7 HIPAA Security Risk Myths Debunked
In place since 1996, the Health Insurance Portability and Accountability Act – otherwise known as HIPAA – still manages to confuse those working in the healthcare industry.
Healthcare providers, organizations and agencies under HIPAA must comply with certain requirements to protect the privacy and security of health information and must provide individuals with certain rights. If any rights are violated, it could lead to hefty fines (upwards of $50,000), potential loss of medical licensing, and in severe cases, criminal consequences.
As the saying goes, knowledge is power, and so here are the top 7 HIPAA security risk myths and their actual truths to improve your practice.
1. If healthcare facilities try their best to protect health information, there will be no security issues.
There is a specific regimen that needs to be followed to ensure the protection of health information. Documentation, dates and signatures are required every time protected health information is accessed; otherwise the access will not be considered legitimate, which creates a risk of HIPAA violation.
2. HIPAA does not allow healthcare providers to share a patient’s information with family members or caregivers.
As long as the patient has given his or her written consent, then by HIPAA standards health care providers are cleared to release this information.
3. A physician is prohibited from treating a patient if he/she does not sign the privacy acknowledgement form.
This myth is false because refusing treatment would be seen as a form of discrimination. However, if a patient does fail to sign the privacy acknowledgement form for whatever reason, there are two things they need to know: the physician cannot be held accountable for any privacy-related issues, and the doctor is still allowed to treat him/her.
4. Healthcare providers must release all of a patient’s medical information to him or her.
There are actually two cases in which a healthcare provider can refuse a patient access to his medical information. If a healthcare provider has reason to believe that any information revealed in a patient’s medical information could lead him or her to cause self-injury, then refusal of access is permitted. Also, if any medical information request forms are not filled out by a patient when requesting access, a healthcare provider can refuse access to such information.
5. Healthcare facilities are not permitted to release health information to the press pertaining to accident or crime victims.
HIPAA permits certain health information to be released to the public and/or press from the healthcare facility. However, if a patient wants full privacy of his information, he is expected to put it in writing that all health information is forbidden from disclosure.
6. Healthcare providers cannot exchange protected health information with one another unless the patient gives his or her written consent.
False. Healthcare providers can in fact exchange protected health information as long as it pertains to the treatment of the patient. They are required to use health information exchange (HIE) to ensure the information is kept protected and secure.
7. Email exchange between doctors and patients is restricted by HIPAA.
While email exchange is acceptable, security associated with regular email is the issue. HIPAA suggests that doctors and patients find an email service that provides safeguards, for example, email encryption.
8. HIPAA does not allow healthcare facilities to use medical information for marketing reasons.
HIPAA’s restrictions pertaining to this myth are still unclear. While there are certainly cases where a patient’s HIPAA rights may be violated, a healthcare facility opening a new fundraising program could use a patient’s medical information (with consent) to raise awareness.
Schneider Electric's intelligent patient room: need to know
Schneider Electric has launched a virtual showcase that features its new "intelligent patient room". What is it exactly?
Who: Schneider Electric is a multinational that develops energy and automation solutions for many different industries - including hospitality, education, defence, and healthcare. Founded in 1836, today it is a Fortune 500 company, and it currently provides technology to 40% of hospitals around the world, among them Penn Medicine, one of the top hospitals in the US, where Schneider's EcoStruxure for Healthcare, an IoT solution, is deployed.
What: Schneider has launched its Innovation Experience Live Healthcare Lab, an immersive experience that takes visitors through a demonstration of a hospital, including the doctor’s office, the operating room, and the intelligent patient room.
The room features a digital patient footwall - a touchscreen that creates a single reference point for patients, families and healthcare providers, by incorporating care information, entertainment and environmental controls all in one place. A separate digital patient door display has important information for healthcare staff.
All Schneider's equipment is low-voltage, and integrated so that the patient room, clinical needs and IT are all seamlessly connected in what Schneider calls a digital “system of systems.”
Why: Mike Sanders, Customer Projects & Services in Healthcare Innovation at Schneider Electric, explains: “The hospital of the future will need to put the patient experience at the forefront, using innovative and connected systems to provide superior in-hospital care experiences.”
“With the shift to remote work and business brought forth by the pandemic, we knew that we needed to invest in a new virtual experience that showcases our vision for a truly integrated healthcare experience. We believe our intelligent patient room is the solution that our healthcare partners and customers have been looking for, and we’re excited to offer a way for them to experience it no matter where they are in the world.”
Where: The virtual experience was modelled after the new innovations installed at Penn Medicine in Philadelphia, the first real-world installation of Schneider Electric’s fully integrated intelligent patient room technology. It is currently being hosted at the company’s St. Louis Innovation Hub and Innovation Executive Briefing Center (IEBC) facility.