In August of 2022, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced a settlement with New England Dermatology and Laser Center over the improper disposal of protected health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA). A year prior, the dermatology clinic actually filed a breach report with OCR after it was discovered that empty specimen containers with protected health information on the labels had been thrown away in a garbage bin in the parking lot. After an investigation, it was found that the Privacy Rule had been violated. The penalty? $300,640—not a paltry sum by any means, but HIPAA fines can be much higher, too.
This incident illustrates how costly it can be for dermatology practices to neglect HIPAA compliance. Whether you operate a dermatology clinic, a medspa, a laser treatment center, or any other establishment that performs any kind of dermatological treatments on patients, you’re handling protected health information (PHI), and that makes you subject to HIPAA.
What is HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was passed in 1996 to help protect the privacy and security of individuals’ health information. HIPAA requires organizations that handle PHI to put in place physical, technical, and administrative safeguards to ensure confidentiality, integrity, and availability (CIA). It also sets limits on how and when PHI can be used or disclosed. In addition, HIPAA requires organizations to provide patients with access to their health records and the right to request corrections.
There are two main parts to HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule sets standards for the use, disclosure, and protection of PHI. Essentially, It requires you to have in place policies and procedures that govern how you use, disclose, and protect PHI. The HIPAA Security Rule requires you to put in place physical, technical, and administrative safeguards in place to protect PHI. It also requires you to regularly assess your security measures and take steps to ensure they remain up-to-date and effective.
Protected Health Information
So, what exactly is PHI? It’s any information about an individual’s health, health care providers, health plan, or payment for health care services that can be used to identify an individual. PHI includes medical records, lab results, health insurance information, and any other health-related information.
There are 18 different PHI identifiers encompassing any unique characteristics that could uniquely identify an individual. These include (but aren’t limited to):
- Patient name
- Address
- Social Security number
- Date of birth
- Medical record number
- Insurance policy number
Under the HIPAA Privacy Rule, PHI identifiers can only be used or disclosed in certain circumstances. These include when the individual has given authorization or when it is necessary for treatment, payment, or health care operations. In addition, PHI can only be shared with individuals or entities that are covered by HIPAA and have agreed to abide by the HIPAA Privacy Rule.
The Cost of a HIPAA Violation
Clearly, HIPAA is a huge law containing a lot of information you have to remember if you’re a dermatology clinic or medspa of any kind, but what happens if you violate any of the rules laid out in this law? Violations of HIPAA can result in both civil and criminal penalties.
Civil penalties are administrative penalties that are imposed by HHS. These penalties are designed to punish violations of HIPAA and deter future violations. Civil penalties can include fines of up to $50,000 per violation, with a maximum of $1.5 million per year for multiple violations. Criminal penalties, on the other hand, are imposed by the courts and are more severe than civil penalties. They are designed to punish individuals who knowingly and willfully violate HIPAA and are intended to serve as a deterrent to others. Criminal penalties can include jail time as well as fines of up to $250,000. In addition, individuals who violate HIPAA may be required to pay for any damages caused by the violation.
Some of the most common HIPAA violations include: disclosing PHI without authorization; not safeguarding PHI; not providing individuals with access to their records; not protecting PHI during transmission; and not properly disposing of PHI.
Protect Yourself From HIPAA Violations
As a dermatologist or aesthetician, most of the routine tasks you carry out every day, such as taking before and after photos of patients’ skin conditions, are subject to HIPAA, so it can be difficult to always get it right all the time. What can your practice do to ensure compliance and protect patients’ privacy?
The first step you should take (if you haven’t already), is putting in place policies and procedures that govern how you use, disclose, and protect PHI. Next, you should ensure that your security measures are up-to-date and effective. Once safeguards are in place, it’s important to regularly assess these security measures to ensure they remain effective and help you maintain HIPAA compliance. Additionally, you should provide training to your employees on how to handle PHI appropriately. Whether they’re throwing away containers with patients’ names on them or talking with a patient who would like to view their medical records, it’s important that your staff always know what the proper course of action is in any scenario. After all, any breakdown in protocol could result in the loss of hundreds of thousands of dollars for your dermatology clinic.
Find the Right Equipment for Your Dermatology Clinic
Operating a dermatology clinic or medspa means you’re always striving to provide the best experience for your patients. Not only does that include ensuring patient privacy, it also means offering innovative, top-of-the-line treatments whenever possible.
If you’ve been considering investing in a new laser treatment device for your practice, you have two options. You can either buy a brand new laser machine, or you can buy a used one and save tens of thousands of dollars. Obviously, buying used is the more cost-effective option, but it’s not always easy to find a reliable reseller. Resellers will notoriously advertise lasers they don’t have in stock, send broken equipment, or even ship the entirely wrong device.
That’s not the game we’re playing at Laser Resellers. If you see a cosmetic laser on our website, it’s guaranteed to be in stock, and if you decide to invest, the laser you order will be the laser you get. We provide maintenance to every laser we sell, guaranteeing they are in perfect working condition, and if for any reason you encounter an issue, we offer a 30-day warranty so you can get your money back.
So many aspects of operating a dermatology clinic can be arduous and time-intensive, so when it comes to buying the cosmetic laser equipment you need, give yourself a break. Check out our inventory or contact us today to see how Laser Resellers can help!