For allied health professionals, understanding HIPAA compliance is crucial, especially when considering the interplay between federal and state laws. Let’s simplify these concepts to better understand our obligations under HIPAA.
State Law Preemption
The HIPAA Privacy Rule, a federal mandate, sets the baseline standard for protecting patient health information. In most cases these federal rules override conflicting state laws: if a state law contradicts HIPAA, HIPAA’s rules must typically be followed. There are exceptions, however. If a state law offers stronger privacy protections, or if it concerns reporting diseases, abuse, or public health surveillance, that state law takes precedence. State laws that regulate health plans or that address fraud and abuse in health care are also generally upheld.
Exceptions to Preemption
In certain scenarios, state laws can override HIPAA. This is especially true if a state law is necessary for public health and safety, for regulating controlled substances, or for state health care reporting requirements. The Department of Health and Human Services (HHS) may review and decide if a state law should prevail in the interest of public welfare.
Understanding Penalties
Compliance is key to avoiding penalties. For minor HIPAA violations, HHS aims to work with entities to correct the issues. Significant violations, however, can lead to civil and criminal penalties. Civil penalties can go up to $25,000 per year for repeated violations. Criminal penalties are more severe, ranging from a $50,000 fine and one year of imprisonment for basic violations to a $250,000 fine and ten years of imprisonment for violations involving intent to sell or misuse patient information.
Common HIPAA Violations
Unauthorized Access/Disclosure: This occurs when protected health information (PHI) is accessed or disclosed without proper authorization. Those conversations you have with other providers about a mutual patient? Make sure they’re done privately and out of earshot of others.
Mishandling Records: Lock your computer screen before you step away so that unauthorized parties cannot view patient information. Make sure you get written authorization from patients before sharing their records.
Improper Disposal of Records: Failing to properly dispose of PHI can lead to unauthorized access. This applies to electronic and paper records.
Loss or Theft of Devices: A lost or stolen device that contains PHI is a breach risk, especially if the device is not properly encrypted.
Lack of Employee Training: Employees not trained in HIPAA compliance can inadvertently cause violations. Make HIPAA training part of your hiring process.
Failure to Conduct Risk Assessments: Not regularly reviewing potential risks to the security of PHI.
Failure to Manage Cyber Security Risks: Not having adequate security measures in place to protect PHI.
Sending PHI Unencrypted: If a client requests that records be sent electronically, send them via a secure, encrypted channel. EMRs often have this capability built in.
Business Associate Agreements: Did you or your practice sign a BAA with your video conferencing platform? Your payment processing system? Consider the vendors you work with who have access to PHI. Make sure you have a BAA in place with all of them.
Social Media: Sharing patient photos or text information on social media. You need express written permission from the patient or their representative to do this.
As allied health practitioners, staying informed about HIPAA compliance, including the nuances of state law preemption, penalties, and potential violations, is critical. Understanding these rules helps us protect our patients’ privacy and ensures that we operate within legal boundaries.
Resources
Layers Demystifying HIPAA Course
Complimentary, Customizable HIPAA Forms