Protected Health Information Breaches: Understanding the Demands of HIPAA and HITECH

Jeannine LeCompte, Compliance Research Specialist

Protected Health Information (PHI) is the focus of both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Adherence to these two laws is the key to reducing a healthcare facility’s exposure to civil and financial penalties resulting from data breaches.

In essence, PHI is any information that can lead to the identification of an individual. This can be their name, date of birth, social security number, diagnosis, medical record number, or any other clearly identifying documentation in a health record.

HIPAA has set the standard for protecting such data, and has made it a legal right of every patient or resident to demand confidentiality of his or her personal and medical records. This law places an obligation on all healthcare facilities to use “appropriate safeguards” to protect PHI.

The HITECH Rule is an expansion of the HIPAA Privacy Rule that extends the same confidentiality requirements to all contractors or other business associates of a facility who might have access to PHI. Such associates can include, for example, billing services, payment handlers, or medical staff contracted from outside.

The primary rule is that all patients or residents of healthcare facilities have the right to verify the authorization of any individual requesting their PHI. The only time when PHI is exempt from this confidentiality requirement is when it is needed directly—and only—for treatment, payment, or other practical operational needs.

In other words, PHI can never be revealed to anyone other than those who “need to know” and, even then, the data released should never be any more than the absolute minimum required to complete that particular task. For example, a billing/payment service should only have the payee’s basic details, and not their full medical diagnosis, etc.

The maximum civil penalty for knowingly violating HIPAA is $50,000 per violation, up to a maximum of $1.5 million per violation category. A serious data breach can quickly add up to a substantial financial loss.

For example, in March 2019, California-based UCLA Health, which runs a number of hospitals and a primary care network in the Los Angeles area, was ordered to pay $7.5 million in a class-action lawsuit settlement with the 4.5 million current and former patients impacted by its May 2015 health data breach.

As severe as they are, financial penalties may not be the worst result. The Department of Health and Human Services (HHS), which enforces HIPAA’s Privacy Rule, assigns different levels of severity to criminal violations. Entities and specified individuals who “knowingly” obtain or disclose PHI face fines of up to $50,000, as well as imprisonment of up to one year, while offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to 5 years in prison.

Enforcing HIPAA and HITECH is therefore not just an obligation: it is a critical necessity.