
In the HIPAA world, just because you can, doesn’t mean you should – unless you’re keen on trading your business casual for prison orange. No one expects that a HIPAA violation will send them to jail, but there can be serious criminal penalties associated with HIPAA breaches, ranging from fines to imprisonment. Today, we will share real-life examples of how some people misinterpret their rights to access patient records.
In this episode:
Just Because You Can Does NOT Mean You Should – Ep 467
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[10:51] Criminal penalties for HIPAA violations. We’ve said it before and we will say it again – you can go to prison over a HIPAA violation. The criminal provision (42 U.S.C. § 1320d-6) applies when someone knowingly obtains or discloses individually identifiable health information in violation of HIPAA, and the penalties scale with intent:
- Knowingly obtaining or disclosing PHI: a fine of up to $50,000 and up to 1 year in prison.
- Under false pretenses: a fine of up to $100,000 and up to 5 years in prison.
- With intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to 10 years in prison.
These criminal cases are brought by the Department of Justice. They are separate from the civil money penalties OCR imposes, whose tiers (did not know, reasonable cause, willful neglect) are the ones most people have heard of.
Just Because You Can Does NOT Mean You Should
[13:40] I recently received a couple of questions on Quora about people seeing medical records without the patient’s knowledge. I don’t think people truly understand just how many people have legal access to your records under HIPAA. There are so many that it is overwhelming for most people once they understand it. Let’s explain what HIPAA allows by default and how you could limit it, somewhat.
That thing that you sign:
The law requires covered entities (CEs) that treat you directly to make a good-faith effort to get you to confirm in writing that you received the Notice of Privacy Practices.
- The law does not require you to sign the “acknowledgement of receipt of the notice.”
- Signing does not mean that you have agreed to any special uses or disclosures (sharing) of your health records.
- Refusing to sign the acknowledgement does not prevent a provider or plan from using or disclosing health information as HIPAA permits.
- If you refuse to sign the acknowledgement, the provider must keep a record of this fact.
Basically, they have to ask you to sign it, you don’t have to sign it, and they have to note it if you don’t sign it. End of exchange. Signing it basically means nothing, which is why it should be removed from our to-do list!
What does HIPAA allow CEs and business associates (BAs) to do with your record?
Per the HHS site: Notice of Privacy Practices for Protected Health Information | HHS.gov
Covered entities are required to provide a notice in plain language that describes:
- How the covered entity may use and disclose protected health information about an individual.
- The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity.
- The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information.
- Whom individuals can contact for further information about the covered entity’s privacy policies.
You should be able to find it easily on their website. But often I have to search around to find it.
Here is an example of one: Your Information. Your Rights. Our Responsibilities.
Just because you can
[23:22] That being said, for all of you with that access out there, let me say this: just because you can does NOT mean you should access those records. Using or disclosing a record must be part of your job duties at the time you do it. Using a record means accessing it, even just looking at it. Disclosing a record means telling or showing its contents to anyone who isn’t allowed access to that specific record on their own. For example:
Gossip
When you find out a patient has some horrible thing happen to them – you do not have the option of telling all the others around you in the office. Gossip is not an acceptable reason for disclosure.
Amusement or outrage
A patient writes a message to the office in their portal account and something in there is outrageous or funny. That is not something you get to share, and even if you do have the rights to see it for some reason, it is not something you discuss with the patient!
Outsourcing
[31:30] You don’t get to outsource your JOB! A news story popped up recently where staff were fired because they had hired someone else to help out with their job: “Mass. General Brigham employees allowed unauthorized persons to view patient info, health group says.” There was another one like this years ago where a case manager posted a job for admin help on Facebook. The person they hired happened to be a law student and reported the situation once they received their first batch of work!
Dating
And you DEFINITELY do not get to access records of people you used to date, plan to date, hope to date or ARE dating!
Dr. Gabriel Hernandez Roman pled guilty to wrongfully obtaining health information, thereby violating HIPAA, and awaits sentencing. In the articles he is often referenced as having been named one of the “Sexiest Doctors.”
Dr. Gabriel Hernandez Roman admitted to lying about the HIPAA violations. Specifically, he initially provided a false justification for sending the photograph, claiming it was to remind his mother about a medical condition. He later admitted this was untrue, acknowledging that his actions were unauthorized and inappropriate.
It is shocking for some to learn just how much sharing is built into HIPAA. But, it is also shocking to see just how many people will blatantly disregard their obligations to protect and respect patient privacy. Come on man!
Think of HIPAA compliance like driving with your headlights on – staying vigilant keeps you and everyone else safe. Patient privacy matters. Your access to information is a privilege, not a free pass to snoop. Stay informed, stay compliant, and keep those gossip sessions out of the office.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.


