HIPAA and the Medical Assistant

Article Categories: Medical Law and Ethics & Administration

Every day you have dozens of patient encounters. You greet them, weigh them, record their vital signs, listen to their current complaints, assist with their procedures, document their provider’s treatments, and schedule their next appointment. Every single step of every single patient visit is regulated by the Health Insurance Portability and Accountability Act, or HIPAA.

HIPAA has been in place since 1996, when paper medical records were starting to be placed online. Having Protected Health Information (PHI) available on computers led to concerns about privacy of sensitive information. In 2003, anyone who could have access to your PHI had to prove that they had a plan to protect that information. If you work for any organization or company that keeps medical records, you must also show proof of HIPAA training. Another layer of protection was added in 2013, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was put into place to prevent data breaches from electronic health records.

HIPAA regulations apply to all healthcare professionals in every setting. For the Medical Assistant, this means constant attention to every patient interaction. Basics of HIPAA for healthcare professionals include:

1. PHI is restricted to those who need it for patient treatment, or for purposes such as accounting or billing. No matter who uses it, only the minimum amount of information necessary to accomplish the task should be available.

2. Every facility and provider must do a risk assessment to prevent a data breach. Servers and electronic equipment should be secure, with firewalls, as well as the ability to recover records in the event of a disaster. Paper documents must be kept in locked cabinets or rooms, with limited personnel access.

3. Policies and procedures to protect PHI must be in place, including use of all digital and electronic equipment, such as shared computers, laptops, cell phones, and other devices.

4. Every person who uses PHI must have a unique password that is changed on a regular basis. Passwords may never be shared or borrowed. Computers and other devices should be shut down between users and not allowed to remain accessible.

5. All staff must be trained in HIPAA, with ongoing and annual updates.

6. Discussion of patients and their diagnoses, conditions, or treatments may never take place outside of the need to share information with appropriate providers. Nor may information be shared with anyone, even a family member, who is not on a patient’s approved list.

Patients also have rights regarding HIPAA. Patients may:

• Inspect and copy all records
• Request that PHI be amended or changed
• Limit how PHI is used or shared with others
• Determine how they wish to be contacted, such as at work/home or by email/phone
• Find out who has requested or accessed their records

You likely already know about HIPAA, both from a professional and personal standpoint. Yet reminders keep us all on track, especially when we’re feeling tired or overwhelmed. It can be tempting to let a co-worker use our computer rather than log out, to complain about a difficult patient on the way to lunch, or to give information about a patient over the phone without verifying the caller’s identity. But... don’t. Each fine for violating HIPAA can be as much as $50,000. And you could lose your job. HIPAA is important and it’s here to stay. Do your part to protect your patients’ PHI. That’s what you would want, too!