Would you sell PHI as a healthcare worker? A new study reveals that many students soon to enter the workforce as healthcare workers would. The results of the study and the permitted uses and disclosures of PHI are discussed below.
Would You Sell PHI? The Results of the Study
The healthcare study, published in July in JMIR Medical Informatics, was conducted by researchers from three universities (Florida Atlantic University, Baylor University, and the State University of New York at Buffalo). The purpose of the study was to determine whether or not students interested in working in the healthcare field could be tempted into violating the HIPAA Privacy Rule.
The study presented five scenarios across three earning levels (nurse’s aides earning $30,000/year, insurance brokers earning $60,000/year, and doctors earning $200,000), to see what amount of money would entice students into selling protected health information (PHI). In three of the scenarios, the study asked the 523 participants if they would sell PHI for an amount between $1,000 and $10 million. The other two scenarios asked participants if they would sell PHI if it benefited a family member or friend.
The Importance of Employee Training
Chul Woo Yoo, Ph.D., an associate professor in the information technology and operations management department within FAU’s College of Business, and one of the study’s authors, commented on the overwhelming evidence pointing to the lack of HIPAA compliance.
He stated that although students are taught about HIPAA compliance, “It is not their focal interest. Therefore, developing the strong security climate among physicians and nurses should be carefully revisited by management.”
This is why employee training is a key component of HIPAA compliance. HIPAA law dictates that employees must be trained annually on HIPAA basics and their organization’s policies and procedures. Employees should also be trained on cybersecurity best practices and the proper use of social media.
What are the Permitted Uses and Disclosures of PHI?
Before you may use or disclose PHI outside of treatment, payment, or healthcare operations, you must have written consent from the patient. Under HIPAA, the sale of PHI is permitted without prior consent in only a few scenarios.
Sale of PHI without patient consent is permitted under the following circumstances:
◈ For public health purposes, as that phrase is defined in the HIPAA Privacy Rule;
◈ For research purposes, if (and only if) the remuneration constitutes a “reasonable cost-based fee to cover the cost to prepare and transmit” the PHI;
◈ For purposes of treatment and payment, as allowed under the Privacy Rule;
◈ For the sale, transfer, merger, or consolidation of all or part of a covered entity and for due diligence connected to these activities;
◈ To the patient when the patient requests the PHI (provided the fee amounts are compliant with the right of access); and
◈ When required by law.