March 25, 2008
HIPAA Privacy Regulations: Are You In Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal privacy law that went into effect on April 14, 2003. As of that date, health care providers, health plans, and other health businesses have been required to comply with the law.
The law is designed to provide privacy and security to citizens, to ensure their health information can’t be used against them in any way, and that their medical records can’t be accessed by another party without their permission.
HIPAA prohibits health care providers from disclosing any health information to a third party without explicit, written authorization from the patient. For an authorization to be considered valid under the law, it must describe the information to be shared and include the name of the person to whom the information is to be disclosed, an expiration date, and the patient’s signature.
One major exception to the law is the sharing of information between doctor’s offices. Patient medical records can be transferred from one doctor’s office to another without patient consent for treatment purposes.
Treatment, in this case, includes consultations between different providers for the purpose of referrals and for treatment of a patient by multiple providers. This can be done by fax or other means, without patient consent.
The fact that patients apparently can't sue providers directly for federal HIPAA violations offers little security. Patients have sued - and won - under different state laws, with several judgments running into the tens of millions of dollars. Patients can also file a complaint with the Secretary of Health and Human Services by way of the Office for Civil Rights. HHS could impose civil penalties on the health care provider ranging from $100 to $25,000, and criminal sanctions could range from $50,000 to as much as $250,000 and could even include a prison sentence! With such strict rules and requirements and such stiff penalties for noncompliance (to say nothing of the negative PR), it is vital to make every effort to keep your organization in compliance.
Employees should all be thoroughly versed on the letter of the law, and should all be given very specific rules about how they should handle patient privacy. Unfortunately, rules and regulations don’t always prevent accidental leaks of information.
If employees are distracted, they might inadvertently violate a portion of the law and put the organization out of compliance. In addition to accidental leaks through employee negligence, patient information could also be overheard by a third party when it is discussed between employees within the establishment.
For example, when a celebrity like Britney Spears goes to the hospital, the paparazzi are never far behind. They might listen in on conversations between employees. If that celebrity patient (with bottomless pockets and a high-power legal team) has opted out of having their information shared, they could be very upset by this, especially since reporters are not bound by HIPAA and can freely disclose any information they do manage to find out. Even if you don't count many celebrities among your clients, legally, your clients can demand the same privacy protections. What confidential patient information is routinely discussed in your waiting rooms or nursing stations?
A good sound masking system can help keep you in compliance. It will help your employees tune out distracting noises, making them less likely to make mistakes and inadvertently share patient information with the wrong party.
It could also help prevent third parties from accidentally - or not so accidentally - overhearing conversations about a patient’s condition, because it makes speech harder for the brain to distinguish unless the conversation is taking place nearby and the listener is deliberately trying to follow it.
Filed under Blog by Frank