Written by Orlee Berlove, Director of Marketing at OnPage
American law has the well-known doctrine that ignorance of the law is no excuse. Simply put, a person who is unaware of the law may not escape liability. For HIPAA, this means that even if a hospital is unaware of HIPAA’s requirements on a subject, the entity can still be liable for violating HIPAA statutes.
At the same time, lacking knowledge of HIPAA can cause practitioners as much hassle as ignorance could. Not knowing what HIPAA allows can also lead to bizarre and painful demands on employees. For all involved, HIPAA ignorance is not bliss.
When HIPAA confusion meets violations
So why all this delving into HIPAA legalese? It has to do with an article I read on how confusion over HIPAA leads to violations. The article cites a case where an administrator at a doctor’s office posted a message on Facebook about his neighbor, stating that the neighbor was a patient of the provider’s office.
According to a lawyer who was reviewing the incident:
The provider would have been on the hook for that [HIPAA] violation … That’s something the provider didn’t control. There’s a breach even though there’s nothing the provider could have done to prevent it. …. That’s frustrating.
You can argue that the administrator should have known better. And indeed, this person should have. But they didn’t, and as noted at the beginning, ignorance is not an excuse.
HIPAA confusion stymies action
HIPAA’s complexities can also lead practitioners into a bit of paralysis, where they avoid a logical workflow based on their perceived understanding of HIPAA. For example, administrators or practitioners might (incorrectly) believe, based on their understanding of HIPAA, that they:
- cannot exchange email with patient information
- cannot store records with patient artifacts
- cannot exchange text messages with a patient’s diagnosis
In fact, all of these are possible under the right circumstances. Part of the challenge is one of education. You must know, as a practice, what HIPAA requires rather than assuming what it requires.
HIPAA compliant technologies
For example, regarding storage of patient information, you can store patient information on servers. You need to make sure, though, that your patients’ information is stored on HIPAA-compliant servers like those run by Atlantic.Net.
Email might also be an issue because you want to avoid unencrypted emails, particularly when the message has sensitive patient information such as test results. Best practices would have you ensure that information can only be exchanged with a pre-defined list so that you don’t accidentally send a patient’s test results to your friend. Indeed, HIPAA requires a segregation of personal and work-related messages. So, it’s best to use a product like Paubox for HIPAA-compliant emails.
And for secure and compliant texting, efficiency and convenience don’t need to take a back seat. HIPAA statutes regarding the exchange of patient information can be complied with and maintained with secure text messaging applications like OnPage.
HIPAA education
The truth is that HIPAA compliance needs to be thought of as more than a check box that needs to be marked off. HIPAA compliance needs to be a state of mind. Why the emphasis? Patients deserve to have their privacy held to a high standard. You would want your patient information protected, as would I.
To ensure that this state of mind is achieved, practices and hospitals need to have someone whose job it is to maintain HIPAA education standards. This means making sure all staff know what HIPAA requires of them and what technologies they can use. This training should be done frequently enough so that the message sticks and time doesn’t erode the knowledge. This special person can be an administrator or a legal consult.
The important point, though, is to ensure the staff has the right tools so that they aren’t worrying about HIPAA compliance. Instead, they should focus on their job of helping patients get better.
And no one can be or should be ignorant of that.
OnPage is a SaaS-based, HIPAA-compliant clinical communications platform for healthcare providers.