HIPAA, NOT HIPPA!
Posted on 01.15.2015
Driving brings out the worst in me. Perhaps some of you can relate. I really am an even tempered—some would say “easy going”—kind of guy, but when you put me behind the wheel I can become an impatient jerkface.
Like a lot of good road rage stories begin… I got cut off in traffic the other day. This time was different because the offender was a bus. In the midst of my indignation that the bus almost obliterated my front fender, I noticed the big billboard plastered on the side and the back of the bus. The ad said something like “Are you HIPPA compliant?” (emphasis added). I completely lost what little composure I had left. Quickly memorizing the 1-800 number, I pulled into a parking lot (safety first, boys and girls) and feverishly dialed. Then I calmly and diplomatically proceeded to inform the lucky person who answered my call that a company that is selling compliance services does not look very credible when they can’t spell HIPAA correctly. It was such a thoughtful phone call; just me doing my civic duty. It didn’t really seem like they appreciated my help when they hung up on me.
HIPAA is not just another acronym. Yes, it is an acronym, but it is an essential one. PHI is another acronym that anyone who aspires to work in a healthcare setting should be familiar with. These two acronyms go hand in hand and top the list of things you need to know when working in a healthcare setting.
First things first—what do the acronyms stand for? HIPAA (that’s 1 P, 2 A’s) is the Health Insurance Portability and Accountability Act. It’s a federal law that was passed in 1996 and then, moving at the speed of government, implemented and enforced in 2003. I will not attempt to break down the legislative language in the law (lucky you); you can get that info here: https://www.hhs.gov/ocr/privacy/index.html.
The most basic principle of HIPAA is the protection of PHI. PHI is Protected Health Information: any type of information that may identify a particular person on a health record. This may include: name, address, names of relatives, names of employers, date of birth, telephone number, fax number, email address, social security number, medical record/account number, health plan number, certificate/license number, any vehicle or serial number, URL, finger or voice prints, photographic images, and any other unique identifying code or characteristic (HIPAA, 1996). The key point is that any information that could possibly identify someone is PHI.
HIPAA legislates a series of regulations and enforcements that hold providers to a high standard of privacy in the creation, use, storage, and transfer of patient records that contain PHI. The penalties for non-compliance are designed to hit providers directly in the wallet. The setting where you work should have well-established policies and procedures to ensure HIPAA compliance. An essential part of your job will be to know the policies, how they relate to the law, and how you need to perform in order to comply. This may all sound like a day-to-day maze of complexities, but I assure you it all comes down to one simple idea—no one should be allowed access to PHI unless it is unquestionably a necessary part of their job function. It is strictly a “need to know” situation.
HIPAA compliance on and off the clock is fundamental to employment in healthcare. I would also highly recommend knowing how to spell it correctly, or some jerkface may pleasantly remind you one day.