Kristin was thrilled to start her new job as an office manager at a busy internal medicine practice. Kristin is outgoing and friendly, always connecting and engaging with people on social media. One day, she snapped a heartwarming photo of a patient who had brought holiday treats for the staff. Charmed by the gesture, Kristin posted the photo on the practice’s social media page to showcase the friendly patient-doctor relationship they maintain.
Now here’s where things got a bit tricky. Kristin didn’t realize that she had just committed a HIPAA violation. She didn’t know that sharing a patient’s photo without written consent, even with the best intentions, could be a problem. When the practice’s compliance officer spotted the post, they had to discuss with Kristin how her well-intentioned post was, in fact, a breach of patient privacy. The incident served as a wake-up call for everyone in the office about the importance of HIPAA compliance, even in seemingly innocent situations. Kristin’s HIPAA refresher training started the next day.
Kristin is not alone because this is one of the most commonly misunderstood things about HIPAA – the definition of protected health information (PHI). It’s important to get right because HIPAA requires regulated entities to maintain the privacy and security of PHI. It’s the first building block to a smart HIPAA compliance program.
The General Rule is Don’t Disclose Without Patient Authorization
The HIPAA Privacy Rule does not allow covered entities and business associates to use or disclose PHI without obtaining the individual’s written authorization in advance. There are exceptions – PHI may be used or disclosed without authorization for treatment, payment, and healthcare operations. For instance, a treating physician may share patient information with a hospital for treatment purposes. Similarly, a medical practice may disclose PHI to an insurer for payment-related matters.
But every time PHI is disclosed it’s crucial to follow the “minimum necessary standard” and only disclose the minimum amount of information required for the intended purpose. Use common sense to keep information to the minimum necessary. Only answer the specific question asked and don’t volunteer extra information, or information outside of the relevant time period.
PHI Might Not Include Contain Medical Information
Many people mistakenly believe that PHI must include a medical diagnosis or specific medical details. Not true.
Protected health information is any one piece of individually identifiable information linked to the provision of past, present, or future health care or payment for health care. Interestingly, it does not need to contain specific medical information. Even a simple appointment reminder with a patient’s name on it without any medical details, is PHI.
To fully protect medical identity, regulators established eighteen separate “identifiers” under HIPAA. Note that the presence of just one identifier classifies the information as PHI.
When connected to the provision of past, present or future health care, any of the following constitutes PHI:
- Geographic information
- Dates related to an individual (birth, admission, discharge)
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account numbers
- Certificate or license number
- Vehicle identifier
- Device identifier
- Web URL
- IP address
- Biometric identifier
- Full-face photos or comparable image
- Any other unique identifying number, characteristic, or code
So, the photo Kristin took is an “identifier”. By posting it on the practice’s social media page, Kristin disclosed PHI without authorization.
Examples and Solutions for Protected Health Information
- An appointment reminder written on a business card, or sent via email.
- Solution for a written appointment reminder is to not include the patient’s name or any other identifier – simply give it to the patient with the date of the appointment.
- If sending reminders via text or email, either obtain the patient’s consent to use unencrypted messaging, OR encrypt it.
- Responding to a patient review on Google or another internet site is an impermissible disclosure of PHI.
- Solution – don’t respond to reviews, OR use a general, neutral statement that does not confirm the reviewer is a patient, such as “Our practice is committed to providing quality health care.”
- A patient testimonial on a website is PHI.
- Solution – obtain consent for use in a testimonial.
- Social conversations in person, or on social media, in which patients are identified as having received care.
- Solution – staff training.
- Staff snooping on medical records out of curiosity.
- Solution – limited access plus staff training.
Negative Consequences of Unauthorized Disclosures
Violating HIPAA can result in serious consequences including data breaches which are expensive to investigate and manage, and loss of patient trust. Another consequence is an investigation by the Office for Civil Rights (OCR) which oversees HIPAA. These can be lengthy and expensive and may result in fines or a settlement payment. Civil monetary penalties can range from $127 to $63,973 per violation, with an annual cap of $1.9 million for similar violations.
So far this year, over nine months OCR has settled nine investigations and collected over $3.3 million in settlement payments, an amount already exceeding all of last year’s enforcement payments. The types of organizations investigated range from a sole practitioner psychotherapist (paid $15,000) to a major metropolitan health plan (paid $1.3 million).
Action Steps to Avoid Unauthorized PHI Disclosures
Prevention is much less expensive. Use HIPAA compliance to defend against breaches and avoid investigations.
- Make sure your HIPAA policies are up-to-date.
- Review and update your HIPAA Risk Analysis.
- Train staff on how to maintain patient privacy; include the minimum necessary rule.
- Limit PHI access to those who need it to perform their job.
- If patient reviews or testimonials are part of your practice, obtain patient authorization in advance.
- If communicating with patients via text or email, obtain consent to use unencrypted messaging in advance, OR use encryption.
With new HIPAA training under her belt, Kristin became a lead compliance team member. She recognized that even the most commonplace pieces of information could potentially compromise patient privacy. It was an eye-opener for her, realizing that her friendly reminder emails or the occasional chitchat about upcoming appointments were handling PHI. Kristin is still the friendly face at the front desk, but with an added layer of caution to make sure she protects patient privacy.