HIPAA compliance: Three cases to learn from

 

Data security experts say three HIPAA violations that resulted in significant fines by the Office for Civil Rights (OCR) in 2018 hold important lessons for health professionals about safeguarding records and training staff in HIPAA compliance.

Read on to learn how the cases unfolded and what knowledge practices can gain from the common HIPAA mistakes.

Who? Allergy Associates of Hartford, Conn.

What happened? A patient contacted a local television station to complain about a dispute between herself and a physician at Allergy Associates in Hartford, Conn. The disagreement stemmed from the office turning away the patient because she allegedly brought her service animal, according to a Nov. 26 announcement by the Department of Health & Human Services. The reporter contacted the doctor in question for a news story and, in responding, the physician disclosed protected patient information to the reporter.

razihusin/iStock/Getty Images Plus

What else? An OCR investigation determined that a privacy officer with Allergy Associates had instructed the physician not to respond to the media about the complaint or to respond with “no comment”; that advice was disregarded. The practice then failed to discipline the physician or take any corrective action following the disclosure, according to the OCR.

How much? The OCR imposed a $125,000 fine on the practice and a corrective action plan that includes 2 years of OCR monitoring.

Lessons learned: Had the practice disciplined the physician or taken corrective action after the disclosure, the OCR may not have penalized the group so severely, according to Jennifer Mitchell, a Cincinnati-based health law attorney and vice chair of the American Bar Association eHealth, Privacy, & Security Interest Group.

“In my opinion, the government levied these penalties because the provider did not sanction the doctor,” Ms. Mitchell said in an interview. “Health care entities need to take proper steps to remediate and, at a minimum, hold their workforce responsible for their behavior and ensure that it won’t happen again.”

The case emphasizes the need to train team members on media protocols and to ensure that protected health information is not mistakenly released. In addition to implementing policies and procedures, practices must also be willing to discipline health professionals when violations occur.

“A health care provider’s natural inclination is to defend themselves if they are being accused by a patient,” she said. “However, under the HIPAA rules, health care providers have to understand that they are prohibited from making such public statements about any patient.”

Who? Advanced Care Hospitalists of Lakeland, Fla.
 

What happened? Advanced Care Hospitalists (ACH) received billing services from an individual who represented himself to be affiliated with a Florida-based company named Doctor’s First Choice Billing. A local hospital later notified ACH that patient information, including names and Social Security numbers, were viewable on the First Choice website. ACH identified at least 400 patients affected by the breach and reported the breach to the OCR. However, ACH later determined that an additional 8,855 patients may have been affected and revised its OCR notification.

Kameleon007/iStock/Getty Images Plus

What else? During its investigation, the OCR found that the hospitalist group had never entered into a business associate agreement for billing services with First Choice, as required by HIPAA, and that the practice also failed to adopt any policies regarding business associate agreements until 2014, according to a Dec. 4 announcement from HHS.

How much? The OCR fined the practice $500,000 and also imposed a robust corrective action plan that includes an enterprise-wide risk analysis and the adoption of business associate agreements. Roger Severino, OCR director, called the case especially troubling because “the practice allowed the names and Social Security numbers of thousands of patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”

Lessons learned: The case illustrates the importance of having a business associate agreement in place for all third parties that may have access to protected health information, said Clinton Mikel, a Farmington Hills, Mich., health law attorney specializing in HIPAA compliance.

 

Under HIPAA, a business associate is defined as a person or entity, other than a member of the workforce of a covered entity, who “performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”

HIPAA requires that covered entities enter into contracts with business associates to ensure appropriate safeguarding of protected health information.

“If your business associate has a breach, your practice must report the breach to OCR and your patients,” Mr. Mikel said in an interview. “The OCR will then investigate your practice and your relationship with the business associate. Just because the breach and fault clearly happened elsewhere, you will still be investigated, and could face a penalty if HIPAA requirements weren’t met.”

Who? Filefax of Northbrook, Ill.
 

What happened? The OCR opened an investigation after receiving an anonymous complaint that medical records obtained from Filefax, a company that provided storage, maintenance, and delivery of medical records for health professionals, were left unmonitored at a shredding and recycling facility. OCR’s investigation revealed that a person left the records of 2,150 patients at the recycling plant and that the records contained protected health information, according to an HHS announcement. It is unclear if the person worked for Filefax.

MarkLevant/iStock/Getty Images Plus

What else? The OCR discovered that, in a related incident, an individual who obtained medical records from Filefax left them unattended in an unlocked truck in the Filefax parking lot.

How much? The OCR imposed a $100,000 fine on Filefax. The company is no longer in business; however, a court-appointed liquidator has agreed to properly store and dispose of the remaining records.

Lessons learned: Although the case did not involve a health provider, the circumstances are applicable to physicians, particularly when practices move or close, Mr. Mikel said. In some cases, a former patient may contact a shuttered practice only to learn their record cannot be located, or worse, that a breach has occurred.

“[Such a case is] ripe for a patient to complain to OCR,” he said. “OCR doesn’t care if you’re closed or retired, they’re going to look.”

HIPAA requires thatcovered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form when moving or closing. The safeguards must prevent prohibited uses and disclosures of protected health information in connection with the disposal of such information, according to the rule. The HHS provides guidance for the disposing of medical records; further, the American Academy of Family Physicians has created a checklist on closing a practice that addresses the transferring of medical records.

Without taking the correct measures, doctors may end up drawing scrutiny from OCR and face a potential fine if violations are found, experts said.

“Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them,” Mr. Severino of the OCR said in a statement. “HIPAA still applies.”

 

Data security experts say three HIPAA violations that resulted in significant fines by the Office for Civil Rights (OCR) in 2018 hold important lessons for health professionals about safeguarding records and training staff in HIPAA compliance.

Read on to learn how the cases unfolded and what knowledge practices can gain from the common HIPAA mistakes.

Who? Allergy Associates of Hartford, Conn.

What happened? A patient contacted a local television station to complain about a dispute between herself and a physician at Allergy Associates in Hartford, Conn. The disagreement stemmed from the office turning away the patient because she allegedly brought her service animal, according to a Nov. 26 announcement by the Department of Health & Human Services. The reporter contacted the doctor in question for a news story and, in responding, the physician disclosed protected patient information to the reporter.

razihusin/iStock/Getty Images Plus

What else? An OCR investigation determined that a privacy officer with Allergy Associates had instructed the physician not to respond to the media about the complaint or to respond with “no comment”; that advice was disregarded. The practice then failed to discipline the physician or take any corrective action following the disclosure, according to the OCR.

How much? The OCR imposed a $125,000 fine on the practice and a corrective action plan that includes 2 years of OCR monitoring.

Lessons learned: Had the practice disciplined the physician or taken corrective action after the disclosure, the OCR may not have penalized the group so severely, according to Jennifer Mitchell, a Cincinnati-based health law attorney and vice chair of the American Bar Association eHealth, Privacy, & Security Interest Group.

“In my opinion, the government levied these penalties because the provider did not sanction the doctor,” Ms. Mitchell said in an interview. “Health care entities need to take proper steps to remediate and, at a minimum, hold their workforce responsible for their behavior and ensure that it won’t happen again.”

The case emphasizes the need to train team members on media protocols and to ensure that protected health information is not mistakenly released. In addition to implementing policies and procedures, practices must also be willing to discipline health professionals when violations occur.

“A health care provider’s natural inclination is to defend themselves if they are being accused by a patient,” she said. “However, under the HIPAA rules, health care providers have to understand that they are prohibited from making such public statements about any patient.”

Who? Advanced Care Hospitalists of Lakeland, Fla.
 

What happened? Advanced Care Hospitalists (ACH) received billing services from an individual who represented himself to be affiliated with a Florida-based company named Doctor’s First Choice Billing. A local hospital later notified ACH that patient information, including names and Social Security numbers, were viewable on the First Choice website. ACH identified at least 400 patients affected by the breach and reported the breach to the OCR. However, ACH later determined that an additional 8,855 patients may have been affected and revised its OCR notification.

Kameleon007/iStock/Getty Images Plus

What else? During its investigation, the OCR found that the hospitalist group had never entered into a business associate agreement for billing services with First Choice, as required by HIPAA, and that the practice also failed to adopt any policies regarding business associate agreements until 2014, according to a Dec. 4 announcement from HHS.

How much? The OCR fined the practice $500,000 and also imposed a robust corrective action plan that includes an enterprise-wide risk analysis and the adoption of business associate agreements. Roger Severino, OCR director, called the case especially troubling because “the practice allowed the names and Social Security numbers of thousands of patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”

Lessons learned: The case illustrates the importance of having a business associate agreement in place for all third parties that may have access to protected health information, said Clinton Mikel, a Farmington Hills, Mich., health law attorney specializing in HIPAA compliance.

 

Under HIPAA, a business associate is defined as a person or entity, other than a member of the workforce of a covered entity, who “performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”

HIPAA requires that covered entities enter into contracts with business associates to ensure appropriate safeguarding of protected health information.

“If your business associate has a breach, your practice must report the breach to OCR and your patients,” Mr. Mikel said in an interview. “The OCR will then investigate your practice and your relationship with the business associate. Just because the breach and fault clearly happened elsewhere, you will still be investigated, and could face a penalty if HIPAA requirements weren’t met.”

Who? Filefax of Northbrook, Ill.
 

What happened? The OCR opened an investigation after receiving an anonymous complaint that medical records obtained from Filefax, a company that provided storage, maintenance, and delivery of medical records for health professionals, were left unmonitored at a shredding and recycling facility. OCR’s investigation revealed that a person left the records of 2,150 patients at the recycling plant and that the records contained protected health information, according to an HHS announcement. It is unclear if the person worked for Filefax.

MarkLevant/iStock/Getty Images Plus

What else? The OCR discovered that, in a related incident, an individual who obtained medical records from Filefax left them unattended in an unlocked truck in the Filefax parking lot.

How much? The OCR imposed a $100,000 fine on Filefax. The company is no longer in business; however, a court-appointed liquidator has agreed to properly store and dispose of the remaining records.

Lessons learned: Although the case did not involve a health provider, the circumstances are applicable to physicians, particularly when practices move or close, Mr. Mikel said. In some cases, a former patient may contact a shuttered practice only to learn their record cannot be located, or worse, that a breach has occurred.

“[Such a case is] ripe for a patient to complain to OCR,” he said. “OCR doesn’t care if you’re closed or retired, they’re going to look.”

HIPAA requires thatcovered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form when moving or closing. The safeguards must prevent prohibited uses and disclosures of protected health information in connection with the disposal of such information, according to the rule. The HHS provides guidance for the disposing of medical records; further, the American Academy of Family Physicians has created a checklist on closing a practice that addresses the transferring of medical records.

Without taking the correct measures, doctors may end up drawing scrutiny from OCR and face a potential fine if violations are found, experts said.

“Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them,” Mr. Severino of the OCR said in a statement. “HIPAA still applies.”

 

Data security experts say three HIPAA violations that resulted in significant fines by the Office for Civil Rights (OCR) in 2018 hold important lessons for health professionals about safeguarding records and training staff in HIPAA compliance.

Read on to learn how the cases unfolded and what knowledge practices can gain from the common HIPAA mistakes.

Who? Allergy Associates of Hartford, Conn.

What happened? A patient contacted a local television station to complain about a dispute between herself and a physician at Allergy Associates in Hartford, Conn. The disagreement stemmed from the office turning away the patient because she allegedly brought her service animal, according to a Nov. 26 announcement by the Department of Health & Human Services. The reporter contacted the doctor in question for a news story and, in responding, the physician disclosed protected patient information to the reporter.

razihusin/iStock/Getty Images Plus

What else? An OCR investigation determined that a privacy officer with Allergy Associates had instructed the physician not to respond to the media about the complaint or to respond with “no comment”; that advice was disregarded. The practice then failed to discipline the physician or take any corrective action following the disclosure, according to the OCR.

How much? The OCR imposed a $125,000 fine on the practice and a corrective action plan that includes 2 years of OCR monitoring.

Lessons learned: Had the practice disciplined the physician or taken corrective action after the disclosure, the OCR may not have penalized the group so severely, according to Jennifer Mitchell, a Cincinnati-based health law attorney and vice chair of the American Bar Association eHealth, Privacy, & Security Interest Group.

“In my opinion, the government levied these penalties because the provider did not sanction the doctor,” Ms. Mitchell said in an interview. “Health care entities need to take proper steps to remediate and, at a minimum, hold their workforce responsible for their behavior and ensure that it won’t happen again.”

The case emphasizes the need to train team members on media protocols and to ensure that protected health information is not mistakenly released. In addition to implementing policies and procedures, practices must also be willing to discipline health professionals when violations occur.

“A health care provider’s natural inclination is to defend themselves if they are being accused by a patient,” she said. “However, under the HIPAA rules, health care providers have to understand that they are prohibited from making such public statements about any patient.”

Who? Advanced Care Hospitalists of Lakeland, Fla.
 

What happened? Advanced Care Hospitalists (ACH) received billing services from an individual who represented himself to be affiliated with a Florida-based company named Doctor’s First Choice Billing. A local hospital later notified ACH that patient information, including names and Social Security numbers, were viewable on the First Choice website. ACH identified at least 400 patients affected by the breach and reported the breach to the OCR. However, ACH later determined that an additional 8,855 patients may have been affected and revised its OCR notification.

Kameleon007/iStock/Getty Images Plus

What else? During its investigation, the OCR found that the hospitalist group had never entered into a business associate agreement for billing services with First Choice, as required by HIPAA, and that the practice also failed to adopt any policies regarding business associate agreements until 2014, according to a Dec. 4 announcement from HHS.

How much? The OCR fined the practice $500,000 and also imposed a robust corrective action plan that includes an enterprise-wide risk analysis and the adoption of business associate agreements. Roger Severino, OCR director, called the case especially troubling because “the practice allowed the names and Social Security numbers of thousands of patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”

Lessons learned: The case illustrates the importance of having a business associate agreement in place for all third parties that may have access to protected health information, said Clinton Mikel, a Farmington Hills, Mich., health law attorney specializing in HIPAA compliance.

 

Under HIPAA, a business associate is defined as a person or entity, other than a member of the workforce of a covered entity, who “performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”

HIPAA requires that covered entities enter into contracts with business associates to ensure appropriate safeguarding of protected health information.

“If your business associate has a breach, your practice must report the breach to OCR and your patients,” Mr. Mikel said in an interview. “The OCR will then investigate your practice and your relationship with the business associate. Just because the breach and fault clearly happened elsewhere, you will still be investigated, and could face a penalty if HIPAA requirements weren’t met.”

Who? Filefax of Northbrook, Ill.
 

What happened? The OCR opened an investigation after receiving an anonymous complaint that medical records obtained from Filefax, a company that provided storage, maintenance, and delivery of medical records for health professionals, were left unmonitored at a shredding and recycling facility. OCR’s investigation revealed that a person left the records of 2,150 patients at the recycling plant and that the records contained protected health information, according to an HHS announcement. It is unclear if the person worked for Filefax.

MarkLevant/iStock/Getty Images Plus

What else? The OCR discovered that, in a related incident, an individual who obtained medical records from Filefax left them unattended in an unlocked truck in the Filefax parking lot.

How much? The OCR imposed a $100,000 fine on Filefax. The company is no longer in business; however, a court-appointed liquidator has agreed to properly store and dispose of the remaining records.

Lessons learned: Although the case did not involve a health provider, the circumstances are applicable to physicians, particularly when practices move or close, Mr. Mikel said. In some cases, a former patient may contact a shuttered practice only to learn their record cannot be located, or worse, that a breach has occurred.

“[Such a case is] ripe for a patient to complain to OCR,” he said. “OCR doesn’t care if you’re closed or retired, they’re going to look.”

HIPAA requires thatcovered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form when moving or closing. The safeguards must prevent prohibited uses and disclosures of protected health information in connection with the disposal of such information, according to the rule. The HHS provides guidance for the disposing of medical records; further, the American Academy of Family Physicians has created a checklist on closing a practice that addresses the transferring of medical records.

Without taking the correct measures, doctors may end up drawing scrutiny from OCR and face a potential fine if violations are found, experts said.

“Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them,” Mr. Severino of the OCR said in a statement. “HIPAA still applies.”