The 10 Biggest Legal Mistakes Physicians Make in HIPAA Compliance for Group Practices

By Neville M. Bilimoria, Esq.

Executive Summary

Many physician groups believe that complying with the privacy rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an arduous task. They may therefore think that noncompliance is their best route or that being overprotective of information is an easy way to avoid the rule. However, as patients become more educated on the requirements of the rule and on the rights of individual patients regarding protected health information (PHI), patients could file complaints against the physician group, a covered entity under the HIPAA privacy rule. The rule subjects providers to stiff penalties, including $100 per violation up to a maximum of $25,000 per year, or even as much as $250,000 for a violation that is knowingly done with the intent to sell, transfer, or use PHI for commercial, personal, or malicious advantage, plus imprisonment of not more than 10 years. Given the complexity of the rule, many physician groups have not taken the time to understand the purposes of HIPAA or to undertake HIPAA compliance in a serious manner. Such mistakes can lead to costly results and could compromise the goodwill of the physician group in the eyes of its patients.

Mistake 1: Believing That HIPAA Enforcement Will Never Happen to the Physician Group

Mistake 2: Having a Compliance Plan in Form Only

Mistake 3: Believing That Health Care Providers Must Have HIPAA Authorization Before Disclosing PHI to Other Health Care Providers

Mistake 4: Believing That the Minimum Necessary Standard Applies to All Disclosures

Mistake 5: Believing That PHI Cannot Be E-Mailed or Faxed under the HIPAA Privacy Rule

Mistake 6: Believing That Physician Groups Should Have a Business Associate Agreement with Anyone Who Might Have Access to PHI

Mistake 7: Believing That Patients Must Sign the Notice of Privacy Practices for the Physician Group

Mistake 8: Believing That Physician Groups and Their Employees May Not Discuss the Care of a Patient with Family Members

Mistake 9: Believing That Storage of PHI Must Be under Lock and Key, with an Armed Guard, and an Appropriate Alarm System

Mistake 10: Believing That the HIPAA Privacy Rule Prevents the Use of Sign-in Sheets, Calling Out the Names of Patients in Waiting Rooms, and Appointment Reminders

The above has been excerpted from the SEAK text, The Biggest Legal Mistakes Physicians Make and How To Avoid Them.