Hipaa And Patient Deception: Who's Protected?

Does the HIPAA law apply if a patient is lying?

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes guardrails for the sharing and use of patient health information between healthcare providers. It applies to all healthcare institutions and workers who submit claims electronically. HIPAA violations can result in civil penalties ranging from $100 for an unknowing violation to $1.5 million for willful neglect.

HIPAA broadly defines protected health information (PHI) as any health information transmitted or maintained in electronic media, as well as identifiable health information in oral communications. The law outlines specific scenarios where PHI can be disclosed without patient consent, such as for healthcare operations, treatment, and payment. However, HIPAA does not apply when a patient lies about their own health information: the law regulates how health information is shared and used by those who hold it, and it does not shield the patient from the consequences of their own false statements.

Characteristics and values

  • What is HIPAA? Health Insurance Portability and Accountability Act
  • Privacy Rule: A federal law that gives individuals rights over their health information and sets rules and limits on who can look at and receive it
  • Security Rule: A federal law that requires security for health information in electronic form
  • Who must follow these laws? Covered entities, including health plans, health care providers, and health care clearinghouses
  • Who is not required to follow these laws? Workers' compensation carriers, most schools and school districts, many state agencies, most law enforcement agencies, and many municipal offices
  • When can information be shared? Discussing diagnosis, workup, and treatment with other healthcare providers; performing and disclosing imaging and laboratory tests; providing imaging test results or discussing patient history when submitting surgical samples; referring a patient to another facility or obtaining a consult; calling the pharmacist to dispense medication to a patient
  • When is disclosure without consent permitted? When the patient cannot provide consent or is unavailable and disclosure is necessary for public health, required by law, or related to child abuse; when there is an investigation of fraud by the US Department of Health and Human Services; when a healthcare worker is trying to obtain consent over the phone and the patient is unable to provide it
  • When is disclosure with consent permitted? For healthcare operations, treatment, and payment, including consultation between providers, referring a patient, and information required by law for public health safety and reporting
  • Civil penalties: Up to $1.5 million for "willful neglect"
  • Criminal violations: Criminal violations may include imprisonment of up to one year and fines of up to $50,000

Does HIPAA apply to all healthcare workers?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US law that sets national standards for the protection of certain health information. The law applies to "covered entities" and their "business associates". Covered entities include health plans, health care clearinghouses, and health care providers who conduct standard healthcare transactions electronically. This means that most doctors, clinics, hospitals, pharmacies, and dentists are covered by HIPAA.

Business associates of covered entities must also follow parts of the HIPAA regulations. Business associates include contractors, subcontractors, and other outside persons or companies that are not employees of a covered entity but still need to access health information when providing services to the covered entity. Examples include companies that help process health care claims, companies that help administer health plans, and outside lawyers and IT specialists.

Therefore, while not all healthcare workers are directly covered by HIPAA, the law does apply to a wide range of healthcare workers, and many will still be indirectly affected by the regulations through their employers' contracts with business associates.

What are the penalties for violating HIPAA?

The penalties for violating HIPAA vary depending on the nature and severity of the violation, the intent of the violator, and the corrective actions taken.

Civil Penalties

Civil penalties for HIPAA violations are financial and are determined based on a tiered structure. The penalty tiers are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, with a penalty ranging from $100 to $50,000 per violation.
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided, with a penalty ranging from $1,000 to $50,000 per violation.
  • Tier 3: A violation resulting from "willful neglect" of HIPAA rules, where an attempt has been made to correct the violation, with a penalty ranging from $10,000 to $50,000 per violation.
  • Tier 4: A violation constituting "willful neglect" of HIPAA rules, where no attempt has been made to correct the violation within 30 days, with a minimum penalty of $50,000 per violation.

The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing these civil penalties. OCR considers various factors when determining the specific penalty within each tier, including the length of time the violation persisted, the number of people affected, and the nature of the data exposed.

Criminal Penalties

Criminal violations of HIPAA are handled by the Department of Justice (DOJ) and can result in fines and/or imprisonment. The criminal penalties are divided into three tiers:

  • Tier 1: Violations due to reasonable cause or no knowledge of the violation, with a penalty of up to 1 year in jail.
  • Tier 2: Obtaining protected health information under false pretenses, with a penalty of up to 5 years in jail and a fine of up to $100,000.
  • Tier 3: Obtaining protected health information for personal gain or with malicious intent, with a penalty of up to 10 years in jail and a fine of up to $250,000.

Corrective Action Plans

In addition to financial penalties, covered entities and business associates may be required to adopt corrective action plans to address compliance deficiencies and bring their policies and procedures up to the standards mandated by HIPAA.

What are the patient's rights under HIPAA?

Patients have several rights under HIPAA, the Health Insurance Portability and Accountability Act of 1996. This legislation protects the privacy and security of individuals' identifiable health information and establishes an array of individual rights with respect to health information.

The HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for their health care providers and health plans. This includes medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used to make decisions about individuals.

Individuals have the right to:

  • Ask to see and get a copy of their health records
  • Have corrections added to their health information
  • Receive a notice that tells them how their health information may be used and shared
  • Decide if they want to give permission before their health information can be used or shared for certain purposes, such as for marketing
  • Request that a covered entity restrict how it uses or discloses their health information
  • Get a report on when and why their health information was shared for certain purposes

Additionally, patients can:

  • Stop their employer from receiving most health information about them
  • Ask their doctor or health plan to contact them only in certain ways or at certain locations
  • Ask to read the information about them in their medical records
  • Make copies of their personal health information in their medical records
  • Ask their doctor or health plan to change information about them in their medical records if it is not correct or complete

If patients believe their rights are being denied or their health information isn’t being protected, they can file a complaint with their provider or health insurer, or with the US Department of Health and Human Services.

What are the exclusions to a patient's PHI?

The Health Insurance Portability and Accountability Act (HIPAA) ensures that patient medical data remains private and secure. There are several scenarios where disclosure of PHI may violate HIPAA, and they include the following:

  • Mental health notes, which under HIPAA may not be shared, even for treatment purposes, without explicit authorization.
  • Any legal document that pertains to medical records.
  • Laboratory results, especially the results of sexually transmitted diseases.

PHI can be disclosed without consent in the following situations:

  • If the patient cannot provide consent or is unavailable when disclosure is necessary for public health, by law, or regarding child abuse.
  • When there is an investigation of fraud by the US Department of Health and Human Services.
  • When a healthcare worker is trying to obtain consent over the phone, and the patient is not able to provide it.

There are also several instances where PHI can be shared without patient authorization:

  • Treatment, Payment, and Health Care Operations (TPO): This includes consultations between doctors, referring a patient, and information required by law for public health safety and reporting.
  • Opportunity to Agree or Object: In cases where there may not be time to obtain a formal written authorization, it is permissible to obtain an informal verbal authorization from the patient or their authorized representative.
  • Incidental Use and Disclosure: It is considered permissible if the disclosure of PHI was incidental or related to another use or disclosure that the patient has given permission for.
  • Public Interest and Benefit Activities: Otherwise protected health information can be released without patient consent in 12 scenarios, which are labeled as "national priority purposes."

What are the procedures for reporting a HIPAA violation?

If you believe your rights are being denied or your health information isn't being protected, you can file a complaint with your provider or health insurer, or with the HHS Office for Civil Rights (OCR). The OCR can investigate complaints against covered entities (health plans, health care clearinghouses, or health care providers that conduct certain transactions electronically) and their business associates.

If you are a member of a covered entity's or business associate's workforce, you should report the violation to your immediate manager or supervisor. If you feel your report is not acted on, you can escalate it to the organization's HIPAA Privacy Officer or HHS's Office for Civil Rights.

If you are a member of the public, you can raise the issue with the organization's HIPAA Privacy Officer, your state Attorney General, or HHS's Office for Civil Rights. The contact details of the organization's Privacy Officer should be on the organization's Notice of Privacy Practices and website, or you can contact HHS's Office for Civil Rights via any of the methods explained on their website.

Complaints should generally be submitted within 180 days of discovering the violation, although extensions may be granted for good cause. Anonymous complaints are accepted, but OCR requires a name and contact information before it will initiate an investigation. All complaints are reviewed, and an investigation is opened where HIPAA Rules are suspected to have been violated and the complaint was filed within the designated timeframe.

Not all HIPAA violations result in settlements or civil monetary penalties. Most often, issues are resolved through voluntary compliance, technical guidance, or if the Covered Entity or Business Associate agrees to take corrective action.

Frequently asked questions

No, HIPAA only applies to what are called "covered entities," which include health care providers, health insurers, and health care clearinghouses, as well as their "business associates," or contractors who handle medical records.

No, HIPAA only applies to health care providers who submit claims electronically.

Violating HIPAA can result in civil penalties ranging from $100 for an "unknowing" violation to $1.5 million for "willful neglect." Criminal penalties for HIPAA violations can include fines and imprisonment.
