HIPAA Duties of Confidentiality

Most physician practices recognize the acronym HIPAA for the Health Insurance Portability and Accountability Act. HIPAA provides the first nationally recognizable regulations for the use and disclosure of an individual’s protected health information, or PHI.

Health plans, health care clearinghouses, and providers who transmit or maintain PHI electronically are all considered “covered entities” under this legislation and must observe the special privacy rules. As a general rule, covered entities need authorization from the patient prior to disclosing PHI unless the use or disclosure of the information is required or permitted under the statute.

In practice, HIPAA imposes a greater obligation than simply refraining from disclosing PHI. HIPAA requires certain privacy policies be put in place, documents be generated, and logs be maintained. Compliance is not always difficult but can be a tedious process. For sample forms you may find useful in your effort to comply with HIPAA, see the links below.

While individual patients cannot bring a lawsuit against a physician practice for a violation of HIPAA regulations, the Department of Health and Human Services enforces this law through the Office of Civil Rights and has the ability to impose both civil and criminal sanctions. The amount of any penalty depends on whether the covered entity knew or should have known of the failure to comply. More severe penalties are imposed on entities that fail to comply due to willful neglect. It is important to be aware of the HIPAA regulations and set appropriate policies to comply with all aspects of the law.

Even when a practice has appropriate HIPAA policies in place, data breaches can and do occur. Knowing how to respond and who must be notified in the event of a data breach or unauthorized disclosure of PHI is important. The list of those who must be notified and steps to be taken depends on the nature of the breach. It is advisable to consult an attorney as soon as you become aware that a data breach occurred.

Additional Resources: Sample Employee Acknowledgement of Practice’s HIPAA Program Policies and Sample Business Associate Agreement

