HIPAA Guidelines for Healthcare Professionals
The HIPAA guidelines for healthcare professionals are that healthcare professionals should understand all relevant HIPAA standards and apply them in accordance with their employer’s workplace policies. Understanding the relevant standards helps prevent unintentional violations of HIPAA and the potential for sanctions.
Because healthcare professionals have different roles, work in different environments, and face different compliance challenges, there is no one-size-fits-all set of HIPAA guidelines for healthcare professionals. It is also the case that covered healthcare organizations can apply HIPAA standards in different ways depending on the nature of their operations and how they apply the “flexibility of approach” standard.
Nonetheless, there are some basic HIPAA guidelines that apply to all healthcare professionals based on the Privacy Rule standard relating to workforce sanctions (§164.530(e)). This standard states:
“A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart [the Privacy Rule] or subpart D of this part [the Breach Notification Rule].”
This standard implies that members of the workforce must comply not only with the covered entity’s privacy policies and procedures, but also with the requirements of the Privacy Rule and Breach Notification Rule themselves – even where those requirements are not covered by the covered entity’s policies and procedures. This second implication is important for determining the basic HIPAA guidelines for healthcare professionals, because it means that a gap in an employer’s policies does not excuse a workforce member from knowing the underlying rules.
Basic HIPAA Guidelines for Healthcare Professionals
The basic HIPAA guidelines for healthcare professionals are that healthcare professionals must understand concepts such as what is considered Protected Health Information (PHI) under HIPAA, what uses and disclosures of PHI are permitted by HIPAA, and what rights patients have to access, amend, and withhold PHI. It is also important to understand the minimum necessary standard and when it applies.
Covered entities should develop policies and procedures that cover permissible uses and disclosures, patients’ rights, and “outside the box” events when – for example – it may be necessary to obtain a HIPAA authorization. The policies and procedures should be explained to workforce members during HIPAA training. However, it is difficult to foresee and develop a policy for every event in which HIPAA may apply.
With regard to the HIPAA breach notification requirements, all that most healthcare professionals will need to know is what constitutes a breach of unsecured PHI (§164.402) and who it should be reported to internally. Determining whether the event is a notifiable breach and complying with the remaining requirements of the Breach Notification Rule should be the responsibility of the organization’s Privacy Officer.
Security Guidelines for Healthcare Professionals
Similar to the Privacy Rule, the Security Rule has a standard requiring covered entities to apply sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity (the sanction policy implementation specification at §164.308(a)(1)(ii)(C)). However, compliance with the HIPAA Security Rule is more often determined by the administrative, physical, and technical safeguards implemented by the covered entity than by the individual actions of members of the workforce.
Therefore, rather than being stipulated by HIPAA, the security guidelines for healthcare professionals are best practices for preserving the confidentiality, integrity, and availability of PHI. For example, healthcare professionals should not share passwords or download unsanctioned apps “to get the job done”. Similarly, they should not transmit PHI via personal devices unless the devices have been brought under the organization’s safeguards (for example, enrolled in the organization’s device management and equipped with its approved, encrypted messaging or email software).
Thereafter, the security guidelines for healthcare professionals are not much different from the basic HIPAA guidelines for healthcare professionals – understand what is considered PHI, what use and disclosures are permitted, and when the minimum necessary standard applies. Exceptions to this generalization may apply depending on the roles of healthcare professionals, but these should be covered by the covered entity’s security policies and procedures.
The Penalties for Violating Applicable HIPAA Guidelines
The penalties for violating applicable HIPAA guidelines are set by each covered entity in their sanctions policy. In most cases, the nature of the penalty reflects the seriousness of the violation. So, for a minor violation, the sanction may be a verbal warning or refresher training; while, for a more serious or repeated violation, the sanction could be a written warning, suspension, or termination of contract.
The financial penalties for HIPAA violations most often apply to covered entities and business associates. However, if a member of the workforce violates §1177 of the Social Security Act (the criminal provision for knowingly obtaining or disclosing individually identifiable health information), they could be fined up to $250,000 and/or receive a jail term, with the severity depending on whether the offense was committed under false pretenses or for commercial advantage, personal gain, or malicious harm. Alternatively, if a HIPAA violation is considered to violate §1128A of the Social Security Act, the individual could be fined and excluded from working for any organization that participates in Medicare or Medicaid.
Due to the complicated nature of HIPAA compliance and the risks of unintentional violations, it is advisable for healthcare professionals to be familiar with all relevant HIPAA standards and apply them in accordance with their employer’s workplace policies. Healthcare professionals who are unsure about which HIPAA standards apply to their roles are advised to speak with their organization’s Privacy Officer or seek independent advice from a compliance professional.