Where are We with HIPAA Compliance?
I just had a conversation today with an IT person from a health care provider client. He raised some valid points about a particular situation. It reminded me that HIPAA is one of the most prevalent healthcare laws as well as one of the most misunderstood. Despite years of experience, the IT person today had what I believe to be misguided notions of "protected health information (PHI)" and of what is actually protected under HIPAA.
In order to determine whether something violates HIPAA, we first need to understand whether HIPAA applies to the situation at all. Frequently, the answer is no, in which case there is no reason to analyze HIPAA issues.
It is interesting that, as of early January 2024, I read that HIPAA violations are increasing and HIPAA compliance is also increasing. This may seem contradictory. However, technology is advancing rapidly, and this contributes to the apparent discrepancy. It is important to note that HIPAA has many aspects: some pertain to patients and their rights, and some pertain to healthcare facilities and their obligations. The goal of everyone is to protect PHI.
So what is reality and what is fiction? The reality is that technology as applied to healthcare is booming. Artificial intelligence (AI) is fueling patient care, diagnostics and treatment. It is also creating new scenarios for HIPAA violations. I frequently state that technology is always ahead of the law; the law adapts to change (technology). However, the further reality is that healthcare facilities are held to a high standard of care when protecting PHI.
Accordingly, healthcare facilities must constantly monitor the flow of patient information. This includes revenue cycle management (RCM), electronic health records and electronic medical records, as well as the methods staff use to communicate with patients and other facilities. Unfortunately, there is no separate standard for large facilities and a simpler one for smaller facilities; the same requirements apply regardless of size.
HIPAA is a moving target. Most scenarios are viewed on a case-by-case basis. This is the way the law in the United States is designed. It may or may not be the best system (I believe that it is, because it is more flexible). However, this makes it difficult to know whether you are in compliance.
One thing is certain: HIPAA changes. Constantly. There are new changes for 2024. Some entities purchase software that is "HIPAA compliant". This is not enough!
Now to the fiction. Entities and software vendors routinely advise me that they are "HIPAA compliant". I really do not think that anyone can claim this, because HIPAA is a moving target and changes regularly. In any event, it may be troublesome to state this (and perhaps equally troublesome to forgo saying it)!
The bottom line is that HIPAA should be addressed at least twice per year. If you are not equipped to do so, bring in someone to review your operations and render an opinion. Sometimes just having an expert opinion goes a long way if you find yourself in a compliance scenario!