In the age of digital and electronic everything, many people have concerns over how their personal and medical information may be shared, accessed, or saved. This has led to a constantly changing landscape of requirements to keep up with technological changes. If you want to avoid liability exposure as a healthcare provider, it’s crucial that you recognize these changes.
MehaffyWeber prioritizes an advanced and proactive approach to law, providing exceptional legal representation. We offer this guide on how the increase in privacy laws is pushing healthcare providers to protect their patients’ personal information to avoid liability claims.
Legislation Regulating Protected Information
Federal and state laws regulate medical and personal health information. The Health Insurance Portability and Accountability Act (HIPAA) sets the federal standard for managing client/patient health information. Texas has passed the Medical Records Privacy Act (TMRPA), providing additional procedures and policies that ensure federal compliance.
There are several key rights these laws provide regarding patient privacy, including:
- to know how your information will be shared
- to obtain a copy of your health records from most providers and insurance
- to request that your records be corrected
- to limit the use of your information for marketing
- to have some control over who your information is shared with
- to know who has seen your information
Minimum Necessary Standard
Part of the protections HIPAA grants is that your information should be shared sparingly and only when necessary. The minimum necessary requirement requires providers to share the least amount of information necessary to achieve their goal.
An example may be when providers consult each other to determine appropriate care. If a physician is consulting for an intestinal problem, sharing that the patient has had multiple STIs may not be relevant or appropriate. This situation may be considered a HIPAA violation unless there is a medically relevant reason to share that information.
Other situations that may permit sharing information may include disclosing information to the individual who is the subject of the information or sharing information per a valid authorization to disclose protected health information.
Identifying Protected Information
To minimize your liability as a healthcare provider, it is critical to ensure your providers know what information is protected and how it should be acquired, stored, and transmitted. The HIPAA Privacy Rule defines individually identifiable information as Protected Health Information (PHI).
PHI is any information that can identify the individual or may be used to identify them. Additionally, this can include information relating to the individual’s physical or mental health condition, whether past, present, or future, provision of healthcare, or payment for healthcare services.
Identifying health information to be aware of in records or conversations includes:
- Name
- Address
- Phone number
- Social Security Number
- Birthdate
- E-mail address
- Health plan policy numbers
- Photos
- Other unique characteristics
Some information regarding the care of minors may be considered PHI and should not be disclosed without consent, even to the child’s legal guardians. You should check with your state guidelines for the types of information that are protected and at what age a child may consent to treatment on their own.
Protecting Yourself From Privacy Law Violations
Protecting patient privacy is something that most parties value in the provider/patient relationship. Healthcare providers are often unable to provide quality services if the people they treat don’t trust that what they say is kept private.
A lack of privacy breaks trust in providers and establishes quality and safety concerns regarding care. Beyond understanding the laws and requirements, there are several actions our attorneys may advise a provider to do to improve fidelity to these policies.
De-Identify Health Information
Data without identifying information has no restrictions regarding privacy laws, so de-identification is best practice when you must release information for purposes such as data collection. Removing identifiers is not always possible, but making it a general practice to withhold as many as possible reduces liability risk and keeps you in compliance with the minimum necessary standard. When information is de-identified, you remove any information that may identify the individual or be used to identify them.
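As an added illustration (not code from the article or from MehaffyWeber), the script below de-identifies a constructed patient record by dropping the identifier fields listed earlier in this guide and scrubbing identifier-shaped values from free-text notes, then runs a check that reports anything still present. The field names and the regular expressions are assumptions chosen for the example, not a complete identifier list.

```python
import re

# Direct identifier fields (assumed names) matching the article's list;
# any record key in this set is dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "ssn", "birthdate", "email",
    "health_plan_number", "photo",
}

# Identifier-shaped patterns that tend to leak into free-text notes.
# These patterns are illustrative assumptions, not an exhaustive set.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings with a typed redaction marker."""
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REDACTED]", text)
    return text

def deidentify(record: dict) -> dict:
    """Return a copy with direct identifier fields removed and notes scrubbed."""
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "notes" in clean:
        clean["notes"] = scrub_text(clean["notes"])
    return clean

def residual_identifiers(record: dict) -> list:
    """Verification step: list identifier fields or patterns still present."""
    found = [k for k in record if k in DIRECT_IDENTIFIER_FIELDS]
    for label, pattern in FREE_TEXT_PATTERNS.items():
        for value in record.values():
            if isinstance(value, str) and pattern.search(value):
                found.append(f"pattern:{label}")
    return found

# Constructed sample record for a fictional patient (not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "birthdate": "04/12/1980",
    "email": "jane@example.com",
    "diagnosis_code": "K58.9",
    "notes": "Pt reachable at 555-123-4567; DOB 04/12/1980 confirmed.",
}
```

Run `residual_identifiers(deidentify(SAMPLE_RECORD))` before releasing a record; a non-empty result means an identifier survived and the record still needs review.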
Adequate Training
State and federal guidelines require employers to ensure their team is appropriately trained to protect PHI. According to a recent article about failures to protect personal health data, many of the common violations are due to negligence. Providing frequent training and internal audits regarding fidelity to the procedure can help keep appropriate handling as a priority.
Common Errors to Avoid
In the article cited above, several types of errors are referenced regarding violations of privacy laws. Many of the facilitators of these violations include a level of complacency and carelessness, though some are directly related to education and knowledge of appropriate procedures. Examples of these behaviors include:
- Sending information to the wrong e-mail address
- Improper disposal of PHI
- Loss of equipment with PHI on it
- Conversations in areas where PHI may be overheard
- Improperly secured information
Additional violations may often include internal but unauthorized access to PHI. Examples of this can include current employees with access to charts or information unrelated to their caseload, or interns and students who gain access prior to completing the required training. Other documented cases include former employees whose access is not appropriately terminated, leaving them able to access PHI.
Use of Personal Devices
In the age of electronic medical records (EMRs) and digital charts, many people may use their phones to access information simply for ease of use. This can quickly result in breaches if the phones are not adequately protected. Additional violations may also include community workers or contract workers who use services like Google Voice, which does not necessarily have the appropriate protections to comply with HIPAA guidelines.
Contact a Medical Liability Attorney Today
If you are a healthcare provider, it is best practice to be aggressively proactive in protecting clients’ PHI. Violations of these privacy laws are not only illegal and possibly expensive, but they also damage the trust your facility has with clients and stakeholders. You may take preventative action through training, internal audits, and appropriate oversight, but errors happen, and responding appropriately is crucial to managing a successful practice.
By working with a medical liability attorney, you can feel confident you are staying up to date on current requirements. If you have questions about policies or procedures you have in place or concerns regarding violations that have already occurred, call MehaffyWeber today.