Getting serious about HIPAA

Patient-physician communication used to be simple. The patient came into the office to speak with the doctor or the physician telephoned and spoke directly with the patient. In today’s world of electronic communications, however, the potential has increased significantly for communicating private, confidential information in an unsecured manner.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was implemented as a way to make patient information safer. The act “required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.” At the time, electronic communication was not as pervasive in the medical community as it is today.

Electronic protected health information (ePHI), such as that found in a patient’s electronic health record (EHR), is now covered under the Security Rule that was published as a Final Rule in 2003. EHR systems provide a secure way to communicate with the patient and with other providers involved in that patient’s care. The challenge comes when physicians and patients are attempting to communicate via other electronic channels.

Many patients are reaching out to their physicians via email or even social media direct messaging tools. Independent physicians must be careful when replying to these messages so they do not convey any information that is considered protected. Email systems outside of those used within EHRs, social media, texting, and other forms of unsecured communications may be easy to use, but they also open up huge potential for HIPAA violations.

Online reviews may also tempt the independent physician to respond with patient-specific information, which is a violation of the privacy and security provisions of HIPAA. For example, if a patient references the time she came to see the doctor for knee pain, the independent physician can neither acknowledge the fact that she is a patient nor that she was seen for knee pain.

HIPAA is a serious matter. Protecting the patient’s information must be the paramount priority for the independent physician.