The HIPAA in the Room: Mistakes & Misconceptions


Most private practices have heard the horror stories circulating regarding HIPAA violations, with particular attention to the hefty fines associated with them. Since 2009, fines issued for non-compliance have increased tremendously, and depending on the severity of the violation, practices can potentially end up owing upwards of $200,000. Perhaps more costly, though, is the damage to a practice’s reputation, something physicians and staff work tirelessly every day to preserve and enhance.

The relationship between HIPAA and independent medicine has always been prickly. Many practices operate in a constant state of confusion over compliance policies and always seem to be playing a game of catch-up. They commit the kind of small, often overlooked errors that can lead to the kind of big consequences mentioned above.

Then there are the many health professionals who have responded to the threat of violations and fines by locking patient protected health information (PHI) in a figurative safe. Fear of data breaches among primary care physicians and specialists has hindered EHR interoperability. These same practices typically also enforce incredibly restrictive office and social media policies regarding health information. While these oversensitive responses are understandable, they are also very limiting. Today we will discuss a few overlooked HIPAA issues and dispel a few common myths.

Yes, you can say that

Many physicians and practice managers impose stringent policies on employees regarding the discussion of patient health information. In fact, the fear of a potential HIPAA violation is so great that some go as far as to forbid the mention of PHI anywhere in the office. Such measures are unnecessary, since HIPAA does allow for incidental disclosures. These are disclosures that may happen in certain areas of the workplace (a nurse’s station, for example) that are, well, incidental to a specific job. Consistent, clear, and straightforward communication between employees is necessary. Such “confidentiality” policies only hinder employee communication.

HIPAA fears have also stymied telephone communication between practices and patients. While it’s true that a phone message can be overheard by the wrong party, phone messages containing PHI don’t need to be made off limits. It is possible to have patients sign a consent form indicating how they prefer to be contacted. The options include mail, e-mail, text, and phone messages.

Removing EHR red tape

Fears of compromised data and the consequences of such a breach form the major barrier to EHR interoperability. In accordance with HIPAA rules, only those who have valid reasons to view a patient’s medical record are allowed access to it. Such reasons are usually treatment- and payment-related, and involve doctors and specialists in a patient’s care network, and patients themselves. Recently, paranoia has compelled many practices to demand patient authorization before every single transfer.

EHRs and the concept of interoperability were supposed to ensure that patients receive quality coordinated care, and easier access to their own health information. An EHR release policy that demands constant patient authorization can cause delays and confusion, as well as damage the patient-provider relationship. Remember, if a patient’s medical record is being sent to another party for treatment purposes specifically, then patient authorization is not needed.

Practices should place their focus on reasonable safeguards for EHRs. These include equipping them with access controls like passwords and PINs to help limit access to information. Stored information should be encrypted, ensuring that health information can only be read or understood by an authorized person with a decryption key. An audit trail should also always be kept. This identifies who accessed the information, what changes they may have made, and when.
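As an added illustration of two of the safeguards just listed, here is a hypothetical in-memory PHI store (not code from this post or from any EHR product) that gates each access on its purpose, following the treatment/payment point made above, and keeps an audit trail of who did what and when; encryption at rest is left out, and the user names, purpose labels and record id are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes the post describes as needing no separate patient authorization.
PERMITTED_WITHOUT_AUTHORIZATION = {"treatment", "payment"}


@dataclass
class AuditEntry:
    when: str         # UTC timestamp of the attempt
    who: str          # user who attempted it
    action: str       # "read" or "update"
    record_id: str
    purpose: str
    outcome: str      # "allowed" or "denied"
    change: str = ""  # field changed, for updates


@dataclass
class EhrStore:
    """Hypothetical PHI store: purpose-of-use check plus audit trail."""
    records: dict = field(default_factory=dict)
    authorizations: set = field(default_factory=set)  # (record_id, purpose) signed by the patient
    audit: list = field(default_factory=list)

    def _check(self, who, action, record_id, purpose, change=""):
        allowed = (purpose in PERMITTED_WITHOUT_AUTHORIZATION
                   or (record_id, purpose) in self.authorizations)
        # Every attempt, allowed or denied, is logged before any data is touched.
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), who, action,
                                     record_id, purpose, "allowed" if allowed else "denied", change))
        if not allowed:
            raise PermissionError(f"{purpose!r} access to {record_id} needs patient authorization")

    def read(self, who, record_id, purpose):
        self._check(who, "read", record_id, purpose)
        return dict(self.records[record_id])  # copy, so callers cannot bypass update()

    def update(self, who, record_id, purpose, field_name, value):
        self._check(who, "update", record_id, purpose, change=f"{field_name}={value!r}")
        self.records[record_id][field_name] = value


def demo():
    # Constructed sample record, not real patient data.
    store = EhrStore(records={"pt-001": {"name": "Sample Patient", "allergies": "none"}})
    chart = store.read("dr_smith", "pt-001", "treatment")      # allowed without authorization
    try:
        store.read("mail_vendor", "pt-001", "marketing")       # denied, but still logged
    except PermissionError:
        pass
    store.authorizations.add(("pt-001", "marketing"))          # patient signs an authorization
    store.read("mail_vendor", "pt-001", "marketing")           # now allowed
    store.update("nurse_jones", "pt-001", "treatment", "allergies", "penicillin")
    return chart, [(e.who, e.action, e.outcome, e.change) for e in store.audit]
```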

An overlooked position

The measures mentioned above are just a few elements that should comprise your practice’s privacy policy. In fact, you should have someone designated to oversee the development and implementation of such a policy. This isn’t just a suggestion. It’s a HIPAA requirement, and you will be considered non-compliant if you don’t have a privacy officer and a security officer (sometimes one and the same) on your current staff.

The security officer protects patient data that is held or transferred in electronic form by creating certain technical and non-technical defenses. It is also their job to help educate staff on any changes to HIPAA rules. While the caps of security and privacy officer are often worn by the office manager, these roles can be filled by outside consultants, attorneys, or other highly qualified parties.

Who signs what?

Written agreements between practices and other individuals regarding the handling or viewing of patient health information (officially called business associate agreements, or BAAs for short) are another commonly misunderstood HIPAA requirement. While these agreements assure that business associates will properly safeguard any PHI they receive or create on behalf of the practice, many physicians err on the side of BAA overkill. What is overkill? Having maintenance staff or other workers who are not actually business associates sign the agreements.

Only health professionals dealing officially with PHI, or representatives from outside services who are given PHI for a specific reason (a lawyer, for example) need to sign a BAA. It’s true that non-business associates may happen across protected health information around the office. If this prospect is enough to keep you up at night, then have these workers sign a separate agreement stating that they may not view, alter, copy, or take any confidential patient information.

Have a great day!


Brian Torchin
HCRC Staffing
111 Forrest Ave, 1st Floor
Narberth PA 19072
Office: 610-660-8120
Cell: 267-251-5275
Fax: 800-263-1547