply.
- Myth: HIPAA only applies to electronic health records.
- Reality: HIPAA applies to all forms of protected health information, whether in electronic, paper, or oral form.
It is no surprise that those handling patient data are confused or worried about accidental violations. By understanding these and other HIPAA myths and realities, though, healthcare providers and entities can comply with the law without withholding information they are permitted to share, while still protecting patient privacy and security.