While there is obvious value in digitizing health information, it raises strong security concerns as well. Before Electronic Health Records (EHR), things were fairly simple for healthcare organizations: all they had to do was dedicate a secure room to patient records and hire a filer! Now, with EHRs and, more importantly, Health Information Exchanges (HIEs), patient data is exposed to both physical and cyber theft and to unauthorized disclosures, and such occurrences result in violations under the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA was created to provide standards for the secure electronic exchange of information between healthcare professionals through EHRs. The act revolves around two essential objectives. The first is providing patients with their personal health information on request; the second is giving patients the right to place restrictions on the use or disclosure of their health information. Failure by healthcare providers to comply with these objectives leads to HIPAA violations, ultimately resulting in penalties worth millions of dollars or even imprisonment.
According to official reports, a reputable Health Management Organization (HMO) had to pay $4.3 million in penalties as a result of HIPAA violations. It is said that the organization not only refused to provide a number of patients with their health information records, but also failed to cooperate during the investigation. Ensuring the privacy of patient information is another major concern of HIPAA. Be it a virtual breach, an illegal disclosure or even physical theft of information, it is the provider or the practice that has to face the consequences. According to another official report, a hospital made a settlement of $1 million after losing patient information on a subway.
Having shed some light on the financial penalties, let's take a look at the imprisonment cases. The criminal penalties can be divided into three major categories, which are as follows:
1. Knowingly obtaining or disclosing identifiable patient information would result in one year of imprisonment ($50,000 fine).
2. Obtaining patient information under false pretenses would result in one year of imprisonment ($100,000 fine).
3. Obtaining patient information for personal gain or to support malicious intent would result in ten years of imprisonment ($250,000 fine).
Another incident in official reports states that an employee of a Miami hospital was sentenced to two years' imprisonment for stealing patient information and selling it as part of an identity theft conspiracy.
The aforementioned incidents are clear evidence that HIPAA must be taken seriously. While both EHR technology and information exchange standards have been around for a while now, there is still much need for awareness about the use of EHRs and the security of patient information.