The Rheumatologist

Legal Updates: Tips for Protecting Your Patients’ Health Information

December 18, 2019 • By Steven M. Harris, Esq.


In the daily shuffle of evaluating patients and focusing on the delivery of high-quality patient care, the importance of protecting patient information may get overlooked. Human error is just one possible way patient information can be compromised. Cybersecurity attacks are becoming more numerous and sophisticated every day, and the number of patient records compromised is increasing. This trend is expected to continue as practices increase their use of digital technology and social media, and use patient information in ways never anticipated. As a result, practices need to take a proactive approach to safeguarding patient information.


What Is PHI?

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), identifiable patient information is referred to as protected health information (PHI). PHI is defined as individually identifiable health information that is transmitted or maintained by electronic media or in any other form or medium.


Individually identifiable health information is information (including demographic information) created or received by a covered entity and that relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and that identifies the individual, or with respect to which, there is a reasonable basis to believe the information can be used to identify the individual.

The general rule is that, except as expressly permitted or required by HIPAA, a covered entity may not use or disclose PHI without valid authorization. In certain circumstances, patient authorization is not required to disclose PHI, including:

  • Disclosures required by law;
  • Uses and disclosures for public health activities;
  • Disclosures about victims of abuse, neglect or domestic violence;
  • Uses and disclosures for health oversight activities;
  • Disclosures for judicial and administrative proceedings or law enforcement purposes;
  • Uses and disclosures about decedents or for cadaveric organ, eye or tissue donation purposes;
  • Uses and disclosures for research purposes;
  • Uses and disclosures to avert a serious threat to health or safety;
  • Uses and disclosures for specialized government functions; and
  • Disclosures for workers’ compensation.

To disclose PHI without patient authorization pursuant to one of the listed exceptions, the disclosure must satisfy each of the required elements permitting the disclosure. Failure to do so will result in an unauthorized use or disclosure in violation of HIPAA.

Enforcement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is the agency tasked with enforcing HIPAA. In April 2019, the maximum penalty for a HIPAA violation was reduced. Despite this, the OCR maintains an aggressive enforcement policy for privacy incidents, and investigations may take several years.

In addition to OCR investigations, an increasing number of states are conducting their own investigations of security incidents that run afoul of state privacy laws and regulations.


Finally, although HIPAA does not afford victims a private cause of action, class action lawsuits filed under state and other federal laws by victims of security incidents are increasing.


Filed Under: Legal
Tagged With: HIPAA, protected health information
Issue: December 2019


The Rheumatologist newsmagazine reports on issues and trends in the management and treatment of rheumatic diseases. The Rheumatologist reaches 11,500 rheumatologists, internists, orthopedic surgeons, nurse practitioners, physician assistants, nurses, and other healthcare professionals who practice, research, or teach in the field of rheumatology.


Copyright © 2006–2022 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)