First, contacting the patient over the phone about account delinquency without the patient's authorization contravenes the Health Insurance Portability and Accountability Act (HIPAA). Contravening HIPAA rules carries civil and criminal penalties. The HIPAA Privacy Rule allows health care providers to reach out to or open communication with the patient only for treatment purposes. The rule restricts communications related to advertising, telemarketing, and solicitation. In this case, the physician is calling for solicitation purposes, since the intention of the call is to request that the patient settle her delinquent account. Willful violation of HIPAA rules attracts minimum fines of $10,000 and maximum penalties of $250,000. Violating HIPAA rules for malicious gains such as solicitation can result in a maximum prison term of 10 years.
Calling the patient's workplace is another contravention, since it compromises the security or privacy of the Protected Health Information (PHI). Calling the patient's workplace improperly exposes PHI, in violation of the HIPAA Security Rule. The HIPAA Security Rule dictates that ePHI transfers should restrict access, recording, or reconstruction. Calling on workplace lines could result in the recording and reconstruction of PHI and is therefore not authorized by HIPAA. Health care administration should avoid using public or insecure channels for relaying PHI.
Finally, disclosing patient information to a co-worker without prior permission contradicts the Breach Notification Rule. The rule requires health entities to notify their patients when their health data is impermissibly used or disclosed in a manner that compromises the security and privacy of the PHI. Disclosure of PHI without consent is only allowed when there is sufficient risk to public health. Disclosing information to a third party is a deliberate violation of HIPAA and may result in the withdrawal of the clinic's and the physician's operating licenses.