In the daily shuffle of evaluating patients and focusing on the delivery of high-quality patient care, the importance of protecting patient information may get overlooked. Human error is just one possible way patient information can be compromised. Cybersecurity attacks are becoming more numerous and sophisticated every day, with the number of patient records compromised increasing. This trend is expected to continue as practices increase their use of digital technology and social media, and use patient information in ways never anticipated. As a result, practices need to take a proactive approach to safeguarding patient information.
What Is PHI?
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), identifiable patient information is referred to as protected health information (PHI). PHI is defined as individually identifiable health information that is transmitted or maintained by electronic media or in any other form or medium.
Individually identifiable health information is information (including demographic information) created or received by a covered entity that relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The general rule is that, except as expressly permitted or required by HIPAA, a covered entity may not use or disclose PHI without valid authorization. In certain circumstances, patient authorization is not required to disclose PHI, including:
- Disclosures required by law;
- Uses and disclosures for public health activities;
- Disclosures about victims of abuse, neglect or domestic violence;
- Uses and disclosures for health oversight activities;
- Disclosures for judicial and administrative proceedings or law enforcement purposes;
- Uses and disclosures about decedents or for cadaveric organ, eye or tissue donation purposes;
- Uses and disclosures for research purposes;
- Uses and disclosures to avert a serious threat to health or safety;
- Uses and disclosures for specialized government functions; and
- Disclosures for workers' compensation.
To disclose PHI without patient authorization pursuant to one of the listed exceptions, the disclosure must satisfy each of the required elements permitting the disclosure. Failure to do so will result in an unauthorized use or disclosure in violation of HIPAA.
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is the agency tasked with enforcing HIPAA. In April 2019, the maximum penalty for a HIPAA violation was reduced. Despite this, the OCR maintains an aggressive enforcement policy for privacy incidents, and investigations may take several years.
In addition to OCR investigations, a growing number of states are conducting their own investigations of security incidents that run afoul of state privacy laws and regulations.
Finally, although HIPAA does not afford victims a private cause of action, class action lawsuits filed under state and other federal laws by victims of security incidents are increasing.