HIPAA and you: protecting patient privacy

Maintaining patient confidentiality is no longer just a matter of keeping private information you learn on the job to yourself. The storage of individual patient records in large computer databases brings its own threats of theft, hacking, and privacy breaches.

If you want to pursue a career in healthcare, regardless of whether it is a clinical or a clerical role, you’ll need to have a sound understanding of the standards for privacy of individually identifiable health information. These standards were established by the U.S. Department of Health and Human Services (HHS) in December 2000 to implement the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are generally referred to simply as the HIPAA Privacy Rule or HIPAA Privacy.

The purpose of HIPAA Privacy

The privacy rules established under HIPAA carefully balance two potentially conflicting goals: protecting individuals’ medical information and ensuring the flow of such information when it will promote positive medical outcomes for individuals or the community.

To achieve these aims, the Privacy Rule requires healthcare providers and employees such as medical administrative assistants, billers and coders, and other health information specialists to strike a careful balance: sharing information when necessary and permitted, while still protecting the privacy of those who seek care and healing.

Who is covered by the Privacy Rule?

HIPAA Privacy applies to a wide range of healthcare organizations and their business associates. Organizations that must adhere to the rule are referred to as ‘covered entities’. In almost any healthcare career you choose, some or all of HIPAA’s privacy rules will apply. Covered entities include:

  • Direct health care providers, such as hospitals, physicians’ practices, dental practices, community medical clinics, and so on.
  • Health plan providers including health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, and Medicare supplement insurers, and most long-term care insurers.
  • Health care clearinghouses, which function as intermediaries forwarding claims information from healthcare providers to insurance payers and checking the claims for errors. Clearinghouses are covered by slightly different rules under HIPAA Privacy, since they are only business associates of medical organizations, not health providers themselves.

What kind of information is protected?

The Privacy Rule protects all health information about patients and customers that is individually identifiable. Whether an individual’s information is simply kept on file or is transmitted – whether on paper, electronically, orally, or by any other means – their privacy must be ensured.

Individually identifiable health information can include anything that relates to:

  • An individual’s past, present or future physical or mental health
  • The provision of health care to an individual
  • Information about the past, present, or future payment for the provision of their health care

where this information contains details that could identify the individual.

These details could be as obvious as the person’s name and address, or something more subtle such as demographic information which could be used to identify the patient.

HIPAA is essential for entry-level healthcare careers

A solid understanding of HIPAA rules around privacy is very important if you want a career in the healthcare industry. Hospitals, medical clinics, dentists, and other healthcare providers know it isn’t enough simply to have management understand HIPAA Privacy, because breaches can occur at any level. Anyone working in healthcare will, at one time or another, be dealing with protected patient information. That’s why you need a solid understanding of HIPAA – and a certification that demonstrates it – before you start searching for entry-level healthcare jobs.

Why is HIPAA training highly valued in healthcare?

While the privacy rules discussed above might seem straightforward enough, proper training is required to ensure they are followed strictly. Due to the inherent vulnerability of patient information, privacy breaches can occur unintentionally. On top of that, strict protocols and intensive vigilance are required to prevent more nefarious breaches by employees or outside parties.

Isn’t common sense enough?

While the HIPAA Privacy Rule is fairly simple in principle, in practice it is easy to violate through simple carelessness or seemingly innocent behavior. A healthcare employee might feel that, so long as they are not actively sharing patient information with third parties, they are protecting patients’ privacy, but this is not the case. Examples of ‘innocent’ behavior that actually constitutes a privacy breach include:

  • Grabbing a coffee or taking a bathroom break, leaving a patient file on your desk where it could be accessed improperly.
  • Emailing information relating to a patient to yourself so that you can catch up on work at home.
  • Discussing protected information with a co-worker in an area where you could easily be overheard by members of the public.
  • Forgetting to log out of a work computer that contains individually identifiable health information.

As such, it is very important to employers in the healthcare industry that all employees have a thorough understanding of the rules, to avoid such mistakes.

Is patient information vulnerable to hacking?

Healthcare IT News cites 39 examples of cyber breaches of patient privacy for 2017, up to the end of October. The threat of data theft is always present where large amounts of personal data are collected.

Because patient information must be stored and transmitted in multiple media and between various organizations, this information is always vulnerable. For this reason, it’s important that the entire staff – from entry-level medical assistants to doctors and management – have a thorough understanding of HIPAA Privacy.

As well as strong cyber-security systems and information-sharing protocols, every member of staff must contribute to a work culture that proactively respects and protects patient privacy at all times.

What are the financial and public relations consequences?

Another important reason employers want staff trained in HIPAA Privacy is the potential for legal and financial repercussions, as well as damage to their reputation, if breaches occur. The HHS can impose fines of $100 per offence, up to a maximum of $25,000 for multiple violations of an identical requirement. In large organizations where huge volumes of sensitive information change hands every day, even small privacy breaches can add up quickly, leading to large fines.

Proving your HIPAA Privacy knowledge

Without a doubt, employers want to know that you are able to manage personal patient data responsibly and that you will adhere to the HIPAA privacy rules. But training takes time, so they would much prefer it if you already understood the rules prior to employment. That’s why CCI Training’s Health Information and Medical Assistant programs include in-house certification and training for HIPAA Privacy in Dallas and Arlington.