What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996. This US federal law, through the Privacy Rule issued under it (in force since 2003), set a national standard for protecting patient health information from being used or disclosed without the patient’s consent or knowledge. Its creation was in part a response to discriminatory practices by private health insurance companies. In the US, many people rely on their employer for health insurance, and prior to HIPAA, employees could be denied coverage under company-provided health plans for having a pre-existing condition. As patient records moved to digital storage, HIPAA became associated more strongly with record privacy and, through its Security Rule, with a baseline of technical safeguards for electronic health information that reduces the risk of identity fraud.
What’s the difference between GDPR and HIPAA?
GDPR stands for General Data Protection Regulation, and it went into effect in the EU in May 2018. The main differences between GDPR and HIPAA lie in the intentions behind their creation and which organizations they affect. GDPR is much broader in scope: privacy was the driver behind its creation, it covers all personal data rather than only health data, and it applies to any organization, inside or outside the EU, that processes the personal data of people in the EU. HIPAA has evolved over time to center patient privacy but began as a health care portability law. Only HIPAA “covered entities” (health plans, health care clearinghouses and providers that transmit health information electronically) and their “business associates” (the vendors and contractors that handle protected health information on their behalf) are subject to HIPAA, and the law is specific to the United States. The main similarity between HIPAA and GDPR is that both govern how healthcare providers access and record patient information on a daily basis.
What International Nurses Working in the US Should Know About HIPAA
- As a nurse in the US, HIPAA affects you as both a healthcare provider and a healthcare patient. As a patient, you will most likely be offered a HIPAA authorization form at some point, to give written consent to information sharing between providers or to permit sharing with specific family members, friends or partners. HIPAA also gives you the right, as a patient, to access your medical records: a provider must give you copies of your health information if you request them, generally within 30 days.
- Don’t open records unrelated to your patients. As an RN, the most important question to ask before opening a patient record is, “Do I need this information to do my job?” HIPAA’s “minimum necessary” standard means you may only access the records, and the parts of records, that you need to treat your patient. If you don’t need the information to treat your patient, stay away from it.
- Don’t share your login information or use anyone else’s login to access patient records. Every record you open is logged against your user account, and those audit logs are reviewed regularly to find people accessing records that aren’t relevant to their patients. If someone else uses your credentials, their accesses are attributed to you, and you will be the one asked to explain them.
- Be vigilant about closing windows and tabs in electronic medical records and logging out when you walk away so no one can access your patient’s information in your absence.
- When it comes to family members or friends of the patient, make sure you have the patient’s permission to share health information with them. Verbal consent counts, as does the patient not objecting when they are present, able to decide and given the chance to object. If the patient is unavailable or incapacitated, share only what is relevant to that person’s involvement in the patient’s care, and follow your facility’s policy.
- Never share patient identity outside of work. While this may seem obvious, failure to maintain patient privacy by sharing a celebrity’s presence at the facility with the press, for example, has resulted in job termination and severe penalties for some individuals.
- When consulting with other healthcare professionals, only share what’s relevant and necessary. Treat all information sharing on a need-to-know basis.
- HIPAA doesn’t bar all disclosure of patient information. Disclosing information in the right circumstances will be necessary for your job. Under HIPAA, you may disclose identifying information: for treatment, to obtain payment for services rendered, when authorized by the patient, for disaster relief notification, for national security purposes, to law enforcement under specific conditions, to a correctional facility about an inmate, in cases of abuse, neglect or domestic violence, and to avert a serious threat to health or public safety. Each of these permissions has its own conditions, so follow your facility’s procedure rather than deciding on the spot. There are also exceptions for emergencies when the patient is unable to give consent.
- HIPAA violations, including unintentional ones, carry serious consequences. The figures often quoted, a fine of up to $100 per violation and up to $25,000 for all violations of the same requirement within a calendar year, are the original 1996 civil penalties; since the 2009 HITECH Act, civil penalties are tiered by the facility’s level of culpability and run up to $50,000 per violation and $1.5 million per year for violations of the same provision, with the amounts adjusted annually for inflation. Criminal penalties apply to individuals who knowingly obtain or disclose protected health information: up to $50,000 and one year in prison, rising to $250,000 and 10 years when the offense is committed with intent to sell the information or to use it for “commercial advantage, personal gain or malicious harm.”
- You won’t have to figure out HIPAA standards on your own. If you’re reading the above and feeling nervous or concerned about the danger of accidentally violating HIPAA, know that your US employer will provide extensive training on patient privacy protocols. It’s not a one-time thing either. You will most likely receive HIPAA training on a regular basis.
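The audit review mentioned in the checklist above, as an added illustration that is not part of the original page or of any EHR vendor’s software: a small script that reads access-audit lines (the line format, user names, workstation names and patient identifiers are all constructed for this example) and flags the two patterns the checklist warns about, charts opened without a treatment relationship and one set of credentials active on two workstations at once. The treatment-relationship table is an assumption; in a real facility it would come from the staffing or bed-board system.

```python
"""Review an EHR access-audit log for chart access without a treatment
relationship and for credentials used from several workstations at once.

Added illustration, not vendor code. Log format, user names, workstations
and MRNs below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per record access, as an EHR might log it.
AUDIT_LOG = """\
2024-03-04T07:02:10Z user=rn.garcia ws=ICU-03 action=view_chart mrn=100045
2024-03-04T07:05:41Z user=rn.garcia ws=ICU-03 action=view_meds mrn=100045
2024-03-04T07:31:09Z user=rn.garcia ws=ICU-03 action=view_chart mrn=100052
2024-03-04T07:31:40Z user=rn.garcia ws=MED-11 action=view_chart mrn=100052
2024-03-04T09:14:55Z user=rn.garcia ws=ICU-03 action=view_chart mrn=100099
2024-03-04T09:20:00Z user=rn.okafor ws=MED-11 action=view_chart mrn=100052
"""

# Constructed treatment-relationship table (assumed input): which nurse is
# assigned to which patients on which date.
ASSIGNMENTS = {
    ("2024-03-04", "rn.garcia"): {"100045", "100052"},
    ("2024-03-04", "rn.okafor"): {"100052"},
}


def parse_audit_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed ts."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_audit_log(text):
    return [parse_audit_line(ln) for ln in text.splitlines() if ln.strip()]


def unassigned_access(events, assignments):
    """Accesses to a chart the user was not assigned to on that date.

    Returns (user, mrn, ts) tuples. These are leads for a privacy officer to
    review, not proof of a violation: float staff, consults and emergencies
    produce legitimate accesses the assignment table does not capture.
    """
    hits = []
    for e in events:
        day = e["ts"].strftime("%Y-%m-%d")
        allowed = assignments.get((day, e["user"]), set())
        if e["mrn"] not in allowed:
            hits.append((e["user"], e["mrn"], e["ts"]))
    return hits


def concurrent_workstations(events, window=timedelta(minutes=5)):
    """Users whose account was active on two workstations within `window`.

    That pattern is the signature of a shared login or of a session left
    open on a workstation someone else then used.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= window:
                flagged[user] = (a["ws"], b["ws"], a["ts"], b["ts"])
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for user, mrn, ts in unassigned_access(evs, ASSIGNMENTS):
        print(f"review: {user} opened MRN {mrn} at {ts:%H:%M} with no assignment")
    for user, (ws1, ws2, t1, t2) in concurrent_workstations(evs).items():
        print(f"review: {user} active on {ws1} and {ws2} within {t2 - t1}")
```

On the constructed log, the script flags rn.garcia’s access to MRN 100099, which is not on that nurse’s assignment list, and rn.garcia’s account appearing on ICU-03 and MED-11 thirty seconds apart. Both are starting points for a conversation, which is why real audit programs pair this kind of query with a review process rather than treating every hit as a violation.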
HIPAA is best understood as a work in progress. Standards change over time and adapt as the healthcare environment evolves. As a nurse adapting to the privacy practices of a different country, the most important thing to remember is to follow the guidance of your employer. Every covered entity is required to designate a privacy official, so your facility will have at least one person on staff tasked with establishing procedures relevant to HIPAA compliance and ensuring those procedures are followed. Protect your career and your patients by following the privacy and disclosure protocols of your new workplace.
Interested in expanding your nursing career in the United States? Global Nurse Partners brings internationally experienced nurses and US healthcare facilities together for permanent positions and supports their employment relationships throughout the process. Learn more about our partnership program and opportunities for international nurses here.