Common HIPAA violations physicians should guard against

American Medical Association

Andis Robeznieks

From the Hippocratic Oath of ancient Greece to modern Washington’s Health Insurance Portability and Accountability Act (HIPAA), patient privacy has been a foundation of medicine and is etched into the AMA Code of Medical Ethics.

“Protecting information gathered in association with the care of the patient is a core value in health care,” states opinion 3.1.1 of the Code. “However, respecting patient privacy in other forms is also fundamental, as an expression of respect for patient autonomy and a prerequisite for trust.”

The AMA describes HIPAA as establishing “guardrails for the sharing and use of patient health information” between health care providers. The AMA notes that HIPAA regulations are mainly “permissive” in that they allow, but don’t require, the sharing of health information. And, generally, physicians and hospitals may share patient information without explicit patient consent for treatment, payment, and business operations reasons.

Crossing the lines established by HIPAA can result in civil penalties ranging from $100 for an “unknowing” violation to $1.5 million for “willful neglect.” The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcing compliance with HIPAA privacy rules.

For more than 15 years, the OCR has tracked the most-often alleged compliance issues included in HIPAA complaints.

According to the OCR, they are:

Impermissible uses and disclosures of protected health information.

Lack of safeguards of protected health information.

Lack of...

Get the Morning Update

Thanks for subscribing!