The Legal Repercussions Of Tech-Based HIPAA Breaches
HIPAA regulations defining the proper protocols for handling sensitive medical information have been a great boon for patients, allowing them to pursue appropriate care – confident that doctors, insurance representatives, and other involved parties will protect their privacy – but are medical professionals honoring these practices? As many within the medical field know, most offices participate in at least some practices that would be considered questionable under HIPAA, often simple things such as using public sign-in sheets. Are these habits opening you up to lawsuits? Though it’s unlikely that a single slip-up will get you in trouble, other actions, such as irresponsible social media use by medical staff or improper disclosures could result in legal ramifications. It’s your job to set the tone for your practice, so make sure to review appropriate office behaviors with staff – and know what to do if lawyers turn up. Digital Data Breaches One of the most common reasons why practices are held responsible for HIPAA violations is that office staff improperly communicate with patients or family members, whether by disclosing information to the wrong people or by sending medical information through texts on unencrypted emails. These messages can be intercepted, allowing unauthorized parties to obtain protected information, which is why it’s vital for medical offices to use only protected channels to communicate with patients. It’s also important to make sure employees are only accessing authorized, relevant data when handling patient charts. Many employees find it difficult to resist the temptation to sneak a look at files unrelated to their work, but this is an HIPAA violation. Employees should clearly understand that they could face legal repercussions if they are caught participating in such behavior. Consequences and Legal Approaches What’s the worst that can happen if a member of your practice is held responsible for an HIPAA violation? There are several factors you should be concerned about. Although medical entities technically can’t be sued for HIPAA violations, individuals can be charged in personal injury lawsuits or criminal cases. The extent of the damage is often related to the extent and personal ramifications of the violation, such as loss of employment or pain and suffering. It’s worth noting that when we say that cases are often adjudicated based on the extent of damages, it’s often, breaches that are seemingly the smallest that actually cause the greatest waves in our legal system. Take, as an example, this Indiana case in which a pharmacist disclosed protected information to a customer’s ex-boyfriend. Upon finding out, the woman in question successfully filed a $1.4 million suit against the pharmacy, making claims including insufficient supervision. These cases gain little media attention compared to major system breaches and hacks, yet those large scale invasions often cause far less personal disruption and harm. Many Cases, Few Charges HIPAA cases are also processed through the Office for Civil Rights (OCR), but very few of the approximately 30,000 reports they receive turn into lawsuits. That means there are many things you can do to prevent claims against you or your staff from turning into a legal issue. First, know that the OCR is committed to the concept of voluntary compliance; they want your practice to be doing the right thing. That means if staff members have been casually emailing patients unencrypted medical information, the OCR is likely to approach your practice with reminders of HIPAA requirements and seek a promise that you will begin using appropriate communication channels such as EHRs and patient portals. Failure to comply with this promise, however, can lead to sanctions and fines. Second, although we often discuss lawsuits tied to HIPAA as though an HIPAA violation is the underlying legal claim, patients can’t legally sue for this reason. They are now, however, prevented from seeking another related reason for a lawsuit. Understanding this can help your office understand why HIPAA compliance is so important – patients know that they are entitled to privacy, but may not know that they don’t have direct recourse to a lawsuit if they’ve been wronged. They may then look for any other potential cause, even a minor one, in order to feel that justice has been served. Ultimately, correct use of the many technological solutions available to medical professionals today can help prevent the vast majority of HIPAA violations; they’re designed to do that very thing. This is why prompt adoption of new solutions, even costly ones, is so vital. You may think your old system works just fine, but failure to join in the medical tech revolution can open the door to legal problems down the road.