Violations of the Health Insurance and Portability and Affordability Act (“HIPAA”) may occur without the practice owner knowing it. While most health care practices are now very accustomed to protecting patient records and providing the required privacy notices to their patients, other actions taken by the practice through its owner or staff may result in a breach of the law, and the offenders may not even be aware that the action was a violation until after it has occurred.
For example, responding to social media postings from patients of the practice may create a trap for the unknowing practice owner or staff member who simply wants to set the record straight when they encounter a negative post about the practice or treatment that has been delivered. Since the use of social media is not confidential, but is considered part of the public domain, it is important to remember that even if the patient him or herself has posted something about the practice, and even if they reference their own treatment, the practice, whether through its owner or a staff member, should be very careful in responding to a public post so that their comments do not lead to a violation of HIPAA by referencing protected health information (“PHI”). It may be preferable not to respond, or to post a simple response indicating that the practice would be happy to discuss the situation with the patient by phone.
Another action that should be avoided is sharing financial and/or treatment information about a patient with any third party including another family member of that patient. Generally speaking, if you are not providing information to the patient’s legal guardian or conservator, a person authorized by the patient to receive the information by power of attorney or consent, or another health care provider involved in the care of the patient, then it should not be shared. Even if the information sharing was only about the balance on a patient’s bill, if the source of the information is related to PHI it is protected under HIPAA.
E-mail, text, and facsimile communications with patients should continue to be used with caution, as these communications can quickly include PHI. If that is the case, the message should be encrypted.
While this is not an exhaustive list of the possible ways in which a practice, its owner and/or its staff can violate HIPAA, all such violations may lead to sanctions under the law and may also be actionable by the patient who has a claim for the breach of their privacy. Continuing to stay educated about HIPAA, its requirements, and best practices is a prudent step in the practice’s risk management plan. Such education should include regular staff training as well as a regular review of the practice’s current policies.
Contact the attorneys at Thomas Law Group if you have questions or concerns about HIPAA violations or potential violations.