7 HIPAA Security Risk Myths Debunked

In place since 1996, the Health Insurance Portability and Accountability Act – otherwise known as HIPAA – still manages to confuse those working in the healthcare industry.

Healthcare providers, organizations and agencies under HIPAA must comply with certain requirements to protect the privacy and security of health information and must provide individuals with certain rights. If any rights are violated, it could lead to hefty fines (upwards of $50,000), potential loss of medical licensing, and in severe cases, criminal consequences.

As the saying goes, knowledge is power, and so here are the top 7 HIPAA security risk myths and their actual truths to improve your practice.

1. If healthcare facilities try their best to protect health information, there will be no security issues.

There is a specific regimen that needs to be followed to ensure the protection of health information. There must be documentation, dates and signatures at any time of access to protected health information or else access will not be considered legitimate – leading to risk of HIPAA violation.  

2. HIPAA does not allow healthcare providers to share a patient’s information with family members or care givers.

As long as the patient has given his or her written consent, then by HIPAA standards health care providers are cleared to release this information.

3. A physician is prohibited from treating a patient if he/she does not sign the privacy acknowledgement form.

Seen as a form of discrimination, this is why this myth is false. However, if a patient does fail to sign the privacy acknowledgement form for whatever reason, there are two things they need to know about: the physician cannot be held accountable for any privacy-related issues, and the doctor is still allowed to treat him/her.

4. Healthcare providers must release all of a patient’s medical information to him or her.

There are actually two cases in which a healthcare provider can refuse a patient access to his medical information. If a healthcare provider has reason to believe that any information revealed in a patient’s medical information could lead him or her to cause self-injury, then refusal of access is permitted. Also, if any medical information request forms are not filled out by a patient when requesting access, a healthcare provider can refuse access to such information.

5. Healthcare facilities are not permitted to release health information to the press pertaining to accident or crime victims.

HIPAA permits certain health information to be released to the public and/or press from the healthcare facility. However, if a patient wants full privacy of his information, he is expected to put it in writing that all health information is forbidden to disclosure.

6. Healthcare providers cannot exchange protected health information with one another unless the patient gives his or her written consent.

False. Healthcare providers can in fact exchange protected health information as long as it pertains to the treatment of the patient. They are required to use health information exchange (HIE) to ensure the information is kept protected and secure.

7. Email exchange between doctors and patients is restricted by HIPAA.

While email exchange is acceptable, security associated with regular email is the issue. HIPAA suggests that doctors and patients find an email service that provides safeguards, for example, email encryption.

BONUS MYTH

8. HIPAA does not allow healthcare facilities to use medical information for marketing reasons.

HIPAA’s restrictions pertaining to this myth are still unclear. While there are certainly cases where a patient’s HIPAA rights may be violated, a healthcare facility opening a new fundraising program could use a patient’s medical information (with consent) to raise awareness.