Legal Background

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, protects personally identifiable health information of patients, and specifies to providers how such information may be used. HIPAA has been in effect for about a decade, and in that time, the HHS has received a total of almost 80,000 complaints.

Of those, more than 44,000 were dismissed, 19,000 were investigated and resolved with changes to privacy practice, and 9,000 were investigated but no violations were found. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement.

The top two compliance issues most frequently investigated are impermissible use and disclosure of protected health information and lack of safeguards for protected health information.

When a HIPAA complaint is filed with the HHS, the first determination made is whether there was a possible privacy violation and whether it was of a criminal nature. If it was determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution.

If it was determined that it was not a criminal issue (as in this case) the violation is investigated by the OCR. If it is determined that a HIPAA violation did, in fact, take place, the OCR can either obtain voluntary compliance, corrective action or some other voluntary agreement with the offender, or the OCR can issue a formal finding of violation and force the offender to change its practices.

In this particular case, the office manager and Dr. G recognized the mistake and immediately tried to take corrective action by apologizing to the patient. Dr. G’s office also voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.

Protecting Yourself

This particular scenario was the result of a careless error. While a careless error can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status.

Confidential patient records must be treated with the greatest of care as they contain information of an extremely personal nature. Many HIPAA cases have involved the unintentional divulging of the HIV or AIDS status of a patient.

In a similar case, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. And in a case that took place in a hospital, a nurse and orderly lost their jobs for discussing a patient’s HIV status within earshot of other patients.

A good rule of thumb is to treat a patient’s confidential information as you would want yours to be treated, and then add a little extra security for good measure.