Two recent settlements by large healthcare organizations remind us where the lines are being drawn by the Office of Civil Rights (OCR) of the US Department of Health and Human Services (HHS) with respect to HIPAA violations. Both settlements were with organizations that are considered covered entities under the HIPAA Privacy and Security rules.
Two examples of recent HIPAA violations that are raising eyebrows
Idaho State University (ISU) recently settled with HHS on its alleged HIPAA violations concerning the Security Rule, agreeing to pay $400,000 for a breach of unsecured electronic protected health information (ePHI). The “breach” involved disabled firewalls on the servers which contained ePHI on approximately 17,500 patients. The firewall protections were not in place for at least 10 months.
The interesting thing about this “breach”, like other HIPAA violations, is that there seems to be no indication that any ePHI was misused or released publicly, but the mere fact that the firewalls were not in place was enough for OCR to consider the occurrence a breach. OCR also cited the fact that ISU did not have any procedures for periodically reviewing its information systems to ensure protections such as firewalls were not disabled.
The second settlement was entered into between the OCR and Shasta Regional Medical Center (SRMC). In this case, SRMC commented in the news media on the protected health information of a patient who was alleging Medicare fraud. SRMC had no authorization from the patient to discuss the patient’s protected health information publicly, and even though the patient had publicly disclosed his or her own protected health information, the institution could not rely on that disclosure to engage in disclosures or commentary of its own.
As some observers have noted, an institution has more flexibility when disclosing protected health information in an actual court proceeding, but it cannot even comment on PHI, without authorization, when trying to defend itself in the court of public opinion. And as SRMC discovered, failure to recognize that opens the door to HIPAA violations.
So what are the lessons to be learned from these two HIPAA violations and their related settlements?
First, a breach does not have to involve the actual disclosure of ePHI to unauthorized parties. A covered entity may be considered to have a breach if its protected health information is simply inadequately secured. Since risk assessments must be performed periodically, as required under the HIPAA Security Rule, organizations should take steps to ensure their protections against potential security weaknesses are in place. Furthermore, if an organization claims to be doing periodic audits of the use of its systems, it had better actually perform those audits and maintain a record of the results.
Second, healthcare organizations often face what they may consider negative publicity in traditional media such as newspapers, and increasingly in social media distribution channels. The fact that a patient has disclosed his or her care and treatment at a particular healthcare organization does not give the organization permission to engage in public discussions, disclosing or even commenting on the protected health information of the patient. Covered entities must include instructions to managers and staff members on this type of activity, especially if they are active as an organization in social media.
Third, if OCR comes to investigate, it will likely look at all of your HIPAA compliance activities, and may find practices or procedures out of compliance that have nothing to do with the original issue. Everything you do (or don’t do!) with respect to the HIPAA Security and Privacy Rules is likely to be scrutinized if you are being investigated for a breach.
Avoiding HIPAA violations in an evolving healthcare landscape
No matter what we may think about this brave new world of electronic health records and social media commentary and chatter, it is clear the OCR will continue to teach Covered Entities and Business Associates lessons about protecting the health information of their patients. Don’t be an organization that learns that lesson via a large fine!