Legal Update: Are You Hip to HIPAA?


Ignorance is no defense when it comes to protected health information.


NO CHANGE: Even the most innocuous and well-meaning correction to a patient record could land a surgical facility and its staff in hot water.

You could be violating HIPAA and not even know it. Consider this scenario: A patient scheduled to receive an injection at 10 a.m. doesn't receive the injection until 11 a.m. Yet the nurse documents in the patient's record that the injection was administered as scheduled. Honest oversight, right? Wrong. It's a HIPAA violation that could come back to haunt you.

Ignorance is no defense against Health Insurance Portability and Accountability Act violations. Nor is a lack of training. Your staff has likely been trained in patient privacy and protected health information (PHI), but slip-ups still happen.

  • A 12-physician dermatology practice group paid $150,000 for alleged HIPAA violations arising out of a lost, unencrypted flash drive containing PHI. The group also was required to implement a corrective action plan.
  • A 5-physician cardiology group reached a $100,000 settlement as a result of a multiyear, ongoing failure to comply with the HIPAA privacy and security requirements by posting clinical and surgical appointments for patients on a publicly accessible Internet-based calendar.
  • An orthopedic clinic agreed to pay $750,000 for potentially violating a HIPAA privacy rule by sharing PHI for about 17,300 patients with a potential business partner without first executing a business associate agreement. Under HIPAA rules, covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left patients' sensitive health information vulnerable to misuse or improper disclosure.

Protect yourself
HIPAA penalties are based on the level of negligence, with a maximum penalty of $1.5 million per violation. When determining penalties, the Office for Civil Rights takes into account the length of time a violation persisted, the number of people affected, the nature of the PHI exposed and the organization's willingness to assist with the investigation. A long-running violation could have overwhelming financial repercussions, and it may also lead to the censorship of nurses, nursing management, administrators and even physicians.

Any person who comes in contact with protected health information at your facility is required to abide by HIPAA policies. Make sure your physicians and staff know the guidelines and the risks of not adhering to them. Keep in mind that recent nursing graduates may have spent more time studying HIPAA than tenured nurses.

HIPAA gives patients more control over their health information. They can request a copy of their electronic medical record in electronic form. Patients who pay out of pocket in full can instruct their healthcare provider to refrain from sharing information about their treatment with their health plan (including Medicare). Patients can also set new limits on how information can be used and disclosed for marketing and fundraising purposes, and prohibit the sale of their health information without their permission.
