HIPAA Advice

What to Do if You Discover a HIPAA Violation in the Workplace

Posted by HIPAA Journal

If you discover a HIPAA violation in the workplace, what you should do depends on the nature of the violation, whether or not unsecured PHI has been impermissibly disclosed, and what the potential consequences are.

You suspect there has been a HIPAA violation in the workplace, should you report the violation? If so, how should you report the potential violation and who needs to be told?

Is it Necessary to Report a HIPAA Violation in the Workplace?

If you think you have accidentally violated HIPAA Rules or you believe a work colleague or your employer is failing to comply with the HIPAA Rules, the potential violation(s) should be reported.

Since the publication of the HIPAA Enforcement Rule, HIPAA-covered entities can be financially penalized for HIPAA violations. If an uncorrected HIPAA violation is discovered during an investigation of a complaint, a data breach, or HIPAA audit, HHS’ Office for Civil Rights (OCR) may choose to pursue a financial settlement to resolve the violation. Such actions are far less likely when a violation has been discovered internally and corrected to prevent a recurrence.

If a patient’s privacy has been violated, by reporting the violation internally you will allow your employer to take steps to reduce the potential for further harm and will be helping to ensure that similar incidents do not occur in the future.

Who Should be Notified About a Potential HIPAA Violation?

Healthcare employees who discover a HIPAA violation in the workplace should report the incident to their supervisor or their HIPAA Privacy Officer in the first instance. The HIPAA Privacy Officer will need to be notified of any HIPAA compliance failure as an investigation will need to be conducted, which should include a risk assessment.

The risk assessment will help the Privacy Officer determine whether the violation is a reportable incident. Not all internal violations of HIPAA Rules need to be reported, but the failure to notify the patient and OCR of a reportable breach of unsecured PHI could result in a financial penalty.

Action should also be taken to ensure that the cause of the breach is corrected. That may require updates to policies and procedures and/or further staff training.

There have been cases of employees reporting HIPAA violations internally only for no actions to appear to be taken to address the issue. In such cases, the matter can be escalated and a complaint filed with the HHS’ Office for Civil Rights – the main enforcer of the HIPAA Rules.

How long do you have to report a HIPAA violation?

HIPAA violations should be reported internally immediately. Employees and patients have the option to bypass notifying the Covered Entity and directly file a HIPAA complaint with the Office for Civil Rights (OCR) under the Department of Health and Human Services (HHS) if they believe that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules. This is especially applicable in cases of serious violations, potential criminal violations, willful/widespread neglect of HIPAA Rules, or multiple suspected violations. The OCR provides various channels for submitting HIPAA complaints, including their Complaint Page, fax, mail, or email. When filing a complaint, it is important to provide details such as the reason for the complaint, the potential violation, information about the Covered Entity or Business Associate involved, the suspected date and location of the violation, and the date when the complainant became aware of the possible violation. Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted with good cause. While anonymous complaints are accepted, it is important to note that OCR requires name and contact information for investigation purposes. All complaints will be reviewed, and investigations will be initiated if there are suspected violations of HIPAA Rules and the complaint is filed within the designated timeframe.

Do HIPAA violations have to be reported?

While HIPAA does not explicitly require individuals or organizations to report every single HIPAA violation they encounter, there are certain circumstances where reporting is mandatory or strongly encouraged. Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, are required to report breaches of unsecured protected health information (PHI) to the affected individuals, the Department of Health and Human Services (HHS), and in some cases, the media. Additionally, business associates, who are third-party entities that handle PHI on behalf of covered entities, are required to report breaches of PHI to the covered entity. Apart from breach reporting, it is generally recommended that individuals and organizations report HIPAA violations to the appropriate authorities. This helps to ensure compliance with HIPAA regulations, protect patient privacy and security, and prevent further violations. Reporting can be done to the covered entity’s privacy officer or the Office for Civil Rights (OCR) within HHS, which is responsible for enforcing HIPAA. Certain states may have additional reporting requirements or regulations that apply in conjunction with HIPAA. Therefore, it is advisable to consult state-specific laws and regulations to determine the reporting obligations in a particular jurisdiction.

Examples of HIPAA Violations by Employers

HIPAA Violation Description
Improper Access to Employee Health Information Employers accessing and reviewing the medical records or health information of their employees without a legitimate need or proper authorization.
Inadequate Safeguards for Employee Health Information Employers failing to implement appropriate security measures to protect the confidentiality and integrity of employee health information, such as storing health records in an insecure location or failing to secure electronic health systems.
Unauthorized Disclosure of Employee Health Information Employers sharing an employee’s medical condition, treatment details, or other sensitive health information with individuals who are not involved in the employee’s healthcare or have a legitimate reason to access that information.
Retaliation against Employees Employers retaliating against employees for exercising their rights under HIPAA, such as filing a complaint or reporting a violation.
Insufficient Employee Training Employers neglecting to provide adequate training and education to employees on HIPAA regulations and the proper handling of employee health information, leading to unintentional violations.
Improper Use of Employee Health Information Employers using employee health information for purposes unrelated to healthcare, such as making employment decisions based on an employee’s health condition or sharing health information for non-work-related reasons.
Lack of Written Policies and Procedures Employers failing to establish and maintain written policies and procedures outlining how employee health information should be handled, safeguarded, and disclosed, as required by HIPAA.

Filing a Complaint with the HHS’ Office for Civil Rights

OCR investigates complaints about potential HIPAA violations, but only if the complainant provides their name and contact details. Complaints can be submitted anonymously, although it is unlikely any further action will be taken. While many employees may be reluctant to provide such information, healthcare organizations are not permitted to take retaliatory action against individuals who report a HIPAA violation in the workplace.

Financial penalties for HIPAA violations are typically only issued when there has been a willful violation of the HIPAA Rules, although penalties are possible for violations that have occurred through negligence or ongoing compliance failures. However, in many cases, HIPAA violations are resolved through voluntary compliance or by OCR providing technical assistance.

FAQs about Reporting a HIPAA Violation in the Workplace

What happens if I am not an employee, but I see a HIPAA violation in the workplace?

If you are not an employee, but you see a HIPAA violation in the workplace, what happens depends on whether you are a member of a covered entity´s or business associate´s workforce (see definition of workforce in §160.103), or if you are a member of the public (i.e., patient, visitor, etc.).

If you are a member of a covered entity´s or business associate´s workforce, you should report the violation to your immediate manager or supervisor. If you feel your report is not acted on, you can escalate it to the organization´s HIPAA Privacy Officer or HHS´ Office for Civil Rights.

If you are a member of the public, you can raise the issue with the organization´s HIPAA Privacy Officer or HHS´ Office for Civil Rights. The contact details of the organization’s Privacy Officer is on the organization´s Notice of Privacy Practices and website, or you can contact HHS´ Office for Civil Rights via any of the methods explained on this link.

When I raised a violation concern with my supervisor, I was told HIPAA did not apply. Can this be true?

If you have raised a violation concern with your supervisor and been told HIPAA does not apply, there could be several reasons for this. HIPAA may not apply due to the nature of the organization’s operations. For example, not all healthcare providers qualify as HIPAA covered entities; and, even when they do, other federal and state laws may preempt HIPAA (i.e., FERPA, Texas HB300, etc.).

HIPAA may not apply because the nature of information disclosed is not covered by HIPAA (not all patient information is “protected”) or because the disclosure is permitted by the HIPAA Rule even though it appears it shouldn’t be – for example, to an employer who needs information about a patient’s illness or injury to comply with OSHA reporting requirements.

Your best course of action is to ask your supervisor why HIPAA doesn´t apply to the suspected violation and use a third party source to confirm the supervisor´s response. It may be the case your supervisor is misinformed about when HIPAA applies, and your violation concern may have to be escalated to the HIPAA Privacy Officer.

Should reporting violations be included in HIPAA training?

The process for reporting violations should be included in HIPAA training when the organization you work for is subject to any of the HIPAA Privacy, Security, or Breach Notification Rules. This not only means covered entities (who are required to provide training on “policies and procedures with respect of PHI”) but also business associates (to whom the Security Rule applies) and vendors of personal health apps who are required to comply with the Breach Notification Rule.

Why doesn´t HHS´ Office for Civil Rights investigate anonymous reports?

HHS´ Office for Civil Rights does not investigate anonymous reports because it could lead to an increase in false reports and unjustified or malicious complaints – stretching the agency’s resources and potentially reducing the amount of technical assistance available for organizations that need it.

Additionally, the Privacy Rule protects genuine complainants from retaliation. Under §160.316, a covered entity or business associate “may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person” who:

  • Files a complaint or reports a HIPAA violation,
  • Assists in an investigation into the complaint/report, or
  • Refuses to take an action that would violate HIPAA.

How do I go about reporting a whole team that is not compliant with HIPAA?

Reporting a whole team that is not compliant with HIPAA can be complicated because sometimes teams take short cuts with HIPAA compliance “to get the job done” and when the short cuts are allowed to continue, a “culture of non-compliance” can develop. In such circumstances, it is a good idea to initially report your concerns to a supervisor or escalate them to the Privacy Officer if you have concerns reporting them to a supervisor may affect your standing among your colleagues.

What is a HIPAA violation in the workplace?

A HIPAA violation in the workplace is any failure to comply with the standards and implementation specifications of the HIPAA Administrative Simplification Rules (i.e., the Privacy, Security, and Breach Notification Rules) when the workplace is controlled by an entity subject to the Health Insurance Portability and Accountability Act of 1996.

Entities subject to HIPAA include – but are not limited to – health plans, health care clearinghouses, and most healthcare providers (collectively known as “Covered Entities”), third-party businesses that provide a service for or on behalf of a Covered Entity (collectively known as “Business Associates”), subcontractors of Business Associates, and vendors of some personal health devices.

Is HIPAA violation reporting mandatory in all workplaces?

Whether HIPAA violation reporting is mandatory in all workplaces depends on the policies developed and implemented by the Covered Entity or Business Associate in control of the workplace. Generally, HIPAA violation reporting to an organization’s Privacy Officer is mandatory for certain types of violation, while minor violations that do not result in an impermissible disclosure of PHI or breach of unsecured PHI might be dealt with by a manager or supervisor.

When a HIPAA violation does result in an impermissible disclosure of PHI or a breach of unsecured PHI, Covered Entities and Business Associates are required to report the breach to affected individuals and to HHS´ Office for Civil Rights. Some states also have mandatory HIPAA violation reporting requirements; and, in these states, reports have to be made to the state Attorney General. Additionally. HIPAA requires Business Associates to report all “security events” to the Covered Entity whether they result in an impermissible disclosure/breach of PHI or not.

Are there any examples of HIPAA violations by employers?

There are many examples of HIPAA violations by employers when the word “employer” relates to a Covered Entity or Business Associate and the “employer” has failed to train staff on HIPAA-compliant privacy policies or implement appropriate safeguards to protect the confidentiality, integrity, and availability of electronic PHI. You will find a wide selection on HHS´ Breach Report.

However, when the word “employer” relates to a business in its role as an employer, it is important to be aware that HIPAA does not apply (other than when an employer administers a self-sponsored health plan). Therefore, when an employer maintains health information about employees (for example, in an HR role), Privacy Rule protections do not apply; and, if the health information is disclosed without an employee’s authorization, it is not a violation of HIPAA.

If you believe a privacy violation has taken place, who should you report it to?

If you believe a privacy violation has taken place, you should report it to your organization’s Compliance Officer. If the privacy violation involves an impermissible disclosure of health information, and the organization you work for is covered by the HIPAA Privacy Rule, it is important to make the Compliance Officer aware of this because it is a notifiable breach of PHI.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation depends on the nature of the violation, organizational policies, whether or not the violation involves the impermissible disclosure of PHI or a breach of unsecured PHI, and – if so – the state the violation occurred in.

All Covered Entities (and some Business Associates) are required to develop and implement policies and procedures to comply with the Privacy Rule. The policies and procedures will determine whether a HIPAA violation is reportable and how long a member of the workforce has to report it.

Some organizations may choose to limit which violations are reported to reduce the workload on Privacy Officers. Therefore, an innocuous violation (i.e., the failure to document a patient’s consent to notify family members of their hospitalization) might be dealt with at supervisor level.

If the HIPAA violation involves an impermissible disclosure of PHI or a breach of unsecured PHI, the violation should be reported to the Privacy and/or Security Officer as quickly as possible to mitigate the impact of the violation (regardless of any time limits stipulated in an organizational policy).

Thereafter, the Privacy Officer has 60 days to notify the affected individual(s) and – if a breach affects more than 500 individuals – HHS´ Office for Civil Rights. However, some states have much shorter notification periods; and although many states exempt HIPAA Covered Entities from their Breach Notification laws, they do not always exempt breaches attributable to a Business Associate.

If you witness a HIPAA violation at work, what should you do?

If you witness a HIPAA violation at work, you should report it to your supervisor or manager; or, if this is impractical, to your organization’s Privacy Officer. Many workplaces have implemented anonymous channels of communication for reporting HIPAA violations, and this may save you the embarrassment of being confronted by a work colleague who has been sanctioned for the violation.

How do you report HIPAA violations?

How you report HIPAA violations can depend on whether you are a member of a Covered Entity´s workforce, or a patient or plan member. This is because some Covered Entity´s implement policies stipulating that HIPAA violations in the workplace must be reported by staff members to a specific individual – often the organization’s Privacy Officer.

If such policies apply, you should only contact HHS´ Office for Civil Rights if the Privacy Officer fails to act on the report or you are retaliated against for making a report. HIPAA´s General Administrative Requirements prohibit Covered Entities from intimidation, discrimination, and retaliation if a member of the workforce files a complaint or supports a compliance investigation.

Patients and plan members also have this option, but can – if they wish – report HIPAA violations to their state Attorney General or HHS´ Office for Civil Rights without first reporting a HIPAA violating to the Privacy Officer. Again, the Covered Entity is prohibited from intimidation, discrimination, and retaliation for filing a complaint with HHS´ Office for Civil Rights.

Is there a HIPAA violation reporting reward?

There is no HIPAA violation reporting reward available from HHS´ Office for Civil Rights. However, nothing in the text of HIPAA prevents Covered Entities and Business Associates from implementing a reward system. Indeed, a HIPAA violation reporting reward system could encourage members of the workforce to report HIPAA violations and help support a compliant workforce.

What should you do if you think your policies conflict with HIPAA?

What you should do if you think your policies conflict with HIPAA depends on whether you represent a Covered Entity (i.e., a Privacy Officer) or are a member of a Covered Entity´s workforce. If you represent a Covered Entity, you should seek professional compliance advice and amend your policies to align with HIPAA or any state laws that preempt HIPAA.

If you are a member of a Covered Entity’s workforce, you should raise your concerns with your organization’s Privacy Officer. In such cases, you are not required to comply with organizational policies that conflict with HIPAA (although it may be in your professional best interest to do so), and your employer is not allowed to sanction you for non-compliance with conflicting policies.

Section 45 CFR §160.316 of the General Administrative Requirements states:

“A covered entity may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for […] opposing any act or practice made unlawful by this subchapter, provided the individual has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 [the Privacy Rule].”

What is a medical assistant’s responsibility if they witness a violation of HIPAA?

A medical assistant’s responsibility if they witness a violation of HIPAA depends on the content of the HIPAA violation reporting policy implemented by their employer. Depending on the nature of the violation, the medical assistant may be required to report the violation of HIPAA to a supervisor or manager, or to their organization´s HIPAA Privacy Officer.

The post What to Do if You Discover a HIPAA Violation in the Workplace appeared first on HIPAA Journal.

What is Considered Protected Health Information Under HIPAA?

Posted by HIPAA Journal

Health, treatment, or payment information, and any identifiers maintained with this information, is considered Protected Health Information under HIPAA if the information is created, received, maintained, or transmitted by a “covered entity” or by a “business associate”.

However, because there are times when a covered entity might not maintain identifying information with health, treatment, or payment information, there is no definitive list of what is considered Protected Health Information under HIPAA.

A lack of understanding about what is considered Protected Health Information under HIPAA is one of the primary reasons for HIPAA-related complaints to HHS´ Office for Civil Rights.

Protected Health Information ChecklistThis is not surprising, as there are times when the same information can be both protected and non-protected depending on how it is maintained.

This article aims to provide you with the full and correct definition of Protected Health Information.

HIPAA rules and regulations are substantially about protecting PHI and we recommend you use our Protected Health Information Checklist to understand what is required for the protection of PHI.

What is Considered Protected Health Information under HIPAA?

To best understand what is considered Protect Health Information under HIPAA it is necessary to review not only the definition of Protected Health Information under HIPAA in 45 CFR §160.103, but also the definitions of “health information”, individually identifiable health information”, and “designated record set”.

This is because, when taking the four HIPAA PHI definitions into account, it is easier to determine what information is protected under HIPAA and when.

Starting with health information, this is defined as any information, including genetic information, whether oral or recorded in any form or medium, that:

  1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Thereafter, the definition of individually identifiable health information is much the same, other than the definition only applies to health care providers, health plans, employers (in the role of an administrator of a self-insured health plan), and health care clearinghouses, and only relates to information that identifies or could be used to identify the individual who is the subject of the health information or the individual´s family, employer, or members of their household.

What is Considered Protected Health Information Under HIPAA The Protected Health Information definition is similar to that for individually identifiable health information when maintained or transmitted by a Covered Entity other than PHI excludes health information maintained in students´ educational records (as these are protected by the Family Educational Rights and Privacy Act) and health information maintained by a Covered Entity in its role as an employer (i.e., health information relating to an employee´s absence from work).

It is important to note these HIPAA PHI definitions only apply to health care providers, health plans, and health care clearing houses that qualify as HIPAA Covered Entities, and only to Business Associates while they are performing a service for or on behalf of a Covered Entity.  For more information about when the Protected Health Information definition may not apply to a health care provider or health plan, please see “The HIPAA Definition of Covered Entities Explained”.

Compliance Issues Regarding Protected Health Information under HIPAA

HHS´ Office for Civil Rights updates an Enforcement Highlights webpage on which it lists the compliance issues most often alleged in complaints in order of frequency. Because a single data breach can affect many thousands of individuals, it is not surprising to see impermissible uses and disclosures at the top of the list. However, the next four items imply a lack of understanding about what is considered Protected Health Information under HIPAA:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards for (non-electronic) PHI
  • Failures to provide patient access to PHI
  • Lack of Administrative Safeguards for electronic PHI
  • Violations of the minimum necessary standard

It is worth noting that, other than mandatory breach notifications, the most likely source of a complaint to HHS´ Office for Civil Rights is a patient. It is not necessarily be the case that Covered Entities, Business Associates, and members of their respective workforces have a lack of understanding about what is considered Protected Health Information under HIPAA, but rather that patients need better educating about what HIPAA Protected Health Information is.

In a perfect world, an explanation of what HIPAA Protected Health Information is would be covered in the Notice of Privacy Practices. However, most Notices of Privacy Practices already contain more information than most patients are prepared to read; and, as will become evident in later sections of this article, explaining what is covered under HIPAA – and what is not – will likely raise more questions than answers for patients wishing to exercise their Privacy Rule rights.

In order to reduce the number of complaints to HHS´ Office for Civil Rights, it is advisable for Covered Entities and Business Associates to ensure all members of the workforce have a thorough understanding of what is considered Protected Health Information under HIPAA – not only to answer patients´ questions, but also to carry out their functions within the Covered Entity or Business Associate in compliance with HIPAA.

Designated Record Sets and What Information is Protected by HIPAA

Considered Protected Health Information Under HIPAAThe definition of designated record sets appears in the introduction to the Privacy Rule in 45 CFR §164.501. This standard defines designated record sets as “a group of records maintained by or for a Covered Entity that is the medical records and billing records about individuals […] or the enrollment, payment, and claims information maintained by or for a health plan that is used in whole or in part by or for the Covered Entity to make decisions about individuals.”

This definition is followed by a footnote that explains a record can be “any item, collection, or grouping of information that includes Protected Health Information and is maintained, collected, used, or disseminated by or for a Covered Entity.” While this may be a little confusing to follow – and likely difficult to make clear to patients unfamiliar with the terminology of HIPAA – an explanation of what information is protected by HIPAA could be explained thus:

  • Protected Health Information is health information (i.e., a diagnosis, a test result, an x-ray, etc.) that is maintained in the same record set as individually identifiable information (i.e., a name, an address, a phone number, etc.).
  • Any other non-health information included in the same record set assumes the same protections as the health information. However, when non-health information is maintained outside the record set, the protections do not apply.
  • A Covered Entity may maintain multiple record sets about an individual (i.e., a patient or plan member), but individuals only have the right to access and request amendments to information maintained in designated record sets.

This explanation of what information is protected by HIPAA can help reduce patients´ misunderstandings about what is considered Protected Health Information under HIPAA and reduce the volume of complaints to HHS´ Office for Civil Rights. It can also accelerate the flow of information within a health care facility when members of the workforce understand that not every piece of information relating to a patient has to be locked down behind access controls.

Examples of Protected Health Information and Why There is No List of Protected Health Information

Many examples of Protected Health Information refer to the PHI identifiers listed under the safe harbor method of de-identification in 45 CFR §164.514. It is now more than twenty years since this Protected Health Information list was compiled and it is very out of date. For example, in many cases Social Security Numbers have been replaced by Medicare Beneficiary Identifiers, social media handles did not exist when the list of PHI identifiers was compiled, and few people had Emotional Support Animals.

Indeed, Emotional Support Animals are a good example of when non-health information can be both protected and non-protected depending on how information is maintained. If information relating to a patient´s Emotional Support Animal is maintained in a record set, it assumes the same protections as the patient´s health information. However, if it is maintained in a separate database that does not contain health information (i.e., to accommodate transport requirements) it is not protected.

It is because of scenarios such as this that there is no list of Protected Health Information. Protected Health Information can be any information relating to an individual that is maintained in the same record set as the individual´s health information. To include non-health information that is not maintained in a record set in a list of Protected Health Information (i.e., license plate numbers, device identifiers, URLs, etc.) is unnecessary and not the objective of the Privacy Rule.

In conclusion, there is no doubt that understanding what is considered Protected Health Information under HIPAA can be complicated; but, by identifying what is Protected Health Information – and what isn´t – and knowing when protections are applied to non-health information – and when they are not – Covered Entities and Business Associates can accelerate the flow of information and reduce the number of unjustified complaints by patients to HSS´ Office for Civil Rights.

FAQs

What does HIPAA protect?

HIPAA protects the privacy of individually identifiable health information via the provisions of the Privacy Rule. However, it is important to be aware that HIPAA provides a “federal floor” of privacy protections. In many locations, states have passed privacy laws with more stringent protections than HIPAA and, in these locations, state law preempts HIPAA.

What information is protected by HIPAA?

The information protected by HIPAA is all health information relating to an individual´s past, present, or future physical or mental health or condition, the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual. Any information that can identify – or be used to identify – the subject of the information is also protected by HIPAA when it is maintained in the same designated record set as an individual’s health information.

What is considered HIPAA information?

What is considered HIPAA information is any health information or connected identifier “created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”. Many of these organizations are not HIPAA covered entities and not required to comply with HIPAA.

What is considered PHI under HIPAA?

What is considered PHI under HIPAA is any combination of health information and identifiers created, received, maintained, or transmitted by a covered entity. However, although the term combination is used in this definition, PHI can be a single item – for example, a picture of a baby sent to a pediatrician.

When maintained in the same designated record set as information relating to health, treatment, or payment, PHI covered under HIPAA includes any item of information that could be used to identify the subject of the health, treatment, or payment information.

Using this HIPAA definition of PHI, examples of Protected Health Information include an individual’s LGBTQ status, information about their emotional support animal, and contact information for a family member, friend, or support group – if this information could be used to identify the subject of the health, treatment, or payment information.

What is not considered PHI under HIPAA?

There are numerous examples of what is not considered PHI under HIPAA. One of the most common is students´ health information when it is created, received, maintained, or transmitted by a public school or college; for although the school or college may qualify as a partial covered entity, students´ medical records are considered to be part of their educational records under FERPA.

What information can be shared without violating HIPAA?

All information can be shared without violating HIPAA provided it is shared for a permissible use or disclosure or the entity sharing the information has obtained a written authorization from the subject of the information. With regards to written authorizations, it is important to be aware that individuals have the right to revoke their authorizations at any time.

What is not included in PHI?

What is not included in PHI depends on where information is maintained. PHI is any combination of health information and identifiers when they are maintained in the same designated record set. However, when health information and individual identifiers are maintained separately from each other, the identifiers alone are not considered protected health information under HIPAA. For example, jdoe@yahoo.com, Stillwater MN, and auto registration AYP 197 are not included in PHI when they are not maintained with health information in the same designated record set.

What is the difference between PII, PHI, and IIHA?

The difference between PII, PHI, and IIHA is that PII is Personally Identifiable Information used outside a healthcare context, while PHI (Protected Health Information) and IIHA (Individually Identifiable Health Information) is the same information used within a healthcare context. Although PHI is the more commonly used acronym in HIPAA, both PHI and IIHI are protected by the Privacy and Security Rules because they mean exactly the same thing.

Would patient information such as “Mr. Brown from New York” be considered PHI?

Patient information such as “Mr. Brown from New York” could be considered PHI if the information is maintained in a designated record set with either Mr. Brown´s health information or the health information of a family member, employee, or close personal friend.

Are email addresses that don´t reveal a person’s name considered identifiers for PHI purposes?

Email addresses that don’t reveal a person’s name are considered identifiers for PHI purposes if the email address is maintained in the same designated record set as an individual’s health information. This is because it is quite simple to find out who an email address such as “anonymous@xyz.com“ belongs to by doing a little research on social media or using a reverse email lookup tool on the Internet. Even if social media or a reverse lookup tool does not give you the individual´s name, you will still be able to find enough information about the individual for the email address – when maintained with health information – to be considered PHI.

What is the difference between an allowable disclosure of PHI and an incidental disclosure?

The difference between an allowable disclosure of PHI and an incidental disclosure is that covered entities are allowed to disclose PHI for treatment, payment, and health care operations. An incidental disclosure is a secondary, accidental disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another disclosure permitted by the Privacy Rule – for example, if a physician invites a health plan employee to his office to discuss payments, and the health plan employee passes a patient he or she recognizes in the waiting room.

How do you determine what a reasonably anticipated threat to PHI is?

You determine what a reasonably anticipated threat to PHI is by conducting frequent risk analyses in order to identify threats to the integrity of PHI. If the threats could be reasonably anticipated, covered entities and business associates are required to implement measures to protect against the threats occurring, or mitigate the consequences if the threats occur.

What information does HIPAA protect?

The information HIPAA protects is all individually identifiable health information that relates to an individual´s past, present, or future medical condition, treatment for medical conditions, and payment for treatments. As well as medical, treatment, and payment information, any information maintained in the same designated record set as the individually identifiable health information that could be used to identify the individual is also protected.

Who can access information under HIPAA?

The answer to the question of who can access information under HIPAA has three parts. 1. The subject of the information and representatives of HHS´ Office of Civil Rights must have access to information when requested. 2. Authorized personnel and certain organizations can have access to information under HIPAA if it involves a permissible use or disclosure as defined by the Privacy Rule. 3. All other requests for access to information under HIPAA must be accompanied by a written authorization from the patient.

Is gender a HIPAA identifier?

Gender is a HIPAA identifier if the information could be used to identify the subject of health information maintained or transmitted by a Covered Entity – or by a Business Associate acting on a Covered Entity´s behalf. The gender of an individual – and their LGBTQ status – is always Protected Health Information when it is maintained or transmitted in the same designated record set as an individual’s health information.

What health information is protected by federal law?

What health information is protected by federal law depends on the federal law and whether it is preempted by state law. For example, HIPAA laws protect health information relating to an individual’s past, present, or future physical or mental health condition, treatment for the condition, and payment for treatment.

However other federal laws exist that also protect health information in certain circumstances. For example, the amended Confidentiality of Alcohol and Drug Abuse Patient Records Regulations protect the confidentiality of substance use disorder patient records and is enforced by the Substance Abuse and Mental Health Services Administration (an agency within HHS).

Under the Public Health Service Act, any health information provided to a family planning agency is protected even if the family planning agency is not a HIPAA Covered Entity. Similarly, any health information provided to any federal government agency is protected by the Privacy Act, while any health information maintained about a student by a school is protected by FERPA.

With regards to state law, Illinois is one of many states that has introduced regulations that preempt HIPAA in specific areas. In this case, Illinois’ Biometric Information Privacy Act regulates the collection, use, and handling of biometric identifiers and information by private companies. Texas has similar regulations included in its Medical Records Privacy Act.

What is considered HIPAA information?

The term HIPAA information can relate to any standard in the text of the Health Insurance Portability and Accountability Act inasmuch as the term could mean information about a pre-existing condition for insurance purposes, information contained in a Medicare claims transaction, or the right to withhold information from an insurance provider when treatment has been paid for privately.

What is HIPAA protected information?

HIPAA protected information is most often considered to be the contents of a designated record set – i.e., both the health information in the designated record set and any non-health information that identifies or could be used to identify the subject of the health information. This description can also include any data relating to a family member, friend, or employer that could identify the individual.

How should you explain the definition of PHI under HIPAA to a patient?

To explain the definition of PHI under HIPAA to a patient, it is a good idea to create a web page with a full explanation of what is protected under HIPAA and under what circumstances it is protected. A link to the web page could be included in the Notice of Privacy Practices with a note asking patients to review the web page prior to making a complaint.

When is the disclosure of HIPAA data a HIPAA violation?

Any disclosure of HIPAA data is a HIPAA violation if it is permitted by the Privacy Rule or authorized by the individual to whom the data relates. A HIPAA violation of this nature is usually considered to be a data breach; and, depending on the consequences of the violation, may have to be reported to HHS´ Office for Civil Rights and the affected individual(s).

The post What is Considered Protected Health Information Under HIPAA? appeared first on HIPAA Journal.

How To Become HIPAA Compliant

Posted by HIPAA Journal

One of the simplest ways how to become HIPAA compliant is to adapt HHS’ “The Seven Fundamentals of an Effective Compliance Program” to address compliance challenges identified in a HIPAA risk assessment. Thereafter, it can be beneficial to take advantage of HIPAA compliance software in order to maintain a compliant workplace.

7 Steps for HIPAA Compliance

In 2011, HHS published “The Seven Fundamental Elements Of An Effective Compliance Program”. We have slightly amended it to be more relevant to HIPAA compliance in 2025. Here is a summary of the elements, which we outline in more detail in this guide.

  1. Develop policies and procedures so that day-to-day activities comply with the HIPAA Privacy Rule.
  2. Designate a privacy officer and a security officer.
  3. Implement effective training programs.
  4. Ensure channels of communication exist to report violations and breaches.
  5. Monitor compliance at floor level so poor compliance practices can be nipped in the bud.
  6. Enforce sanctions policies fairly and equally.
  7. Respond promptly to identified or reported violations, and breaches.

 

How To Become HIPAA Compliant

The best HIPAA compliance softwareYou can also read more about the background and history of the Seven Elements here. You might consider using HIPAA compliance software which has been designed to use the seven elements framework and can simplify and automate compliance, and provides comprehensive risk management processes.

Step 1: Why HIPAA Privacy Rule Policies and Procedures?

Although HIPAA compliance consists of complying with all relevant Administrative Simplification Regulations, implementing HIPAA Security Rule and Breach Notification standards is generally an organizational process not connected with cultivating a culture of compliance. Additionally, the most common HIPAA violations are attributable to failures to comply with the HIPAA Privacy Rule.

However, it is no longer sufficient to develop policies and procedures that only address permissible uses and disclosures, the minimum necessary standard, and patients’ rights. Covered entities should ensure HIPAA Privacy Rule policies and procedures include how to explain to patients what PHI is (and what it isn’t), how to verify an individual’s identity, and how to record requests for privacy protections.

Step 2: The Roles of HIPAA Compliance Officers

It is interesting that the HHS’ Office of Inspector General placed this “tip” in second place after the development of policies and procedures. This would imply the roles of HIPAA compliance officers are to train members of the workforce, monitor compliance, and enforce the organization’s sanctions policy. However, there is quite a lot more involved in being a compliance officer.

In most cases, the HIPAA Privacy Officer will be the point of contact for members of the public and members of the workforce that want to report privacy concerns. Security Officers are generally more responsible for conducting risk assessments, ensuring security solutions are configured properly, and training members of the workforce on how to use the solutions compliantly.

Step 3: What Makes an Effective Training Program?

The effectiveness of the training provided to members of the workforce can make the difference between ticking the box of compliance or cultivating a culture of compliance. To make HIPAA Privacy Rule training effective, members of the workforce must understand what PHI is, why it has to be protected, and the consequences to patients, employers, and themselves of HIPAA violations.

HIPAA Security Rule training must be focused on protecting PHI in all formats and even more focused on the consequences of taking shortcuts, circumnavigating safeguards, and failing to alert managers of a data breach for fear of “getting into trouble”. One way of achieving this is to ask members of the workforce to run personal online credentials through the HIBP database to illustrate the importance of unique, complex passwords.

Step 4: The Importance of Two-Way Communication

While policy making and training has to come from the top down, it is important that any channels of communication relating to HIPAA compliance are also bottom up – not only to raise compliance concerns or report HIPAA violations, but also to provide feedback on what works and what doesn’t on the ground floor, and what new challenges are facing frontline members of the workforce.

This is why it can be important – when resources allow – to have a compliance team consisting of team members that have worked in or have knowledge of how different departments operate. For example, a compliance team consisting solely of lawyers and IT managers may not appreciate the difficulty of protecting the privacy of PHI in front of a grieving family mourning a recent loss.

Step 5: How Most Poor Compliance Practices Develop

Most poor compliance practices result from well-meaning intentions – for example, to “get the job done” or provide a good service to a patient’s family. When minor violations are allowed to continue, poor compliance practices can develop into a culture of non-compliance. This is why it is important to identify and address poor compliance practices at the earliest opportunity.

While it is important to have eyes on compliance at floor level, it is also important not to take eyes off compliance at higher levels. Busy managers and senior managers can also be guilty of taking shortcuts with compliance or ignoring non-compliant activities because they do not have the time to “sort it out” – when, in truth, the failure to take action is a failure of management.

Step 6: The Best Sanctions are Not Always Disciplinary

Sanctions policies can often be overwhelming documents threatening all manner of disciplinary actions for non-compliance from warnings to suspensions, to termination of contract and loss of license. Some even include the maximum federal penalties for violations of §1177 of the Social Security Act (up to ten years in prison and up to $250,000 in fines).

Although these sanctions may have to legally be included in a sanctions policy, making them the focus of attention is not necessarily the best way to cultivate a culture of compliance. The threat of a loved one being the victim of medical identity theft and the consequences of data breaches can encourage workforce compliance more than the threat of refresher training.

Step 7: Responding Quickly is the Key to Compliance

One of the keys to cultivating a culture of compliance is to respond to queries, issues, complaints, reports of violations, and data breaches as quickly as possible. Responding quickly to any type of communication demonstrates a commitment to compliance and an eagerness to ensure – once a compliant workforce is achieved – the compliant state is maintained.

Responding to queries, issues, complaints, etc. would ordinarily be the responsibility of compliance officers (or teams), but this can lead to the compliance officers being overwhelmed. Consequently, it may be necessary for managers and senior managers to take some responsibility for monitoring compliance and responding to workforce or patient communications.

The post How To Become HIPAA Compliant appeared first on The HIPAA Journal.

What is a HIPAA Violation?

Posted by HIPAA Journal

A HIPAA violation refers to the failure to comply with HIPAA rules, which can include unauthorized access, use, or disclosure of Protected Health Information (PHI), failure to provide patients with access to their PHI, lack of safeguards to protect PHI, failure to conduct regular risk assessments, or insufficient employee training on HIPAA rules. To best answer the question what is a HIPAA violation, it is necessary to explain what HIPAA is, who it applies to, and what the definition of a HIPAA violation is; for although most people believe they know what a HIPAA compliance violation is, evidence suggests otherwise.

In this article we provide a detailed explanation of HIPAA violations.

Ten Most Common HIPAA ViolationsYou can also use the article in conjunction with our HIPAA Violations Checklist to understand what is required to ensure full compliance. Please use the form on this page to arrange your free copy of the checklist.

Summary Of Article Contents

HIPAA Violation Misunderstandings

The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action.

According to the most recent update, the HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary.

However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity did not violate HIPAA rules. Additionally, in nearly 14,000 cases in which reviews were carried out, no violation of HIPAA was found.

While these statistics imply more than two-thirds of people do not understand what is a HIPAA violation, it is important to put the statistics into context as they only relate to complaints received by the HHS and do reflect complaints made directly to Covered Entities and State Attorney Generals by patients, plan members, and members of the workforce.. Nonetheless, it may be important for some to review their interpretation of what constitutes a violation.

What is HIPAA and Who Does It Apply To?

What is a HIPAA violationThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced primarily to ensure employees could maintain healthcare coverage between jobs and not be discriminated against for pre-existing conditions. To prevent insurance carriers passing on the cost of compliance to plan members and employers, Congress added a second Title to the Act to simplify the administration of healthcare, eliminate wastage, and prevent healthcare fraud.

Since the passage of HIPAA, most of the regulatory activity has revolved around the Administrative Simplification provisions in 45 CFR Parts 160,162, and 164. These “Parts” include the General HIPAA Provisions, the Transaction and Code Sets Rules, and – most importantly in the context of what is a HIPAA violation – the publication of the Privacy Rule, the Security Rule, and Breach Notification Rule.

The failure to comply with any Standards in these Rules is considered a violation of HIPAA – even if no harm has resulted. For example, one of the most common types of complaint relates to the failure to provide patients with copies of their PHI on request. Examples of other types of HIPAA violations are provided below along with the penalties that may be applied when a violation of HIPAA occurs.

The Standards apply to Covered Entities and Business Associates. Covered Entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards. Most healthcare providers qualify as a Covered Entity, but it is important to be aware that some are exempted.

Business Associates are businesses with whom a Covered Entity shares PHI to help carry out its healthcare activities and functions. Since the publication of the Final Omnibus Rule in 2013, Business Associates have had the same requirements as Covered Entities to comply with the Privacy, Security, and Breach Notification Rules as found in 45 CFR Parts 160, 162, and 164.

What is a PHI Violation?

Violations of HIPAA involving the unauthorized disclosure of PHI beyond the permitted uses and disclosures are the most common type of HIPAA violation. PHI violations can range from providing more information than the minimum necessary to achieve the purpose of an allowable disclosure to the hacking of an unencrypted database that exposes the PHI of thousands of patients.

To avoid a PHI violation, Covered Entities and Business Associates not only need to implement the safeguards stipulated by the Privacy and Security Rules, but also ensure appropriate policies and procedures are in place to minimize the risk of a PHI violation. Members of each entity´s workforce also need to be trained on the policies and procedures and the sanctions for non-compliance.

Other Types of HIPAA Law Violation

One frequent misunderstanding about HIPAA is that a violation is only a violation when it involves authorized uses and disclosures of PHI. However, there are many other ways in which a Covered Entity or Business Associate can violate HIPAA. For example, failing to train members of the workforce on policies and procedures or failing to document the training.

It is also a HIPAA law violation to withhold the details of a breach from the individuals affected by the breach, the HHS´ Office for Civil Rights, and – in certain circumstances – from the media. In recent years, several fines have been issued for HIPAA law violations attributable to non-compliance with the Breach Notification Rule or for failing to comply with the Rule in the time allowed.

Further HIPAA Violation Examples

In addition to the examples previously mentioned, there are many more ways in which Covered Entities and Business Associates can violate HIPAA. Below we list a selection of further HIPAA violation examples:

  • Impermissible disclosures of PHI
  • Improper disposal of PHI
  • Failure to conduct a risk analysis
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to maintain and monitor PHI access logs
  • Failure to enter into a HIPAA-compliant Business Associate Agreement prior to sharing PHI
  • Failure to provide patients with an accounting of disclosures on request
  • Failure to implement access controls to limit who can view PHI
  • Failure to terminate access rights to PHI when no longer required
  • Failure to provide security awareness training
  • Unauthorized release of PHI to individuals not authorized to receive the information
  • Sharing of PHI online or via social media without permission
  • Mishandling and mis-mailing PHI
  • Texting unencrypted PHI
  • Failure to encrypt PHI or use an alternative, equivalent measure to prevent unauthorized access/disclosure

It is important that anybody with access to PHI in an organization is provided with HIPAA training that explains what is a HIPAA violation and that all members of a Covered Entity´s or Business Associate´s workforce are provided with security awareness training regardless of their role.

How are HIPAA Violations Uncovered?

What is a HIPAA compliance ViolationMany HIPAA violations are discovered by HIPAA-covered entities through internal audits. Supervisors may identify employees who have violated HIPAA Rules and employees often self-report HIPAA violations and potential violations by co-workers.

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and investigates complaints of HIPAA violations reported by healthcare employees, patients, and health plan members. OCR also investigates all Covered Entities that report breaches of more than 500 records, conducts investigations into certain smaller breaches, and periodically audits HIPAA-covered entities and business associates.

State attorneys general also have the power to investigate breaches, and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received.

What are the Penalties for Violations of HIPAA Rules?

The penalties for violations of HIPAA rules are dependent on the nature of the violation, the level of culpability, how much harm was caused by the violation, and the efforts made by the Covered Entity or Business Associate to mitigate the breach or its impact. In most cases, the penalties consist of a Corrective Action Plan, but the OCR has the power to impose substantial financial penalties.

State attorneys general also have the power to investigate breaches, and investigations are often conducted due to complaints about potential HIPAA violations and when reports of breaches of patient records are received. These are in addition to any penalties for violations of HIPAA rules that are issued by individual states when data breaches violate state privacy and security rules.

HIPAA Violation Categories

There are four HIPAA violation categories. Each has a minimum and maximum “limit” within which OCR can impose financial penalties depending on the level of culpability. Two of the HIPAA violation categories are designated for Covered Entities and Business Associates that can demonstrate reasonable due diligence, whereas the other two are for entities guilty of willful neglect.

Category 1 – Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA rules had been violated.

Category 2 – Reasonable cause that the Covered Entity/Business Associate knew about – or should have known about – the violation by exercising reasonable due diligence.

Category 3 – Willful neglect of the HIPAA Rules with the violation corrected and the consequences mitigated within thirty days of discovery.

Category 4 – Willful neglect of the HIPAA Rules and no effort made to correct the violation or mitigate the consequences within thirty days of discovery.

HIPAA Violation Penalties

Originally, the financial HIPAA violation penalties were modest and did not act as an appropriate deterrent to prevent HIPAA-covered entities from violating the HIPAA Rules. They were significantly increased in the HITECH Act of 2009; and, since 2015, they have been adjusted for inflation annually. The table below shows the HIPAA violation penalties for 2023 and includes the maximum an entity can be fined for multiple instances of the same violation. The cost-of-living adjustment multiplier is expected to be set by the Office of Management and Budget (OMB) by January 15, 2023.

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit 
Tier 1 Reasonable Efforts $137 $68,928 $2,067,813
Tier 2 Lack of Oversight $1,379 $68,928 $2,067,813
Tier 3 Neglect – Rectified within 30 days $13,785 $68,928 $2,067,813
Tier 4 Neglect – Not Rectified within 30 days $68,928 $2,067,813 $2,067,813

OCR Reinterprets HITECH Act Penalty Increases

As the above table shows, the maximum penalty per year is the same in all four penalty tiers, which may seem odd. In 2019, the HHS reexamined the text of the HITECH Act and determined that the language had been misinterpreted with respect to the penalty amounts, and OCR determined that the maximum penalty per year should be reduced in three of the four penalty tiers, and set the annual cap at $25,000 for tier 1, $100,000 for tier 2, $250,000 for tier 3, and $1,500,000 for tier 4.

These new maximum penalties have not been made official, as that requires further rulemaking. While that does appear to be the intention of the HHS, this has currently been addressed through a notice of enforcement discretion, which applies indefinitely until the change to the penalty structure is made official. There is still a discrepancy between the maximum penalty per violation in tier 1, which is double that of the annual cap, which will no doubt be clarified in further rulemaking. Adjusted for inflation, the new penalty amounts for 2023, for cases assessed on or after October 6, 2023, are detailed in the table below.

Annual Penalty Limit  Annual Penalty Limit  Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit 
Tier 1 Lack of Knowledge $137 $34,464 $34,464
Tier 2 Reasonable Cause  $1,379 $68,928 $137,886
Tier 3 Willful Neglect $13,785 $68,928 $344,638
Tier 4 Willful neglect (not corrected within 30 days $68,928 $68,928 $2,067,813

Recognized Security Practices

In 2021, the HITECH Act was amended to encourage HIPAA-regulated entities to adopt ´recognized security practices` to better protect healthcare data from unauthorized access. If those security practices have been adopted and have been in place continuously for 12 months, they will be considered by OCR when deciding on financial penalties and other actions in response to data incidents. HIPAA-regulated entities that adopt recognized security practices will not avoid financial penalties for HIPAA Security Rule violations, but they will be considered as a mitigating factor and will see any financial penalties reduced. By adopting recognized security practices, HIPAA-regulated entities will also be subjected to less extensive audits and investigations.

FAQs

How can you tell if an organization is in violation of HIPAA?

It is not always easy to tell if an organization is in violation of HIPAA if, as a health plan member or patient, you are unfamiliar with your rights or the permissible uses and disclosures of PHI. In most cases, individuals are not aware that an organization has been in violation of HIPAA until they receive a breach notification letter. However, if you are unsure about whether an organization is in violation of HIPAA, there are several steps you can take.

Health plan members and patients who believe their privacy may have been violated should, in the first instance, file a complaint with the organization concerned. The organization should acknowledge the complaint and respond with either an explanation of why your privacy was not violated or – if it was – an explanation of what the organization is doing to rectify the cause of the violation.

Complaints can also be filed with the HHS’ Office for Civil Rights or your state´s Attorney General. These agencies have the authority to review complaints against HIPAA covered entities and business associates; and, although it may take longer to get a reply, HHS´ Office for Civil Rights and state Attorneys General can thoroughly investigate if an organization is in violation of HIPAA and take action accordingly.

What is the difference between a risk assessment and a risk analysis?

The difference between a risk assessment and a risk analysis is that a risk assessment is generally regarded to be a review of potential threats, and a risk analysis a calculation of how likely the threats are to occur. There is a lack of clarity in HIPAA about the difference between a risk assessment and a risk analysis inasmuch as the risk analysis section of the Security Rule (45 CFR § 164.308(a)) states:

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate – i.e., the Rule requires an analysis of risks, but doesn´t elaborate on the analysis process.

Who can violate HIPAA?

Anyone covered by the HIPAA regulations can violate HIPAA. However, there has been some confusion – especially during the COVID-19 pandemic – about who exactly is covered by HIPAA. Entities required to comply with HIPAA are health plans, healthcare clearinghouses, and healthcare organizations that engage in qualifying electronic transactions (most now do). Business Associates and contractors with who PHI is shared can also violate HIPAA.

The requirement to comply with HIPAA regulations also applies to all workforces of a Covered Entity, Business Associate, or contractor. HIPAA defines a workforce as “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate”.

When potential risks and vulnerabilities are identified, what happens next?

When potential risks and vulnerabilities are identified, covered entities and business associates are required to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In order to determine what constitutes a “reasonable and appropriate level”, organizations should take into account (per 45 CFR § 164.306(b)):

  • The size, complexity, and capabilities of the organization
  • The organization´s technical infrastructure, hardware, and software security capabilities
  • The cost of reasonable and appropriate security measures
  • The probability and criticality of potential risks to the integrity of ePHI

What does the “criticality of potential risks” mean?

The term criticality of potential risks refers to the scale of injury that might be caused by a HIPAA violation. For example, a cloud storage volume – containing the payment details and Social Security numbers of thousands of patients – left open to the public Internet has the potential to cause more injury than two nurses discussing the treatment options for patient A within earshot of patient B.

What is the HIPAA Law?

The term HIPAA Law refers to all five Titles of the Healthcare Insurance Portability and Accountability Act. The relevant Title for organizations in the healthcare industry is Title II – “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform” – as this is the section which led to the HIPAA Privacy, Security, and Breach Notification Rules.

What is considered a HIPAA violation?

A HIPAA violation is considered to be non-compliance with any “required” standard or any “addressable” standard for which an equally effective substitute has not been implemented, or a documented reason exists for the standard not to be implemented. An example of non-compliance with a required standard is failing to provide security awareness training to all members of the workforce regardless of their role.

Can a non-medical person violate HIPAA?

A non-medical person can violate because HIPAA applies to covered entities and business associates, and their workforces. Therefore, if a non-medical member of the workforce (such as a member of the IT team) disclosed PHI without authorization, they would be in violation of HIPAA – although it would be their employer who would have to notify the affected individual and report the disclosure to HHS´ Office for Civil Rights.

What are HIPAA violations?

HIPAA violations (in the plural) are a series of violations often attributable to the failure of a Covered Entity to monitor compliance with policies and procedures. There have been cases in which non-compliant short-cuts have been taken by employees “to get the job done”, and when shortcuts are unchecked, they can develop into a cultural norm of non-compliance.

Who can violate HIPAA laws?

Nobody can violate HIPAA laws, although there are many exceptions to HIPAA which mean covered entities and business associates do not have to comply with HIPAA in every circumstance. For example, under the Military Command Exception, healthcare professionals in the military are allowed to disclose PHI without the patient´s authorization in order to report on the patient´s fitness for duty, fitness to perform an assignment, or fitness to perform another activity necessary for a military mission.

What constitutes a HIPAA violation?

What constitutes a HIPAA violation is usually defined as any violation of the Privacy, Security, or Breach Notification Rules. Some violations – such as “incidental uses and disclosures” – would not generally result in financial penalties. Members of the workforce who violate HIPAA in this way are likely to be required to undergo further training.

What are the 3 types of HIPAA violations?

The 3 types of HIPAA violations are administrative, civil, and criminal violations. Most administrative HIPAA violations are investigated by the Centers for Medicare and Medicaid Services (CMS), while civil HIPAA violations are investigated by the HHS´ Office for Civil Rights (OCR). If the Office for Civil Rights investigates a case with possible criminal motives, the case is referred to the Department of Justice for investigation.

What violates HIPAA according to CMS?

What violates HIPAA according to CMS is the failure to comply with the Administrative Requirements (Part 162 of the Administrative Simplification Regulations). The Administrative Requirements cover the code sets and identifiers Covered Entities or Business Associates acting on their behalf must use when conducting transactions for which HHS has published standards. Although CMS has the authority to issue fines for non-compliance, to date, administrative HIPAA violations have been resolved by corrective actions, not financial penalties.

What counts as a HIPAA violation according to the FTC?

Nothing counts as a HIPAA violation according to the FTC. However, while the Federal Trade Commission (FTC) is not concerned with HIPAA enforcement, the agency does enforce the Federal Trade Commission Act, which has a Health Data Breach Rule that allows the FTC to pursue financial penalties for failures to issue breach notifications by vendors of personal health records and related entities not covered by HIPAA. In 2023, the FTC imposed its first financial penalty for failing to notify individuals about the impermissible disclosure of consumers’ health data to third parties, after a vendor promised such information would be kept private.

What is not a HIPAA violation?

The list of alleged violations that are not a HIPAA violation is very long indeed. More than two-thirds of complaints received by HHS´ Office for Civil Rights (OCR) alleging HIPAA violations are rejected after review because the complaints are made against organizations that are not subject to the HIPAA Rules or do not relate to an impermissible use or disclosure of Protected Health Information.

Can HIPAA violations be criminal?

A HIPAA violation can be criminal when an individual knowingly and wrongfully uses or discloses PHI in violation of §1320d-6 of the Social Security Act. Violations of this nature are most often referred to the Department of Justice, who has the authority to impose fines of up to $250,000 and pursue custodial sentences of up to ten years.

Does HIPAA apply to everyone?

HIPAA applies to everyone who is a member of a group health plan or who is a patient of a healthcare provider that qualifies as a covered entity inasmuch as it protects the privacy of these peoples´ individually identifiable health information and ensures the confidentiality, integrity, and availability of these peoples´ electronic Protected Health Information.

With regards to complying with the HIPAA Rules, HIPAA does not apply to everyone. Only “covered entities” and “business associates” with whom Protected Health Information is shared are required to comply with the HIPAA Rules. Members of the workforce for both types of organization have to comply with the policies and procedures developed by their employers to comply with HIPAA.

Can a patient violate HIPAA?

A patient cannot violate HIPAA because they do not qualify as a HIPAA covered entity, a business associate to a covered entity, or a member of the workforce. Even if a patient is employed by the hospital at which they are a patient, they cannot violate HIPAA because an employee is only a member of a covered entity´s workforce while “in the performance of work […] under the control of such covered entity”.

How do you report a HIPAA violation?

How you report a HIPAA violation can vary depending on whether you are a patient or group plan member, or a member of a covered entity´s or business associate´s workforce. If you are a patient or group plan member, you have the options of reporting a HIPAA violation to the Privacy Office where the violation occurred, to your state Attorney General, or to HHS´ Office for Civil Rights.

If you are a member of a covered entity´s or business associate´s workforce, who you report a HIPAA violation to may be determined by the content of your employment contract (i.e., an immediate supervisor). In the event of there being no reporting policy in the employment contract, your options are the same as a patient or group plan member.

What is the penalty for a HIPAA violation?

The penalty for a HIPAA violation depends on the nature of the violation, it´s consequences, the previous compliance history of the perpetrator, and whether the perpetrator is an organization or a member of an organization´s workforce.

If an organization, a minor HIPAA violation with minimal consequences will likely be resolved by technical assistance or a corrective action plan. If the violation is more serious, impacts thousands of individuals, and is a repeat offense, the likely penalty will be a civil monetary penalty.

If you are a member of an organization´s workforce, the penalty will depend on your employer´s sanctions policy. A minor violation may result in a verbal warning, while a more serious violation may result in a written warning – or, if a repeated serious violation, termination of employment.

What are the HIPAA violation categories?

The HIPAA violation categories are administrative violations, civil violations, and criminal violations. An example of an administrative violation would be to use the wrong codes on a claims transaction, while an example of a civil HIPAA violation would be to deny a patient access to a copy of their Protected Health Information (data breaches also fall into the category of civil HIPAA violations).

A criminal HIPAA violation is when a covered entity, business associate, or a member of either´s workforce has wrongfully and knowingly accessed, obtained, or transmitted Protected Health Information without authorization for a purpose prohibited by §1320d-6 of the Social Security Act. Criminal violations of HIPAA can incur substantial fines and jail sentences.

Is a HIPAA violation a felony?

A HIPAA violation is not a felony unless it involves the knowing and willful disclosure of PHI under false pretenses and/or to sell, transfer, or use the PHI for personal gain, malicious harm, or commercial advantage. These violations were classified as felonies in an opinion published by the Attorney General´s Office of Legal Counsel in 2005.

Can a family member violate HIPAA?

A family cannot violate HIPAA because family members are not required to comply with HIPAA. However, if a family member is employed at (for example) a hospital as a member of a covered entity´s workforce; and, while performing their role as a member of a covered entity´s workforce, accesses the medical history of a patient without authorization, this is a violation of HIPAA.

How long do you have to report a HIPAA violation?

How long you have to report a HIPAA violation can vary depending on who you report it to. Usually there are three options – to a Privacy Officer, to a State Attorney General, or to HHS´ Office for Civil Rights. Privacy Officers and State Attorney General can set their own time limits for how long you have to report a HIPAA violation. HHS´ Office for Civil Rights only accepts reports for 180 days after the date on which the violation was discovered.

What are the consequences of violating HIPAA?

The consequences of violating HIPAA depend on the nature of the violation, the impact the violation has, the violator´s previous compliance history, and whether the violator is an organization or a member of an organization´s workforce.

If an organization violates HIPAA, the consequences can range from voluntary compliance to technical assistance, to a corrective action plan, to a fine. Comparatively few violations of HIPAA result in a fine. Most are resolved by voluntary compliance and technical assistance.

If a member of an organization´s workforce violates HIPAA, the consequences will be determined by the organization´s HIPAA sanctions policy. These can range from a verbal warning to retraining, to a written warning, to termination of employment and possible loss of license.

My HIPAA rights were violated. Who do I complain to?

If your HIPAA rights were violated, you should complain to the Privacy Officer at the organization where your rights were violated. The contact details of the Privacy Office are on the Notice of Privacy Practices given to you when you first enrolled as a patient of a healthcare provider or as a member of a group health plan.

If you fail to obtain a satisfactory explanation of why your HIPAA rights were violated and what the organization is doing to prevent a repeat, you can complain to HHS´ Office for Civil Rights via the complaints portal. However, please note you only have 180 days from the date your HIPAA rights were violated to file your complaint.

Is violating HIPAA illegal?

Violating HIPAA is not illegal unless it involves one of the three offences that qualify as a misdemeanor or felony under §1320d-6 of the Social Security Act. All three offences relate to the knowing and wrongful disclosure of PHI, and it is rare these offenses occur. Therefore, practically all violations of HIPAA are civil violations.

What are 3 common HIPAA violations?

The 3 most common HIPAA violations according to HHS´ Enforcement Highlights report are impermissible uses and disclosures of PHI, a lack of safeguards for PHI, and the lack of patient access to PHI. Strictly speaking, these are the 3 most common alleged HIPAA violations; but it is highly likely the majority of allegations in each category are justified.

What happens if a doctor violates HIPAA?

What happens if a doctor violates HIPAA depends on whether the doctor is a covered entity, a member of a covered entity´s workforce, or a business associate providing a service on behalf of a covered entity.

With regards to the doctor being a covered entity, it is important to be aware not all healthcare provides qualify as covered entities. Those that do not qualify as a covered entity are not required to comply with HIPAA unless they provide a service for a covered entity as a business associate.

If a doctor is a covered entity in their own right (i.e., a solo practitioner), if HHS´ Office for Civil Rights investigates and identifies a compliance issue, it will usually attempt to resolve the issue with voluntary compliance or technical assistance. If the violation is serious – or the doctor has a history of non-compliance – the agency may impose a corrective action plan or civil monetary penalty.

If the doctor is a member of a covered entity´s workforce, the likely consequences of a minor HIPAA violation is a verbal warning and refresher training. However, if the doctor has a history of non-compliance, the warning could be written, and – if the violation is repeated – the covered entity could terminate the doctor´s employment and refer them to a medical licensing board.

A doctor that does not qualify as a covered entity but provides a service on behalf of a covered entity will only be required to comply with some standards of the Privacy Rule (usually determined by the content of the Business Associate Agreement). If the doctor violates a HIPAA standard they are required to comply with, the incident should be reported to the covered entity, who will investigate the violation or refer it to HHS´ Office for Civil Rights.

What is the penalty for violating HIPAA laws?

The penalty for violating HIPAA laws can depend on multiple factors. These include – but are not limited to – who committed the violation, what the consequences of the violation were, and the previous compliance history of the person or organization that violated HIPAA.

If, for example, a member of a covered entity´s workforce accidently revealed more than the minimum necessary PHI with limited consequences and it was their first violation, the penalty will likely be a verbal warning and possible a session of refresher training.

At the other end of the scale, if an organization with a poor compliance history is responsible for the knowing disclosure of PHI for commercial advantage, it could face multimillion dollar fines from HHS´ Office for Civil Rights, State Attorneys General, and the Department of Justice – who could also pursue a criminal conviction against the perpetrators with a potential jail term of up to ten years.

How does a HIPAA Privacy Rule violation differ from a HIPAA Security Rule violation?

A HIPAA Privacy Rule violation differs from a HIPAA Security Rule violation inasmuch as the objectives of the Privacy Rule are to protect the privacy of individually identifiable health information and give individuals rights over their health information, while the objective of the Security Rule is to ensure the confidentiality, integrity, and confidentiality of electronic Protected Health Information – which is a subset of individually identifiable health information.

Consequently, a HIPAA Privacy Rule violation is most likely to be the violation of a standard relating to permissible uses and disclosures of Protected Health Information or the failure to allow individuals to exercise their rights, whereas a HIPAA Security Rule violation is most likely to the violation of a standard relating to an Administrative, Physical, or Technology Safeguard – for example, the failure to prevent members of the workforce sharing login credentials.

Can I get fired for an accidental HIPAA violation?

You can get fired for an accidental HIPAA violation if, as a member of a covered entity´s or business associate´s workforce – you have a previous history of accidental HIPAA violations with significant consequences. However, unless your first accidental HIPAA violation had particularly significant consequences, and your employer´s sanctions policy included being fired for a first offense, you will likely be sanctioned with a verbal or written warning and required to take refresher HIPAA training.

How long does a HIPAA violation investigation take?

How long a HIPAA violation investigation takes can depend on a number of factors. If, for example, a healthcare worker has accidently violated a Privacy Rule standard and the consequences were minimal, a HIPAA violation investigation may take less than thirty minutes. However, if an investigation into a data breach by HHS´ Office for Civil Rights uncovers non-compliance in multiple areas, a HIPAA investigation could take months to conclude.

Can you sue for a HIPAA violation?

You cannot sue for a HIPAA violation under HIPAA laws because the regulations do not provide for a private right of action. However, if you have suffered harm as the consequence of a HIPAA violation, there may be other consumer protection or privacy laws you may be able to use to sue for a HIPAA violation against a negligent covered entity or business associate. Ideally, you should seek advice from a legal expert who is familiar with the laws in your state.

Do I need an attorney to report a HIPAA violation?

You do not need an attorney to report a HIPAA violation because the process for filing a complaint via the OCR complaints portal is straightforward. However, if you wish to pursue a civil claim for a violation of your privacy rights, it may be a good idea to speak with a HIPAA violation attorney before filing your complaint as HIPAA does not provide for a private right of action.

The post What is a HIPAA Violation? appeared first on HIPAA Journal.

HIPAA And Social Media Guidelines

Posted by HIPAA Journal

The most important rule for any HIPAA and social media guidelines is that social media content must NEVER include protected health information (PHI). This must be front and center of any HIPAA social media policy.

HIPAA and Social Media Policy Guidelines Organizations subject to HIPAA can use our HIPAA and Social Media Checklist to understand how to avoid HIPAA violations due to misuse of social media by employees.

What Are The HIPAA And Social Media Rules?

Because HIPAA was enacted several years before social media such as Facebook, TikTok and Instagram existed, the Privacy Rule does not include any specific references to social media.

Nevertheless, the HIPAA social media rules are the standards relating to permissible uses and disclosures of PHI in the Privacy Rule.

As permissible uses and disclosures do not include publishing individuals’ PHI in the public domain, these effectively prohibit Covered Entities and Business Associates from using or disclosing PHI without an individual´s authorization.

HIPAA And Social MediaIf no PHI is disclosed – and the FTC Rules (see below) are complied with – the Privacy Rule does not apply, and Covered Entities and Business Associates can freely use social media networks to promote healthy lifestyles, market health insurance products, and promote B2B services.

However, it is important to understand what is considered PHI under HIPAA. The term PHI does not solely relate to health information, and it could be possible that – due to a lack of knowledge – a member of the workforce inadvertently discloses PHI in violation of the Privacy Rule.

Understanding Patient Authorization Rules

HIPAA And Social Media GuidelinesIn addition to understanding what is considered PHI under HIPAA, it is also important to understand the patient authorization rules which must be part of any HIPAA social media policy.

These can be found in §164.508 of the Privacy Rule and stipulate that valid authorizations must include the following core elements:

  • A meaningful description of the information to be used or disclosed
  • A meaningful description of the purpose of the use or disclosure
  • An explanation that the information may be further disclosed
  • The individual´s right to revoke the authorization
  • An expiration date for the authorization

With regards to the final core elements, it is important for the individual to be aware that a social media post containing their PHI may be widely shared, screenshot, and republished. In the event that a patient requests a revocation of their authorization, the organization may be unable to comply.

This scenario is covered in the Privacy Rule by a clause that exempts revocations in cases where “the Covered Entity has taken action in reliance thereon”. However, these core elements must be included in the authorization in order for it to be considered valid at the time it was signed.

HIPAA Social Media Violations On The Rise

Sharing too much information on social media platforms can have devastating effects on both healthcare organizations and employees if patient-specific information is shared.

With over a billion people on social networks and professional blogs, it is not surprising that HIPAA violations are on the rise and are raising major concerns among medical practices.

There are many benefits to be gained from using social media if your organization is a HIPAA Covered Entity or Business Associate. For example, healthcare providers can promote healthy lifestyles, raise awareness of emerging health issues, and make announcements when special clinics or services are available to the public.

Health plans can use social media to market health insurance products, advertise new plans and benefits, and attract new customers; while Business Associates can promote B2B services and quickly answer questions from interested parties. However, all of these uses of social media may be subject to FTC and HIPAA social media rules.

HIPAA And Social Media Cases

There are several examples of HIPAA social media cases that have resulted in disciplinary action against the offender. For example, in October 2019, a dental practice was fined $10,000 for impermissibly disclosing PHI on a social media review site; while in January 2016, a nursing assistant was fired from her job and sentenced to 30 days in jail for posting a video of a patient online.

Covered Entities, Business Associates, and members of their workforces should take steps to avoid HIPAA violations of this nature. The steps should include providing training on the organization´s social media policies, enforcing sanctions policies that prohibit impermissible uses and disclosures of PHI on social media, and implementing safeguards to prevent inadvertent disclosures.

For further information on the best ways to avoid HIPAA violations when using social media, seek professional advice from a compliance expert. Alternatively, you are invited to download our HIPAA and Social Media Checklist which contains the key points organizations may wish to consider when developing a social media policy to comply with HIPAA.

What are the FTC Social Media Rules?

The FTC social media “rules” are the regulations relating to deceptive acts or practices in Section 5 of the Federal Trade Commission Act. The regulations apply to all forms of advertising and marketing, and define an act or practice as deceptive if:

  • a representation, omission, or practice misleads or is likely to mislead the consumer;
  • a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  • the misleading representation, omission, or practice is material.

This means any claim – whether made by an organization or on behalf of an organization, and regardless of whether Protected Health Information is disclosed to support the claim –   must not “seek to gain an advantage while avoiding competing on the merits”.

HIPAA Social Media Rules – FAQs

What do you need to know about social media and HIPAA?

What you need to know about social media and HIPAA is that posting PHI on social media is permissible under HIPAA only if you have a written authorization from the subject of the PHI. However, once something is posted on social media, you have no control over what happens to it. If the subject of the PHI subsequently wants to revoke an authorization, you cannot comply with the request because you have no control over who has seen the post or what copies have been made.

What is one reason that social media increases the risk for HIPAA violations?

One reason that social media increases the risk for HIPAA violations is that social media channels make it easy for users to take a photo and upload it with the tap of a screen. This increases the risk for HIPAA violations because members of a covered entity´s workforce can unthinkingly take a photo of something or someone they have seen and post it on the Internet within seconds. If the photo reveals a PHI identifier and health information (for example, a celebrity being brought into ER) it is a violation of HIPAA unless the written authorization of the celebrity has been obtained in advance.

What is considered a HIPAA violation with social media?

One thing considered a HIPAA violation with social media is posting any individually identifiable health information without a written authorization. If a authorization is obtained, the form on which the disclosure is authorized has to inform the subject what the disclosure is for and explain that the subject has the right to revoke the authorization. The subject should also be given the option of stipulating a time period after which the disclosure must end.

As it is impossible to control what happens to a social media post once it has been published, it is unlikely a covered entity will be able to comply with a revocation or expiration request. This is a violation of HIPAA unless the authorization form includes the “reliance upon” clause excluding covered entities from revocation and expiration requests after the event.

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information, is that a breach of the HIPAA Privacy Rule?

If an employee attaches an image of a patient’s injury to a Tweet without any other identifying information it is a breach of the HIPAA Privacy Rule if the identity of the individual can be determined from image. However, if the patient has given their written authorization for the image to be used, and the image is shared under the conditions of the authorization, there is no violation of the HIPAA Privacy Rule.

Do the HIPAA social media rules apply to all accounts or just corporate accounts?

The HIPAA social media rules apply to all accounts – not just corporate accounts. It is important to be aware that images posted on private social media accounts without patient consent are in double violation of HIPAA, as the individual has not only posted ePHI impermissibly, they have also obtained the image from a corporate source that lacked the protections of the HIPAA Security Rule.

If there are no specific social media rules, can covered entities still be fined for violations of HIPAA on social media?

If there are no specific social media rules, covered entities still be fined for violations of HIPAA on social media because in most cases unauthorized disclosures of ePHI on social media are impermissible disclosures – which is a breach of the Privacy Rule. If an employee has accessed ePHI without authorization to publish PHI on social media, the covered entity would be liable for the likely breach of the Security Rule for not protecting ePHI from unauthorized disclosure.

Do all employees have to be trained on HIPAA social media rules, or just those with access to ePHI?

All employees should be trained on HIPAA social media rules as part of their security awareness training. All members of the workforce should be aware of the organization’s policies relating to social media whether they have access to ePHI or not. Even members of the workforce without access to ePHI can disclose information on social media such as a patient’s name and what they are being treated for, so it is important they know not to disclose information without authorization through any media.

How can covered entities and business associates implement controls that flag potential HIPAA violations on social media?

Covered Entities and business associates can implement various controls that flag potential HIPAA violations on social media. For example, the simplest way to monitor social media for HIPAA violations is to search for specific hashtags relating to a healthcare facility (i.e., #nyp, #mayoclinic, #UPMC, etc.). Although a manual control rather than a technology control, reviewing what is written about a healthcare facility on social media can help facilities improve their services – and their HIPAA policies – in many different ways.

Why is posting patient information on social media a HIPAA violation?

Posting patient information on social media is a HIPAA violation if you do not have the patient’s authorization because it discloses individually identifiable health information to the public that could be used to commit fraud or identity theft. Even if you do not name the patient when you post Protected Health Information on social media, the patient can still be identified from other information included in the social media post.

What is a HIPAA compliant social media policy?

A HIPAA compliant social media policy is a policy that stipulates the circumstances under which it is allowed to post any information to social media. As social media posts can never be fully retracted (because they may have been shared, screenshot, or copied and pasted prior to retraction) , it is a best practice to prohibit any post containing individually identifiable health information and enforce tough sanctions on any member of the workforce that breaches this policy.

What is the penalty for a social media HIPAA violation?

The penalty for a social media HIPAA violation depends on who is responsible for an impermissible disclosure of PHI and what the consequences are. For example, if a Covered Entity posts PHI on a social media site without authorization for a marketing campaign, and the subject(s) of the PHI complain to HHS’ Office for Civil Rights, the penalty could be a substantial fine.

However, if a member of a Covered Entity’s workforce posts PHI on a social media site without authorization, the penalty will be whatever sanction is listed in the Covered Entity’s sanctions policy. This could range from a verbal warning and retraining to termination of contract and loss of license – a more likely outcome if the violation demeans the patient or is a repeated offense.

Is Facebook HIPAA compliant?

Facebook is not HIPAA compliant. Although social media has some mechanisms to control unauthorized access to accounts, Meta will not sign a Business Associate Agreement with Covered Entities. Indeed, under Facebook’s terms for the Workplace by Facebook service, Meta prohibits the use of the service to  “submit […] any patient, medical, or other protected health information regulated by HIPAA or any similar federal or state laws, rules, or regulations”.

Are there any examples of HIPAA violations on social media?

There are several examples of HIPAA violations on social media that have resulted in fines being issued by HHS’ Office for Civil Rights and dozens of examples of employees being fired and/or charged for HIPAA violations on social media.

  • In 2019, Elite Dental Associates was fined $10,000 for disclosing a patient’s name, details of her health condition, treatment plan, insurance, and cost information in response to a negative online review.
  • In 2022, another dental practice – Dr. U. Phillip Igbinadolor and Associates – responded to a patient complaint on social media disclosing the patient’s name and treatment. The dentist was fined $50,000.
  • In 2017, ProPublica published more than fifty examples of HIPAA violations on social media that resulted in employees being sanctioned, fired and/or charged with a criminal offense.

What are the recommended social media guidelines for healthcare professionals?

The recommended social media guidelines for health professionals are not to post anything relating to patients on social media channels. Even if you have the patient’s authorization to comment about someone you are caring for or have treated, there is no way you can fully retract the social media post if the patient decides to revoke their authorization. As well as not being able to retract the post, if a friend or family member of the patient – who does not know you have the authority to publish the patient’s PHI  – sees the post, they may file a complaint with your employer or HHS’  Office for Civil Rights.

Is posting a photo of a patient on social media considered a disclosure?

Posting a photo of a patient on social media is considered a disclosure if the photo identifies the individual and either the photo or a description of the photo implies a past, present, or future treatment relationship. However, posting a photo of a patient on social media is not necessarily an impermissible disclosure if you have obtained the patient’s written authorization.

Is it a HIPAA violation to look up a patient on Facebook?

It is not a HIPAA violation to look up a patient on Facebook because information on Facebook pages is posted by individuals who are aware – or who should be aware – they are publishing information about themselves in the public domain. However, if you are discovered looking up a patient on Facebook, it may raise concerns you could also be snooping on the patient’s medical records. Although not a HIPAA violation, it is best to avoid looking up patient information on any media for purposes not permitted by the Privacy Rule.

Who is allowed to share personal health information on social media sites?

The issue of who is allowed to share personal information on social media sites is complicated. There are guidelines in HIPAA about sharing protected health information on social media; but, if an individual or organization is not covered by the HIPAA guidelines or an employer’s social media policy, other data privacy laws may apply – and these can vary from state to state.

With regards to HIPAA and social media, Covered Entities and Business Associates can share personal health information on social media sites provided they have the patient’s authorization to do so. Employees of Covered Entities and Business Associates are advised not to share personal health information on social media sites unless they have a valid reason for doing so (i.e., marketing) and the patient’s authorization has been acquired by their employer.

What are the rules for social media and patient privacy in HIPAA?

There are no specific rules for social media and patient privacy in HIPAA because HIPAA was created many years before social media. However, each Covered Entity and Business Associate should have a social media policy that either prohibits members of the workforce from posting patient information on social media channels or that outlines the procedures to post patient information on social media channels in compliance with HIPAA. Each Covered Entity and Business Associate should also have – and enforce – a sanctions policy for patient privacy violations on social media.

The post HIPAA And Social Media Guidelines appeared first on HIPAA Journal.

What is HIPAA Certification?

Posted by HIPAA Journal

HIPAA certification for individuals is certified HIPAA training combined with testing to verify awareness of HIPAA compliance requirements, typically conducted on an annual basis. Successful trainees receive a HIPAA compliance certificate.

HIPAA Certification Requirements for Healthcare Professionals and Administrators

Certifying that an organization’s workforce is HIPAA compliant can have similar benefits to those discussed above inasmuch as a compliant workforce is less likely to violate HIPAA or make mistakes that could result in data breaches. Similarly achieving workforce HIPAA certification demonstrates a reasonable amount of care to abide by the HIPAA Rules in the event of an OCR investigation or audit.

What is HIPAA Certification for OrganizationsFor individual members of the workforce, HIPAA certification can help foster patient trust, support applications for promotion, and increase prospects in the job market. However, it is what workforce members learn during a certification program that can have the biggest impact on their professional lives, as this can help prevent unintentional violations that can have significant consequences.

Unintentional violations of HIPAA can be attributable to a lack of knowledge, shortcuts being taken “to get the job done”, or because a cultural norm of noncompliance has been allowed to develop. Whatever the reason, violations of HIPAA can result in sanctions ranging from written warnings to loss of professional accreditation – sanctions that can be avoided by applying the information learned during a certification program.

HIPAA training is not optional and “a covered entity must train all members of its workforce on policies and procedures […] as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity” as stated in §164.530(b)(1) of the HIPAA Privacy Rule. All HIPAA covered entities must  “implement a security awareness and training program for all members of its workforce including management” as stated in §164.308(a)(5) of the HIPAA Security Rule.

Who Needs HIPAA Certification?

Anyone who creates, views, sends, or stores protected health information (PHI) needs HIPAA certification.

HIPAA Certification for Clinicians and Clinical Support Staff

Physicians, nurses, advanced practice providers, therapists, pharmacists, techs, and medical assistants touch PHI all day long. The risks are not abstract, they show up in small, routine activities:

  • Clicking into the wrong chart when the waiting room is busy

  • Talking through a case a little too loudly at the nurses’ station

  • Leaving imaging results open on a workstation during a handoff

Certification for this group should reinforce habits that protect patients even on hectic days: using the minimum necessary information, double-checking patient identity before discussing results, logging out of shared devices, and knowing when a “quick favor” (for example, sharing results with a family member) actually needs an authorization.

HIPAA Certification for Administrative and Front-Office Staff

Front-desk and administrative teams often see PHI before a clinician does. They manage check-in, intake forms, insurance cards, and a constant stream of phone calls and portal messages.

Administrative roles here include:

  • Practice managers and office administrators

  • Reception and scheduling staff

  • Medical records and health information management teams

The risks are practical: reading a full diagnosis out loud at the front desk, sending an appointment reminder to the wrong number, or handing a packet of records to the wrong person in a busy waiting room. HIPAA certification should give these staff clear scripts and workflows, how to verify identity over the phone, what can and can’t go in a voicemail, how to handle walk-in record requests, and when to escalate a request to the privacy office.

Billing, Coding, and Revenue Cycle Personnel

Billing and coding teams live in the details of claims, remits, and patient balances. They may not be in the exam room, but they regularly work with diagnoses, procedures, and sensitive financial information.

The types of roles requiring HIPAA certification include:

  • Coders and charge entry staff

  • Billing and collections teams

  • Payment posting and follow-up staff

HIPAA Certification for IT, IT Security, and other Technical Staff

IT and security teams may never open a chart for treatment, but they often have broad access to systems that store PHI. A misstep in this group, like a misconfigured database or shared admin account—can expose far more data than a single wrong fax.

The IT roles that may require HIPAA certification include:

  • Network and system administrators

  • EHR and practice management system admins

  • Helpdesk and desktop support staff

  • Cybersecurity, infrastructure, and cloud teams

HIPAA Certification for Business Associate Staff

Many organizations that never see a patient face-to-face still qualify as HIPAA Business Associates because they handle PHI for a HIPAA Covered Entity. Some common examples of HIPAA Business Associates include:

  • Cloud hosting providers and EHR vendors

  • Billing and collection agencies

  • Transcription and dictation services

  • Analytics, reporting, and population health vendors

A Business Associate Agreement (BAA) sets the contract terms and should include HIPAA training and HIPAA certification for the people doing the work. Individual staff at these companies need HIPAA certification that addresses:

  • What the contract allows them to do with PHI and what’s outside scope

  • When to de-identify data and how to do it correctly

  • How to respond if they receive more PHI than they expected, or PHI from the wrong client

  • How and when they must notify their client about a potential incident or breach

Without that HIPAA training, even a well-written BAA can be undermined by day-to-day shortcuts by staff.

HIPAA Certification for Healthcare Students

Healthcare students handle PHI during clinical rotations, practicums, and administrative internships.

  • Medical, nursing, and allied health students

  • Health information management and coding students

  • Administrative and health management interns

Healthcare sector students, both clinical and administrative, should receive comprehensive HIPAA training and HIPAA certification that covers the everything they need to know about HIPAA but also covers the special circumstances of students such as using PHI in student reports.

Benefits of HIPAA Certification

IPAA certification gives employees a stronger résumé signal and marketability by showing they can handle PHI correctly, applying the HIPAA Minimum Necessary Rule, HIPAA Security Rule, and HIPAA Privacy Rule. It builds credibility with peers and employers. HIPAA certification gives employees a competitive edge for promotions. HIPAA certification gives employees peace of mind by clarifying what to do, how to document and escalate, and which safeguards to apply, so everyday decisions are confident and defensible.

HIPAA Certification FAQs

Why is HIPAA certification described as a “point in time” accreditation?

HIPAA certification is described as a “point in time” accreditation because HIPAA compliance is an on-going progress. A HIPAA certified organization may have passed a third-party company’s HIPAA compliance program and implemented mechanisms to maintain compliance, but that is no guarantee the organization will remain compliant in the future. HIPAA certification should be considered an initial objective and then an ongoing task.

Can software be certified as HIPAA compliant?

Software cannot be certified as HIPAA compliant because, while it is possible for software to have HIPAA-compliant capabilities, the way the capabilities are used determines compliance with the HIPAA Rules. It is also important to note the distinction between HIPAA compliant software and HIPAA compliance software.

What does HHS say about HIPAA certification?

What HHS says about HIPAA certification is that there is no requirement in HIPAA for a covered entity or business associate or healthcare worker to be certified as compliant. The Department warns organizations to be aware of misleading marketing claims suggesting compliance programs or material is endorsed by HHS or the Office for Civil Rights (OCR).

What is the difference between a third party audit and an HHS audit?

The difference between a third party audit and an HHS audit is that a third party audit checks a covered entity´s HIPAA compliance and, if lapses in compliance are found, the covered entity has an opportunity to address them. If lapses in compliance are found during an HHS audit, the covered entity may be fined – even if there has been no unauthorized use or disclosure of PHI. Because of the risk of a financial penalty for non-compliance, the cost of a third party audit can be a sound investment.

What is the cost of a third party compliance audit?

The cost of a third party compliance audit depends on the size of the covered entity or business associate and the nature of activities. For example, the cost of a third party audit for a major healthcare group is going to be significantly more than the cost to a sole-trader insurance broker who handles a limited number of healthcare claims each year.

How long does HIPAA certification for covered entities and business associates last?

HIPAA certification for covered entities and business associates does not “last”. A HIPAA certification indicates that a covered entity or business associate has passed a third-party company´s HIPAA compliance program and “at that point in time” was HIPAA compliant. As soon as that point in time has passed, a HIPAA certification is no guarantee of compliance. As a result, HIPAA certification has no lifespan and it is a best practice is to conduct regular compliance audits.

How long does HIPAA certification for healthcare workers last?

How long HIPAA certification for healthcare workers lasts depends on whether the certification has been achieved independently or as part of an employer’s training program. If the former, the “point in time” principle applies. If the latter, the certification should be retained for six years in compliance with the HIPAA documentation requirements. It is also recommended refresher training is provided at least annually.

How does HIPAA certification help foster patient trust?

HIPAA certification helps foster patient trust because one of the most important elements of a patient/healthcare professional relationship is trust. When patients are confident their privacy is being respected, this will help foster trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in more rewarding work experience.

Why might a healthcare professional lack knowledge of HIPAA?

A healthcare professional might lack knowledge of HIPAA because covered entities are only required to provide training relevant to a healthcare professional’s role. When a healthcare professional transfers to a new role – or is asked to substitute for a colleague in a different role – they may not immediately have the level of HIPAA knowledge relevant to the role they are performing, potentially resulting in unintentional HIPAA violations.

How are cultural norms of noncompliance allowed to develop?

Cultural norms of non-compliance are allowed to develop in the workplace because many covered entities lack the resources to monitor HIPAA compliance 24/7. It is not unusual for busy healthcare workers to take shortcuts with HIPAA compliance “to get the job done”; and, if the shortcuts become a regular occurrence, they develop into a cultural norm of noncompliance. This is why it is important for covered entities to provide refresher HIPAA training at least annually.

What does HIPAA certification signify?

HIPAA certification signifies that an organization has passed a HIPAA compliance audit. Although this may only be a point in time accreditation, the certification demonstrates the organization has effectively implemented HIPAA’s privacy provisions and security standards. Alternatively, a HIPAA certification for an individual can signify that a member of the workforce has achieved the level of HIPAA knowledge required to comply with the organization’s policies and procedures.

Is certification a requirement of HIPAA?

Certification is not a requirement of HIPAA. It is a voluntary process that organizations can undertake to validate their understanding and implementation of HIPAA’s regulations. Indeed, preparing for certification can help organizations fine-tune risk analyses to better identify gaps in compliance and make better informed decisions about how to fill the gaps.

What are the benefits of becoming HIPAA certified?

The benefits of becoming HIPAA certified include that the process of certification can help organizations adopt best privacy practices and implement the safeguards required by the HIPAA Security Rule. This can reduce the likelihood of HIPAA violations and data breaches. Also, if a violation does occur, certification may demonstrate “a reasonable amount of care” to abide by the rules, which could impact the severity of penalties.

How can HIPAA certification affect the penalties for HIPAA violations?

HIPAA certification can impact the penalties for HIPAA violations significantly if – for example – an organization that is certified experiences a HIPAA violation, and HHS’ Office for Civil Rights investigates the violation. A HIPAA certification demonstrates a good faith effort to comply with HIPAA. This could influence the decision about whether a violation is classified as a Tier 1 or Tier 2 violation, affecting the minimum penalty per violation – if a penalty is imposed at all.

Why might business associates find it beneficial to obtain HIPAA certification?

Business associates might find it beneficial to obtain HIPAA certification to demonstrate the intention to operate compliantly, making their services more appealing to prospective covered entities in a crowded marketplace. Also, if a business associate has achieved HIPAA certification, it may reduce the amount of due diligence required before a covered entity will enter into a Business Associate Agreement.

What are the key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant?

The key areas of compliance that are reviewed for a covered entity to be certified as HIPAA compliant include adherence to the HIPAA Security Rule’s administrative, technical, and physical safeguards; remediation plans for gaps identified in audits; policies and procedures for regulatory compliance; employee training; documentation management; Business Associate Agreement management; and incident management procedures for data breaches or violations.

How do HIPAA certification requirements differ for business associates compared to covered entities?

HIPAA certification requirements differ for business associates compared to covered entities by being tailored to the services being offered to or on behalf of covered entities. A key point is that business associates must implement a security and awareness training program for all members of the workforce, not just those involved in services being offered to or on behalf of covered entities.

What are the benefits of HIPAA certification for healthcare workers?

The benefits of HIPAA certification for healthcare workers are that healthcare workers achieve a deeper understanding of HIPAA beyond the basic “policy and procedure” training provided by employers. This comprehensive education covers frequently violated standards like patients’ rights, the minimum necessary standard, and allowable uses and disclosures – helping to prevent unintentional violations due to lack of knowledge.

How long does it take to achieve HIPAA certification?

The length of time it takes to achieve HIPAA certification can vary widely and is difficult to predict without knowing the level of knowledge that each organization or individual is starting from, the gaps that might be identified during audit processes and the nature of the remediation plans required to address them. The process involves thorough several audits and tests, and cannot be completed overnight.

The post What is HIPAA Certification? appeared first on The HIPAA Journal.

Is Ademero HIPAA Compliant?

Posted by HIPAA Journal

Content Central by Ademero is HIPAA compliant and organizations in the healthcare sector can use the cloud-based document management system to streamline document-intensive processes and workflows when documents contain Protected Health Information (PHI). Ademero has told us the company is willing to enter into a Business Associate Agreement with HIPAA covered entities and business associates as necessary.

What is Content Central?

Content Central is an enterprise document management system that works by capturing documents and files from scanners, network folders, and email accounts, and converting them into searchable PDF files. The PDF files can be grouped together according to administrator-defined values and are stored in a secure cloud server for remote retrieval by authorized users. The process can significantly accelerate workflows by eliminating delays attributable to searching for and retrieving documents.

Once retrieved, documents can be shared with or among other authorized users via the Content Central platform without using external solutions. Alternatively, Content Central can be integrated with collaboration and productivity suites such as Microsoft Office 365 and Google Workspace – subject to the integrations being configured to support HIPAA compliance and a Business Associate Agreement being signed with the third party service provider.

Is Content Central by Ademero HIPAA Compliant?

Ademero Software has developed Content Central with HIPAA compliance at top of mind. The system includes unique user identification controls, automatic logoff, and emergency administrator access to comply with §164.312 of the Technical Safeguards. All documents are encrypted in transit and at rest, and the system’s audit controls allow administrators to track logon and logoff activity, file access, and document histories (i.e., edits, copies, and downloads).

Other than assigning user IDs (or integrating Content Central with an existing SSO solution), applying user permissions, and enabling or disabling “system fields”, there is little administrators have to do to make Content Central by Ademero HIPAA compliant. The company is flexible about the content of optional clauses in customers’ Business Associate Agreements and are happy to speak with compliance officers or system administrators who may have operational concerns.

Considerations before Adopting a Document Management System

There are two considerations to take into account before adopting a document management system – the first being that, when paper documents are converted into digital documents, members of the workforce may initially find PHI harder to access and tempted to take compliance shortcuts “to get the job done”. This risk of non-compliance can be overcome by tailoring HIPAA training to explain the purpose of the additional security measures and why they should not be circumnavigated.

The second consideration is the compliant disposal of PHI maintained on paper once it has been scanned and converted into a digital document. HHS’ Office for Civil Rights has published a fact sheet about the compliant disposal of PHI and has fined companies who do not comply with the HIPAA disposal requirements. If your organization is unsure about how best to dispose of PHI in compliance with HIPAA, it is recommended you seek professional compliance advice.

The post Is Ademero HIPAA Compliant? appeared first on HIPAA Journal.

Does HIPAA Apply to Employers?

Posted by HIPAA Journal

HIPAA applies to employers in certain circumstances and, although HIPAA does not protect individually identifiable health information maintained by a covered entity in its role as an employer,  it is important for employers to understand what these circumstances are to avoid HIPAA violations. Employers also need  to ensure that their workforces understand whether or not health data collected and maintained by their employer is protected by the HIPAA Privacy Rule.

Does HIPAA Apply To EmployersYou can use our HIPAA Checklist For Employers to view your compliance requirements and avoid HIPAA violations.

The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and open to a number of interpretations.

Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied.

Because of its complicated nature, most summaries fail to adequately answer the question how does HIPAA apply to employers? This article aims to answer that question as adequately as possible.

Let´s First Discuss HIPAA-Covered Transactions

Does HIPAA Apply To Employers In HealthcareThe HIPAA Privacy Rule defines what constitutes individually identifiable health information and how it should be protected from unauthorized uses and disclosures.

It is often the case that a new employee may disclose some elements of protected health information – for example to an employer’s HR Department – when the new employee commences with the new employer.  So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers”, would be “yes”.

However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual´s past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. If a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA does not apply to employers in this scenario.

One factor sometimes overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “covered entity” to be subject to the regulations, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):

  • A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
  • An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
  • A request to a health plan to refer an individual to another healthcare provider (and the health plan´s response).
  • The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.

For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 2, specifically §§ 162.1101 to 162.1801. With regard to the question “Does HIPAA apply to Employers who Conduct HIPAA-Covered Transactions”, this is addressed in the next section.

Does HIPAA Apply to Employers’ Self-Insured Health Plans?

Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers, and health plans.

Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when they move to a new job), it is exempt from the Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.

However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).

What HIPAA Means to Employers

What HIPAA means to employers generally is that they do not have to implement measures to protect the privacy of individually identifiable health information in accordance with the Privacy and Security Rules, nor notify employees and HHS´ Office for Civil Rights in the event of a data breach. However, HIPAA is not the only legislation that relates to the privacy and security of employee data.

Other federal laws such as the Fair Credit Reporting Act and Fair and Accurate Credit Transaction Act govern what employers can do with certain types of employee data, while state laws such as the California Privacy Rights Act grants employees rights over what data is maintained about them similar to the patients´ right provisions of the HIPAA Privacy Rule.

Employers and Protected Health Information: Conclusion

The answer to the question “Does HIPAA Apply to Employers” is generally “no”. However there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between; but, when they occur, it is important employers are aware of their compliance obligations.

In most cases, HIPAA does not prevent an employer from announcing the birth of a child to the parent´s workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific circumstances.

Does HIPAA Apply to Employers? FAQs

If I give my employer a doctor’s note to prove I was sick, does HIPAA apply to the doctor’s note?

If you give your employer a doctor’s note to prove you were sick, HIPAA does not apply to the doctor’s note, even if you work for a covered entity or business associate. This is because the doctor’s note will not be used for a HIPAA-covered transaction. The doctor’s note is considered to be part of your employment record, like any other personal information you might provide to your employer.

If an employer phones a hospital to enquire about the wellbeing of an employee, is the information provided by the hospital covered by HIPAA?

If an employer phones a hospital to enquire about the wellbeing of an employee, the information provided by the hospital is not covered by HIPAA once it has been disclosed to the employer. by the hospital provided. However, before any information is disclosed to an employer by a hospital, the hospital must obtain the employee´s consent to disclose PHI. A disclosure to an employer without consent – other than permissible disclosures for workers’ comp purposes and to comply with OSHA –  is a violation of HIPAA.

Does HIPAA apply to employers in medical teaching institutions?

HIPAA can apply to employers in medical teaching institutions depending on the nature of medical services provided by the institution. If medical services are only available to employees and students, the institution is not a HIPAA covered entity because the provision of medical services to employees is not portable and the provision of medical services to students is covered by FERPA.

If medical services are available to the public, the institution is a hybrid entity required to comply with HIPAA for the medical services provided to members of the public, but not for non-portable medical services provided to employees or for FERPA-covered medical services provided to students. Further information about hybrid entities can be found in this HHS article.

If an employer is a federal agency, does HIPAA or the Privacy Act apply?

If an employer is a federal agency that qualifies as a covered entity and engages in HIPAA-covered transactions, HIPAA preempts the Privacy Act. In most other circumstances, federal agencies have to comply with the Privacy Act – the exceptions being when state or local laws offer greater protections to health information than HIPAA or the Privacy Act.

Does HIPAA apply to employers that are business associates of a covered entity?

HIPAA does not apply to employers that are business associates of a covered entity if a business associate in its role as an employer maintains employee healthcare data that is not used for HIPAA-covered transactions. In such cases, the business associate is not subject to HIPAA in respect of employee data – but still subject to HIPAA in respect of any ePHI received from the covered entity with whom the employer has a Business Associate Agreement.

Can an employer ask about medical conditions under HIPAA?

An employer can ask about medical conditions under HIPAA because employers – in their role of employers – are not covered entities. In the Privacy Rule there is nothing preventing an employer asking an employee about medical conditions that would violate HIPAA. However, if an employer asks a covered entity to disclose information about an employee´s medical condition, HIPAA only permits the disclosure under certain circumstances or with the consent of the employee.

When does HIPAA apply to employers?

HIPAA applies to employers when they create, maintain, or transmit Protected Health Information in connection with a HIPAA-covered transaction. This is a rare occurrence, and usually only happens when the employer administers a self-insured health plan. In such circumstances, the Protected Health Information created, maintained, or transmitted by the self-insured health plan should be kept separate from other employee data – which is not subject to the Privacy and Security Rules.

Is a new employee’s health information disclosed to an HR department protected by HIPAA?

A new employee’s health information disclosed to an HR department is not protected by HIPAA unless the information will be disclosed in a HIPAA-covered transaction by an employer who qualifies as a HIPAA covered entity. This is an extremely rare event – even if the new employee’s role is with a healthcare facility – because employers do not ordinarily qualify as HIPAA covered entities in their role as an employer.

What does “partial compliance” mean for employers in the context of HIPAA?

What partial compliance means in the context of HIPAA is that, if an employer administers a self-insured health plan or acts as an intermediary between employees, healthcare providers, and health plans, the employer is required to safeguard the PHI they have access to in their role as an administer or intermediary and certify that PHI will be protected as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

Can an employer announce the birth of a child to a parent’s workplace colleagues without violating HIPAA?

An employer can announce the birth of a child to a parent’s workplace colleagues without violating HIPAA unless the employer administers a self-insured health plan or acts as an intermediary between the parent and a health plan and learns of the birth in their role as an administrator or intermediary. In such circumstances, it would be necessary to obtain the parent’s consent to avoid violating HIPAA.

What is a HIPAA-covered transaction?

A HIPAA-covered transaction is any transaction that the Department of Health and Human Services has developed standards for in Part 162 of the HIPAA Administrative Simplification Regulations. Most HIPAA-covered transactions relate to eligibility checks for treatment, authorizations for treatment, billing, and remittances – transactions that rarely apply to employers in their role as employers.

If an employer qualifies as a partial entity, what is the first step to take to avoid HIPAA violations?

If an employer qualifies as a partial entity, the first step to take to avoid HIPAA violations is to understand what information collected, maintained, or transmitted by the employer is protected by the Privacy Rule. Thereafter, the employer must implement safeguards to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic PHI.

The post Does HIPAA Apply to Employers? appeared first on HIPAA Journal.

HIPAA Compliance for Self-Insured Group Health Plans

Posted by HIPAA Journal

HIPAA compliance for self-insured group health plans – or self-administered health group plans – is a complicated area of HIPAA legislation due to the different ways in which self-insured group health plans can operate and due to potential exemptions from HIPAA compliance.

The Administrative Simplification Rule of the Health Insurance Portability and Accountability Act (HIPAA) imposed requirements on health care clearinghouses, certain healthcare providers, and health plans (collectively known as “covered entities”) to comply with national standards for the privacy of individually identifiable health information and the security of electronic Protected Health Information.

The standards were developed by the U.S. Department of Health & Human Services and published in 2000 (the HIPAA Privacy Rule) and 2003 (the HIPAA Security Rule). Subsequent amendments, guidelines, and companion Rules have shaped HIPAA compliance for self-insured group health plans to account for advances in technology and changes in working practices. A Breach Notification Rule was added in 2009.

Definition of a Self-Insured Group Health Plan

Due to the complicated nature of HIPAA, and to better understand what HIPAA compliance for self-insured group health plans involves, it is practical to define what a self-insured group health plan is. A self-insured group health plan is one in which an employer assumes the financial risk for providing healthcare benefits to its employees as opposed to purchasing a “fully-insured” plan from an insurance carrier.

Typically, a self-insured employer will set up a special trust fund to earmark corporate and employee contributions or use general funds to pay incurred claims, and either administer the plan themselves or – more commonly for larger employers – retain the services of a third-party administrator. A self-insured group health care plan can also include medical expense reimbursement flexible spending account plans (medical FSAs) and health reimbursement account plans (HRAs).

Exemptions from HIPAA Compliance for Self-Insured Companies

Exemptions from HIPAA compliance for self-insured companies are rare. Only if a group health plan is self-insured, self-administered, and the employer has fewer than fifty employees is the company exempt from HIPAA compliance – provided medical FSAs and HRAs are also administered by the employer and not an outside third-party administrator. Providing an employee assistance plan or wellness plan can also trigger HIPAA compliance for self-insured companies.

Not surprisingly, there is a gray area of HIPAA compliance for self-insured companies known as “partial compliance”. Partial compliance is applicable when neither the sponsor of a group health plan nor its insurance agent has any access to or transmits Protected Health Information (PHI) electronically. These “hands off” group health plans only occur in specific circumstance, and generally most self-insured group health plans will be subject to HIPAA compliance.

What Does HIPAA Compliance for Self-Insured Group Health Plans Consist Of?

There are multiple elements to HIPAA compliance for self-insured group health plans, and many do not apply in all circumstances. Compliance requirements will vary from company to company depending on factors such as its size, the nature of its business, whether it operates public-facing offices, and its internal organization. The following is a brief HIPAA compliance checklist for self-insured group health plans.

Appoint a Privacy and Security Officer

Companies with self-insured group health plans have to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. These positions can be performed by the same person and/or an existing member of the workforce, and their first role is to identify where, why, and to what extent PHI is created, received, maintained, or transmitted by the group health plan. This will likely involve many different departments such as IT, legal, payroll, and HR.

Analyze Uses and Disclosures of PHI

Once the discovery of PHI is complete, the Privacy and Security Officers should analyze uses and disclosures of PHI to ensure they fall within those permitted by the HIPAA Privacy Rule. Where necessary, the Privacy Officer may need to obtain authorizations from employees for some uses and disclosures of PHI that require them. Note: Employers are not permitted to take retaliatory action or discriminate against employees who refuse to give their authorization.

Develop HIPAA-Compliant Privacy Policies

The next stage of HIPAA compliance for self-insured group health plans is to develop HIPAA-compliant privacy policies establishing how PHI can be used and disclosed. This should take into account third-party administrators who – as business associates – also have to comply with the HIPAA Security and Breach Notification Rules and elements of the HIPAA Privacy Rule, and with whom it will be necessary to enter into a HIPAA Business Associate Agreement.

Develop HIPAA-Compliant Security Policies

One of the requirements of the HIPAA Security Rule is for covered entities to implement administrative, physical and technical safeguards to ensure the integrity of electronic PHI. In order to fulfil this requirement, Security Officers should conduct a risk assessment to identify any vulnerabilities that may lead to unauthorized access to electronic PHI, and – following a risk analysis – implement suitable measures and policies to address any vulnerabilities.

Develop a Breach Notification Policy

Despite a company’s best efforts to achieve HIPAA compliance for self-insured group health plans, they may be a time when an unauthorized disclosure of PHI occurs. Self-insured companies need to be prepared for such occurrences, and should develop a breach notification policy in order to advise employees that personal information may have been compromised. The policy should also cover notifications to HHS’ Office for Civil Right when necessary.

HIPAA Training for Self-Insured Group Health Plan Administrators

HIPAA training for self-insured group health plan administrators is mandatory because these plans handle protected health information for enrollment, eligibility, claims processing, appeals, care management activities, and plan operations. Training should explain how the HIPAA Privacy, Security, and Breach Notification Rules apply in a benefits administration context, with practical guidance on minimum necessary use, verifying identities before disclosing information, and managing routine disclosures to third parties such as TPAs, stop-loss carriers, brokers, and vendors. It should also address common risk points in plan administration, including email and file-sharing practices, access controls for HR and benefits systems, safeguarding printed materials, and recognizing phishing and social engineering attempts that target member data. Since self-insured arrangements often require close coordination between the health plan, the employer, and external service providers, training should reinforce the importance of clear internal procedures, proper handling of plan communications, prompt incident escalation, and maintaining defensible documentation of training completion for compliance purposes.

As members of a self-insured group health plan, each employee should be given a notice of the plan’s privacy practices which can be used to explain why maintaining the integrity of PHI is essential. Each employee should also be given a copy of the company’s sanctions policy that explains the consequences of failing to comply with the privacy, security, and breach notification policies.

Further Information about HIPAA Compliance for Self-Insured Companies

Although the Department of Health and Human Service provides a great deal of HIPAA information on its website, relatively little relates to HIPAA compliance for self-insured group health plans. Companies unsure about their compliance requirements should seek professional help to – first – determine their plan is subject to the HIPAA requirements, and then obtain help for ticking off the items on the HIPAA compliance checklist.

HIPAA Compliance for Self-Insured Group Health Plans: FAQs

Do the same HIPAA Rules apply if the plan is an HMO or PPO?

Regardless of whether a self-insured group health plan operates under a Health Maintenance Organization model (HMO) or Preferred Provider Organization model (PPO) the same requirements exist to ensure the privacy of employees’ individually identifiable health information and the security of electronic Protected Health Information.

What is the difference between individually identifiable health information and electronic Protected Health Information?

Individually identifiable health information is health information that alone or with other common identifiers could be used to identify a health plan member. When common identifiers such as a member’s name, date of birth, or address are stored in a designated record set with the health information, they adopt the same protections as the health information.

What if a company has nobody ready to take the roles of Privacy and/or Security Officer?

If a company does not have an existing member of the workforce with sufficient knowledge to take the roles of Privacy and/or Security Officer – and lacks the resources to employ a full-time compliance officer – it is possible to contract short-term compliancy services until such time as an existing member of the workforce has the skills and knowledge to assume the compliance roles.

What are the penalties for failing to comply with HIPAA?

The penalties for failing to comply with HIPAA varying according to such considerations as the nature of the violation(s), the number of records exposed in a data breach (if any), and the efforts made by the covered entity to reduce the risk of the violation(s) to an acceptable and reasonable level.

In most cases, HHS’ Office for Civil Rights will offer technical assistance to prevent the violation happening again or impose a corrective action plan if the violation is attributable to an underlying culture of non-compliance. Only in a minority of cases will HHS’ Office for Civil Rights impose a financial civil penalty. In such cases, the amount of the penalty (current as at December 2025) reflects the level of culpability:

Penalty Tier Level of Culpability Minimum Penalty per Violation Maximum Penalty per Violation Annual Penalty Limit
Tier 1 Reasonable Efforts $141 $35,581 $35,581
Tier 2 Lack of Oversight $1,424 $71,162 $142,355
Tier 3 Neglect – Rectified within 30 days $14,232 $71,162 $355,808
Tier 4 Neglect – Not Rectified within 30 days $71,162 $2,134,831 $2,134,831

Are disclosures of PHI for workers’ comp purposes permissible under the HIPAA Privacy Rule?

Yes. However, disclosures of PHI for workers comp purposes must comply with the “minimum necessary standard”. This standard stipulates that only the minimum amount of PHI required to accomplish the intended purpose should be disclosed – unless a state-run workers´ comp program is exempted under 45 CFR §164.502(b)(2)(v) and §164.512(a)(1).

The post HIPAA Compliance for Self-Insured Group Health Plans appeared first on The HIPAA Journal.