HIPAA / Human Subjects Research

HIPAA, the "Health Insurance Portability and Accountability Act", was enacted relatively recently, in 1996. The main goals are to insure that medical information for patients is secure and can be transported between different institutions more effectively, ideally, electronically. All medical establishments must adhere to HIPAA. Federal oversight of laboratory management falls under CLIA '88, which is a separate issue from HIPAA.

Everyone must be constantly aware of HIPAA, so that we can maintain the privacy of patients to the best of our ability. Paper documents must be shredded and kept away from the regular garbage. Sometimes it is impossible to avoid using patient information, such as calling for a patient's name in the waiting room. If possible, address the patient with their surname only. It is dangerous to use personal email accounts instead of corporate accounts to send email. However, as long as the recipient is the intended recipient, there is no violation of HIPAA. Ideally, patients should formally designate who has HIPAA privileges, but it is reasonable to assume that if the patient is married, and has sent the spouse to pick up medication, the medication can be handed to the spouse provided that the spouse can confirm PHI regarding the patient.

Sending information to the wrong email address or wrong fax number is a common HIPAA violation. These errors can be avoided. Never type in the recipient's email address box. This will autopopulate a similar but wrong address in the address box. Instead, click on the "To:" box to access the company directory. Use speed dial if possible to send faxes to other offices. When faxing to patients, double check the number! Always use a fax cover page that has a disclaimer stating that if the recipient is not the intended recipient, the document should not be read and should be destroyed. All mistakes that are made by your support staff are your shared responsibility. Use this opportunity to educate the assistant, not blame the assistant. If the assistant faxed the report to another physician and the physician immediately recognized the error and shredded the document, that is an exception to the Breach Notification Rule and does not need to be reported.

Passwords should be difficult to guess and difficult to reconstruct. Use a password generator to make passwords that contain gibberish, and that expire periodically so that you have to change the password. Never reuse passwords. Never use the same passwords for multiple accounts. Use a password manager to store passwords, and never share your passwords with anyone or write them. Even better, use two factor authentication. Set up your account to require the use of a password and a second step that must be confirmed by your smartphone.

Awareness is necessary to prevent HIPAA violations. Ask yourself, "Do I really need this information to do my job?" "How can I protect the privacy of the patient?" If you have a cluttered desk, chances are there is PHI somewhere. Take a few minutes at the end of the day to clean your desktop and ensure that all PHI is shredded or at least hidden if necessary to retain it. Logoff and lock your computer each time you leave your workstation, so that nobody can see what is on the screen while you are away. Clever violators will use your terminal if you are away and still logged in so that you and not the actual violator, will be assessed the HIPAA violation! Leave your work at work, unless your home has been approved by CLIA '88, which means that you have a federally approved office designated solely for work that is off limits to the remainder of the family. Always talk about patients in private to other health care members, never in public. Remove all identifiers if possible when performing research. Talk to your friends and family about work so that you are not at risk of suicide, but do not share any PHI. Only speak in general terms.

Ransomware threatens to publicize stolen or locked data unless a ransom is paid. Use a wireless charger to charge your phone at work. Viruses and other malware can be transferred to and from your phone and computer via the USB cable. Worms, unlike viruses, can propagate without requiring host files. Trojan horses appear legitimate and trick users into visiting malicious websites or downloading malicious files. Examples of Trojan horses include emails with attachments or links that appear legitimate.

Unfortunately, HIPAA violations are ridiculously common. Know that the punishment for an innocent violation is $100 for the first occurrence. Intentional violations can invoke punishments that include dismissal or incarceration, depending upon the severity of the violation. It is important to document everything. Even if a physician is a patient, that physician cannot even look up their own results!

PHI stands for, "Protected Health Information", and includes anything that can reasonably used to identify a patient. There are at least 17 items, including obvious items, such as name, social security number, and medical record number, and obscure items such as accession numbers used in surgical pathology, cities, and date of birth, but not simply initials.