Medical records – whether in handwritten or digital format – are critical for the continuity of quality healthcare delivery to patients. To get a comprehensive look at a patient, healthcare providers must have access to complete, up-to-date, and accurate medical records. The more flawless the transmission of patient data, the better it works for healthcare providers.
Regrettably, there are malicious individuals out there on the constant lookout for opportunities to intercept sensitive patient information for their own, often despicable, purposes. In an effort to promote secure transmission of patient information, the former United States President, Bill Clinton, signed into law the HIPAA regulations.
Understanding the Florida Information Protection ACT (FIPA)
While the federal government has HIPAA rules governing personal information, each state has its own set of laws regarding how patient medical data should be protected and secured. In Florida, FIPA is considered to be the state’s law counterpart of the federal government’s HIPAA. Nonetheless, FIPA is, in many respects, more far-reaching than HIPAA. For instance:
Table of Contents
- 1. Covered entity definition
- 2. Personal Information definition
- 3. Breach notification obligations
- 4. Third-Party Obligations
- 5. Disposal of Customer Records
- a. Information disclosure
- b. Inadequate PHI access controls
- c. Lack of a risk analysis policy
- d. Lack of a risk management policy
- e. Lack of HIPAA-compliant agreements
- f. Failure to PHI on Portable Devices
- g. Exceeding the deadline for issuing breach notifications
- h. Improper disposal of PHI
- i. Limiting patients from accessing their PHI
- File a Complaint with OCR
- File a complaint with the DOH
- File a Report with a Third-Party Payer
1. Covered entity definition
The FIPA definition of a “covered entity” is broader compared to that of a covered entity under HIPAA. While HIPAA affects those in the healthcare industry only, FIPA also covers commercial entities and government entities that obtain, use, store, or maintain patient data.
2. Personal Information definition
FIPA regards more information as personal information than what is considered as personal information under HIPAA. For instance, the name accompanying a credit card number is considered as personal information under FIPA.
3. Breach notification obligations
In the event of a data breach, HIPAA requires the covered entity to notify the affected individuals within 60 days. Under FIPA, a covered entity is required to notify affected individuals within 30 days.
4. Third-Party Obligations
If a third-party agent or business associate has a data breach, HIPAA requires them to notify the covered entity within 60 days. Under FIPA, a third-party agent is required to notify the covered entity of the breach within 30 days.
5. Disposal of Customer Records
While HIPAA directs that covered entities and third-party agents should take all practical measures to dispose of records containing protected health information, it doesn’t specifically reference any methods of disposal. FIPA, on the other hand, states the specific methods for disposing of customer records, including erasing, shredding, and making patient information undecipherable or unreadable.
Since FIPA regulations are far-reaching compared to the HIPAA regulations, healthcare providers and third-party agents either need to implement a FIPA policy or add the extra FIPA provisions to their HIPAA policy. A violation of FIPA is treated as a deceptive or unfair trade practice, and it could lead to a civil penalty of up to $500,000.
Who Enforces HIPAA in Florida?
Every law requires a ruling entity. HIPAA and FIPA are no exceptions. At the federal level, HIPAA is enforced by one organization, and that is the federal government through the Department of Labor.
Presently, the Medicare and Medicaid Services enforce both the Rules covering the standardization of information and the HIPAA Security Rule. As for the HIPAA Privacy Rule, the Office of Civil Rights is the enforcement entity. In Florida, the Department of Health is the HIPAA enforcing body.
Common HIPAA Violations
HIPAA violations are regular occurrences throughout the healthcare industry. The following are the most common HIPAA violations that can cause potential damage to a covered entity:
a. Information disclosure
If employees of a covered entity disclose PHI to unauthorized individuals, their employer is considered a violation of HIPAA regulations.
b. Inadequate PHI access controls
Not only are employees of covered entities barred from disclosing PHI, but they’re also prohibited from accessing patient files if they’re not authorized to. Illegal access to patient files is a serious HIPAA violation.
c. Lack of a risk analysis policy
Covered entities must conduct risk analysis regularly to determine whether PHI is vulnerable. Failure to do so is a serious HIPAA violation.
d. Lack of a risk management policy
After identifying risks, covered entities must undertake a risk management process to address those risks in a reasonable time frame. Failure to put a risk management plan in place is considered a HIPAA violation.
e. Lack of HIPAA-compliant agreements
Covered entities must enter into HIPAA-compliant agreements with third-part agents, including vendors and business associates. Failure to enter into such agreements is also considered a HIPAA violation.
f. Failure to PHI on Portable Devices
Failure to safeguard devices containing PHI, such as using strong passwords and encryption, is considered a HIPAA violation. Downloading PHI to personal and unprotected devices is also considered a gross violation.
g. Exceeding the deadline for issuing breach notifications
In Florida, covered entities must issue breach notifications within 30 days after discovering a data breach. Failure to do so is considered a HIPAA violation.
h. Improper disposal of PHI
HIPAA rules obligate covered entities to destroy PHI that’s no longer required securely. Failure to do so is a direct HIPAA violation.
i. Limiting patients from accessing their PHI
Under HIPAA, patients have a right to access their medical records and get copies on request. As such, denying patients this right is a violation of HIPPA.
Steps for Filing a HIPAA Complaint
Anyone can file a HIPAA complaint if they believe that they have been involved in an accident as a result of a HIPAA compliance violation. Here are the steps to take:
File a Complaint with OCR
The first step is to submit your complaint to the Office of Civil Rights. You can file a complaint in writing by e-mail, mail, or through the OCR Complaint Portal. Requirements for filing a HIPAA Privacy Complaint include:
- File the complaint within 180 days of when you discovered that the act you’re complaining about occurred.
- Provide details about yourself or the affected individual.
- Name the covered entitled or third-party associate involved.
- Provide details of the complaint, describing the acts you believe violate the requirements of the HIPAA rules.
After submitting your HIPAA Privacy Complaint, the OCR will go ahead and investigate the covered entity.
File a complaint with the DOH
The Florida Department of Health (DOH) is the responsible body not only for licensing all healthcare professionals practicing in the state, but also for reviewing complaints filed against them. If a FIPA-covered entity is found in violation of patient confidentiality, it’s can be held liable under the data privacy laws.
If you or someone you have been involved in an accident as a result of a HIPAA or FIPA compliance violation, you may also file a complaint with the Florida DOH against the responsible health professional. If the health professional is licensed in another state, you will have to follow that state’s procedure for filing a HIPAA complaint.
File a Report with a Third-Party Payer
Are you a Tricare, Medicare, VA, military, or Public Health Service patient? If so, you can consider submitting your complaint to the Office of the Inspector General of that particular agency.
Remember that you don’t have the luxury of time when it comes to filing your complaint after you have unearthed a HIPAA violation. As such, you should file a complaint immediately. For best outcomes, it’s best to enlist the services of a competent and experienced attorney.