HIPAA Compliance Settlements – 6 to learn from

HIPAA Settlements calculation

HIPAA compliance settlements are many and expensive! As we kick off this year, there are a few things to consider from HIPAA compliance settlements, and how it is being enforced.  If it is difficult for you to address all of these, consider third-party consulting assistance.

 

HIPAA Compliance Settlement #1-Release of Information

Covered entities are coming under increased scrutiny to comply with the provisions of HIPAA requiring them to release protected health information to patients upon request.  The Office for Civil Rights (OCR) of the Health and Human Services Department has announced an initiative to vigorously enforce the rights of patients to receive copies of medical records timely and without excessive costs.

OCR reached an $85,000 resolution agreement with Bayfront Health St. Petersburg in 2019 after the hospital failed to comply with HIPAA when it refused to release medical records to a mother related to her unborn child.  It also reached an $85,000 resolution agreement with Korunda Medical, a Florida medical practice.  Korunda Medical failed to provide a copy of medical records in the format requested (electronic) despite repeated requests.

 

Compliance Settlement #2-HIPAA Risk Analysis

The requirement to conduct a HIPAA risk analysis has been around since compliance with the HIPAA Security Rule was finalized in April 2005.  Yet covered entities routinely fail to conduct such analyses, or their analyses are defective.

The OCR reached a resolution agreement in 2018 with Fresenius Medical Care North America (FMCNA) for $3.5m related to failure to perform HIPAA risk assessments at 5 of its dialysis facilities.  An investigation by OCR following unauthorized disclosures of PHI at the facilities in 2012 and 2013 showed FMCNA had failed to conduct risk assessments of its systems containing ePHI.  FMCNA did not analyze the risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.

Notice also that when the OCR comes to investigate a potential unauthorized disclosure of ePHI, it assesses the entity’s compliance with every one of the Security Rule provisions, not just the provision related to the unauthorized disclosure.  This is why the OCR was able to cite at least 6 separate failures of compliance with the Security Rule at the FMCNA facilities.

 

Compliance Settlement #3-Social Media/Email

Seven years after we first published blogs on HIPAA and Email, we still get several inquiries each month on email and HIPAA.  Many questions we addressed may be useful for you to review.

The most important advance in all that time has been the advent of several applications to encrypt email, protecting the PHI that may be mentioned or contained in the email.  We still strongly recommend that covered entities get written consent from patients before communicating with them via email.

The OCR is also keeping an eye on unauthorized disclosures via social media.  In 2019, the OCR reached a $10,000 resolution agreement with a dental practice in Dallas, TX.  The practice had responded to a patient’s social media review by publishing the patient’s name and information on health conditions.

Patients are free to disclose any information about themselves in any forum, but covered entities are bound by HIPAA – unless they get permission to release a patient’s PHI.

 

Compliance Settlement #4-Lost Laptops

Laptops and other electronic devices containing unencrypted ePHI continue to be one of the most frequent sources of unauthorized disclosures affecting large numbers of patients.

The OCR reached a $65,000 resolution agreement with an ambulance company at the end of 2019 related to its report of a lost laptop in 2013.  The laptop was unencrypted and contained ePHI about 500 patients.

 

Compliance Settlement #5-Reporting Breaches

The vast majority of breaches involve only one or a small handful of patients and their PHI.  They are only required to be reported after the end of each calendar year.  But when breaches involve a few hundred people, it behooves covered entities to review carefully the PHI that was disclosed, and the number of patients affected.  Don’t make it worse by not providing a HIPAA breach notification letter correctly.

The OCR reached a $2.175m settlement with Sentara Hospitals in 2019 related to its mistakes in reporting a breach involving sending bills to the wrong patients.  Sentara reported the issue only affected eight patients when it actually affected 577 patients.  Sentara maintained that bills only showing the names, addresses and account numbers did not constitute a reportable breach.  This investigation started with a complaint from a single patient.

 

Compliance Settlement #6-Loss of Paper Records

More and more medical records are being recorded in electronic systems, but that does not mean we should relax the maintenance and storage of paper records.  The HIPAA Privacy Rule still protects paper records, after all.

The OCR reached a $2.15m settlement with Jackson Health System in Miami after JHS reported it lost paper records of 756 patients in January 2013.  But three other boxes of records had also been lost, and that loss was not reported until June 2016.  Breaches were also reported in 2015 (a photograph was taken in surgery) and 2016 (an employee selling patient information).

The lesson is that repeated reports to HHS of unauthorized disclosures may result in an OCR investigation – even years later.

Patients, like consumers everywhere, are more and more skeptical about the ability of covered entities to safeguard their protected health information.  Like other risk management activities, it takes eternal vigilance to successfully safeguard your patient’s health information.  And if you fail, the OCR may come knocking to see just what led to the failure.  And their lessons don’t come cheap!  It is in your best interests not to end up as another provider on a list of HIPAA compliance settlements.

 

What you can do about HIPAA and Corporate Compliance

(1) Have a HIPAA Risk Analysis completed and implement the findings of the resulting Gap-Analysis report;

(2) audit your corporate compliance program now.  You may want to use this corporate compliance checklist to get started.

(3) If applicable, it may be beneficial to “outsource compliance” and ensure that it is done right.

When you need proven expertise and performance

Jim Hook, MPH

Mr. James D. Hook has over 30 years of healthcare executive management and consulting experience in medical groups, hospitals, IPA’s, MSO’s, and other healthcare organizations.