Data security experts say three HIPAA violations that resulted in significant fines by the Office for Civil Rights (OCR) in 2018 hold important lessons for health professionals about safeguarding records and training staff in HIPAA compliance.
Read on to learn how the cases unfolded and what knowledge practices can gain from the common HIPAA mistakes.
Who? Allergy Associates of Hartford, Conn.
What happened? A patient contacted a local television station to complain about a dispute between herself and a physician at Allergy Associates in Hartford, Conn. The disagreement stemmed from the office turning away the patient because she allegedly brought her service animal, according to a Nov. 26 announcement by the Department of Health & Human Services. The reporter contacted the doctor in question for a news story and, in responding, the physician disclosed protected patient information to the reporter.
razihusin/iStock/Getty Images Plus
What else? An OCR investigation determined that a privacy officer with Allergy Associates had instructed the physician not to respond to the media about the complaint or to respond with “no comment”; that advice was disregarded. The practice then failed to discipline the physician or take any corrective action following the disclosure, according to the OCR.
How much? The OCR imposed a $125,000 fine on the practice and a corrective action plan that includes 2 years of OCR monitoring.
Lessons learned: Had the practice disciplined the physician or taken corrective action after the disclosure, the OCR may not have penalized the group so severely, according to Jennifer Mitchell, a Cincinnati-based health law attorney and vice chair of the American Bar Association eHealth, Privacy, & Security Interest Group.
“In my opinion, the government levied these penalties because the provider did not sanction the doctor,” Ms. Mitchell said in an interview. “Health care entities need to take proper steps to remediate and, at a minimum, hold their workforce responsible for their behavior and ensure that it won’t happen again.”
The case emphasizes the need to train team members on media protocols and to ensure that protected health information is not mistakenly released. In addition to implementing policies and procedures, practices must also be willing to discipline health professionals when violations occur.
“A health care provider’s natural inclination is to defend themselves if they are being accused by a patient,” she said. “However, under the HIPAA rules, health care providers have to understand that they are prohibited from making such public statements about any patient.”
Who? Advanced Care Hospitalists of Lakeland, Fla.
What happened? Advanced Care Hospitalists (ACH) received billing services from an individual who represented himself to be affiliated with a Florida-based company named Doctor’s First Choice Billing. A local hospital later notified ACH that patient information, including names and Social Security numbers, were viewable on the First Choice website. ACH identified at least 400 patients affected by the breach and reported the breach to the OCR. However, ACH later determined that an additional 8,855 patients may have been affected and revised its OCR notification.
Kameleon007/iStock/Getty Images Plus
What else? During its investigation, the OCR found that the hospitalist group had never entered into a business associate agreement for billing services with First Choice, as required by HIPAA, and that the practice also failed to adopt any policies regarding business associate agreements until 2014, according to a Dec. 4 announcement from HHS.
How much? The OCR fined the practice $500,000 and also imposed a robust corrective action plan that includes an enterprise-wide risk analysis and the adoption of business associate agreements. Roger Severino, OCR director, called the case especially troubling because “the practice allowed the names and Social Security numbers of thousands of patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”
Lessons learned: The case illustrates the importance of having a business associate agreement in place for all third parties that may have access to protected health information, said Clinton Mikel, a Farmington Hills, Mich., health law attorney specializing in HIPAA compliance.