Standing in line the other day waiting to pick up a prescription, I noticed a sign I’d never seen there before. It said: To respect our patients’ privacy, HIPAA regulations require that you stand behind this sign until called. Concerns that a pharmacist’s consultation with a patient might be overheard probably led to the creation of that sign.
These days it’s not just healthcare providers who know about HIPAA. Healthcare consumers are becoming much more aware of their right to privacy and the role that HIPAA plays in that. Today let’s take a look at what that could mean to your healthcare practice.
The infamous Wall of Shame
The HIPAA/HITECH Act requires that the Department of Health and Human Services (HHS) post — for all the world to see — a list of breaches of unsecured Protected Health Information (PHI) affecting more than 500 individuals. That website list is now known as “The Wall of Shame” and you can view it here .
Since the Breach Notification Rule went in effect in September of 2009, the Wall of Shame has listed more than 800 breaches affecting more than 30 million individuals. Experts predict an ongoing upswing in both those numbers, partly because the Omnibus Rule now contains clearer criteria for identifying and reporting breaches.
Tip of the iceberg
Compared to the total number of healthcare practices in this country, 800 breaches might seem like a small number. But I recently came across a surprising statistic that should give pause to any HIPAA-complacent (as opposed to “HIPAA compliant”) healthcare provider. In a presentation to the Hospital Council of Western Pennsylvania an official from the Office of Civil Rights (OCR) revealed that the posted breaches actually represent less than 1% of all reported breaches. Between September 2009 and March of 2012, for instance, HHS received more than 57,000 reports of breaches involving less than 500 individuals!
In other words, there’s a whole lot o’ breach reporting going on. And when a breach is reported, an investigation by the government follows — with auditors asking to see things like a practice’s policies and procedures, proof of HIPAA training, risk analysis, and mitigation plans.
When patients take matters into their own hands
As patients become more and more aware of their rights to privacy in a healthcare context, they’re increasingly likely to spot breaches and report them — whether it’s overhearing a doctor-patient conversation they weren’t supposed to hear or noticing that the front-desk computer, with its screen full of patient names and insurance numbers, can be easily seen by anyone checking in.
No one wants their PHI compromised or their identity stolen. And when it becomes obvious that a doctor or dentist isn’t taking the necessary steps to keep patient information safe, patients can’t be blamed for alerting HHS. They might even see it as their civic duty.
Don’t worry. Be HIPAA compliant.
One way to view patients who are knowledgeable about HIPAA is to see them not as a threat, but rather as a one more good reason to make compliance a top priority. As HIPAA awareness among the public grows stronger, so too should every provider’s commitment to comply.