In 1996, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA), which includes provisions on health care and insurance. Title I of HIPAA addresses health insurance coverage, while Title II regulates, among other things, patient privacy. Title II brought about major changes in health care administration in the US and changed the way patient health records are managed. Health care workers or other individuals who fail to follow any of these rules commit a HIPAA violation, which can carry both civil and criminal penalties.
The Title II rules that protect patient information are implemented mainly through the Privacy Rule and the Security Rule, and the Security Rule organizes its safeguards into administrative, physical, and technical categories. The administrative safeguards require every covered organization to designate an individual to take charge of patient privacy and security and to ensure that HIPAA regulations are followed. This category also covers employee training, agreements with third parties who may view patient records, and policies for handling a security breach. Organizations that fail to designate someone to manage HIPAA requirements may be guilty of a HIPAA violation and could be subject to penalties, and any failure to implement the required administrative policies could represent an additional HIPAA violation.
In terms of physical safeguards, health care organizations must keep patient files in locked, controlled storage in order to avoid a potential HIPAA violation. The organizations must keep these files away from the public and should ensure that access is granted only on a need-to-know basis. For example, an employee who snoops into files that he or she does not need to see to perform the job could be guilty of a HIPAA violation. This category also requires organizations to dispose of files safely and securely when they are no longer needed.
To avoid a technical HIPAA violation, organizations must control access to electronic patient health records. Encrypting stored and transmitted records is an addressable specification under the Security Rule, which means an organization must either implement it or document why an equivalent alternative is adequate; in practice, encryption is the expected approach. Access must be limited to authenticated users who need it, and each user must be given a unique identifier and credential rather than a shared password, so that audit logs can show exactly who accessed a specific record. A password known to a whole department makes that attribution impossible and defeats the purpose of the audit trail.
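The need-to-know rule from the physical safeguards and the per-user attribution from the technical safeguards only pay off if someone actually reviews the audit trail. As an added example (not part of the original article), the following Python checks a constructed EHR access log against a hypothetical care-team roster: it flags accesses to records a user is not assigned to, counts distinct out-of-scope records per user to surface browsing patterns, and reports accesses made under a shared account as unattributable. The event format, the roster, the account names, the sample log and the threshold are all assumptions made for the example.

```python
"""Access-audit check for need-to-know violations in an EHR audit trail.

Added example, not from the original article. Assumes a hypothetical
audit log in which each record access carries an individual user ID,
a patient record ID and a timestamp, plus a hypothetical care-team
roster mapping each user to the patients they are assigned to.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Logins shared by several people rather than tied to one person (assumed
# name). HIPAA's unique-user-identification requirement exists so that this
# set is empty: an access logged under such an account cannot be attributed.
SHARED_ACCOUNTS = {"frontdesk"}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    patient_id: str
    timestamp: datetime


# Constructed care-team roster (hypothetical): user -> assigned patients.
CARE_TEAM = {
    "dr_lee": {"P001", "P002"},
    "nurse_kim": {"P001", "P003"},
    "clerk_ray": {"P004"},
}

# Constructed audit log (hypothetical data). clerk_ray browses records well
# outside their assignment; frontdesk is a shared login.
SAMPLE_LOG = [
    AccessEvent("dr_lee", "P001", datetime(2024, 3, 1, 9, 0)),
    AccessEvent("nurse_kim", "P003", datetime(2024, 3, 1, 9, 5)),
    AccessEvent("clerk_ray", "P004", datetime(2024, 3, 1, 9, 10)),
    AccessEvent("clerk_ray", "P001", datetime(2024, 3, 1, 9, 11)),
    AccessEvent("clerk_ray", "P002", datetime(2024, 3, 1, 9, 12)),
    AccessEvent("clerk_ray", "P003", datetime(2024, 3, 1, 9, 13)),
    AccessEvent("clerk_ray", "P005", datetime(2024, 3, 1, 9, 14)),
    AccessEvent("frontdesk", "P002", datetime(2024, 3, 1, 9, 20)),
]


def out_of_scope_accesses(events, care_team):
    """Return events where a named user opened a record not on their care team.

    Shared-account events are left out here and reported separately, because
    there is no individual to hold accountable for them.
    """
    return [
        e for e in events
        if e.user not in SHARED_ACCOUNTS
        and e.patient_id not in care_team.get(e.user, set())
    ]


def unattributable_accesses(events):
    """Return events logged under a shared account: a finding in itself."""
    return [e for e in events if e.user in SHARED_ACCOUNTS]


def snooping_suspects(events, care_team, threshold=3):
    """Map user -> number of distinct out-of-scope records, for users at or
    above the threshold.

    A single out-of-scope access may be a legitimate consult; a run of them
    across many different patients is the pattern behind 'looked up hundreds
    of records' cases, so the count is of distinct patients, not events.
    """
    distinct = defaultdict(set)
    for e in out_of_scope_accesses(events, care_team):
        distinct[e.user].add(e.patient_id)
    return {u: len(p) for u, p in distinct.items() if len(p) >= threshold}


def audit_report(events=SAMPLE_LOG, care_team=CARE_TEAM):
    """Summarise the three checks into one dict suitable for review or alerting."""
    return {
        "out_of_scope": len(out_of_scope_accesses(events, care_team)),
        "unattributable": len(unattributable_accesses(events)),
        "suspects": snooping_suspects(events, care_team),
    }


if __name__ == "__main__":
    print(audit_report())
```

Running the script on the constructed log reports four out-of-scope accesses, one unattributable access, and clerk_ray as the only suspect (four distinct records outside the assigned caseload). In a real deployment the roster would come from the scheduling or treatment-relationship system and the threshold would be tuned to the role, since a ward nurse legitimately touches more charts than a billing clerk.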
Penalties for a HIPAA violation cover both intentional and unintentional violations, including those caused by simple neglect. Civil penalties are tiered by the level of culpability and are assessed per violation, with an annual cap of $1.5 million US Dollars (USD) for violations of the same provision (the caps are periodically adjusted for inflation). Criminal penalties apply when someone knowingly obtains or discloses protected health information: a fine of up to $50,000 USD and up to one year in prison for a basic offense, rising to $100,000 USD and up to five years if the offense is committed under false pretenses, and to $250,000 USD and up to ten years if the information is obtained with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.
I had read about a Californian who received 4 months in prison and was said to have been the first person ever to go to prison for a HIPAA violation. He had gone to prison seemingly for the number of times he violated HIPAA; he had looked up something like three hundred and something different medical records!
Luckily he had not done anything with the medical records. It seems there were also celebrities' records he had looked up, so it was thought that he might have intended to leak the news, but he had not done so.
It made me want to learn more about HIPAA to see what else it covered in patient rights for privacy.
When I was first starting out in speech therapy school, I thought my professor was a little overly cautious with the clients' information, as she took it from a school to our clinic in a locked file holder.
I quickly learned, however, about HIPAA (pronounced like SCUBA, by saying the letters together as a word) and was appreciative of the laws when I learned about them. The laws really have the patient's privacy in their best interest.
Has anyone ever actually been sent to prison for HIPAA violations?