The Office for Civil Rights (OCR) has highlighted recent enforcement actions. An often-asked question from clients is – what are common HIPAA violations and how can they be avoided? Because there are numerous requirements and unique situations for practices, the solution to avoiding HIPAA violations cannot be found in any one action. It is critical to implement, monitor, and maintain compliance, which is easier said than done.
Use Available Tools and Resources – As a client of Eagle Associates you may have tools available to make the process of monitoring and maintaining compliance easier (policy manuals, forms, training materials, audit plans/checklists). One of the most important resources is Live Support, available at no additional cost. The following three examples are recent enforcement actions that could have been avoided by monitoring compliance activities (see the Preventive Measures at the end of each example in this article for Eagle resources that may help prevent such violations).
1 – Business Associate Problem – A Florida physicians group shared protected health information (PHI) with an unknown vendor without a business associate agreement.
The physicians group agreed to pay $500,000 to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. The group provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.
Between November 2011 and June 2012, the group engaged the services of an individual who represented himself to be a representative of a Florida-based billing company. The individual provided medical billing services to the physician group using the billing company’s name and website, but allegedly without any knowledge or permission of the billing company owner.
On February 11, 2014, a local hospital notified the physician group that patient information was viewable on the billing company’s website, including name, date of birth and social security number. In response, the physician group was able to identify at least 400 affected individuals and asked the billing company to remove the PHI from its website. Recognizing this as a privacy breach, the group filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, the group filed a supplemental breach report stating that an additional 8,855 patients could have been affected.
OCR’s investigation revealed that the group never entered into a business associate agreement with the individual providing medical billing services, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. Although the group had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (EPHI).
“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.
In addition to the monetary settlement, the physician group will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.
Preventive Measures – The violation could have been avoided by:
- having written policies and procedures regarding business associates
  - see Section 3.17 of your HIPAA Policy Manual
- establishing Business Associate Agreements
  - see Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template
- conducting regular Security Risk Analyses
  - see Section 4.06 of your HIPAA Policy Manual and the Security Risk Analysis tool in the Member Services area of our web site
2 – Access Problem – A Colorado hospital failed to terminate a former employee’s access to EPHI.
The hospital agreed to pay $111,400 to the OCR and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The hospital is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.
The settlement resolves a complaint alleging that a former hospital employee continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that the hospital impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.
Under the two-year corrective action plan, the hospital has agreed to update its security management and business associate agreements, policies and procedures, and provide security training to its workforce.
Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all entities that qualify as business associates before disclosing protected health information.
Preventive Measures – The violations could have been prevented by:
- implementing termination policies as required by HIPAA’s Security Rule
  - see Section 4.08c of your HIPAA Policy Manual for termination policies
- following policies for establishing a business associate relationship
  - see Section 3.17 of your HIPAA Policy Manual for policies regarding business associates
- obtaining a Business Associate Agreement
  - see Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template
3 – Unauthorized Disclosure of PHI – An allergy practice made an unauthorized disclosure of PHI to a news reporter.
The allergy practice agreed to pay $125,000 to the OCR and to adopt a corrective action plan to settle potential violations of HIPAA’s Privacy Rule. The practice is a health care practice that specializes in treating individuals with allergies and is comprised of three doctors at four locations across Connecticut.
In February 2015, a patient of the practice contacted a local television station to speak about a dispute that had occurred between the patient and one of the practice’s doctors. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter.
OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by the practice’s Privacy Officer to either not respond to the media or respond with “no comment.”
Additionally, OCR’s investigation revealed that the practice failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media.
In addition to the monetary settlement, the practice will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.
Preventive Measures – The violations could have been prevented by:
- ensuring that workforce members are trained on HIPAA requirements and follow guidance provided by compliance staff
  - see the Employee HIPAA Orientation Handbook and the annual HIPAA Privacy Rule training module in the April issue of the Advisor®
- enforcing sanctions when workforce members violate policies
  - see Section 1.14 of your HIPAA Policy Manual for sanction policies
Not all potential HIPAA violations are easily identified and solved. A good rule to follow is: when in doubt, use caution, ask questions, and get advice. Again, as a client of Eagle Associates, you have great resources available to help you avoid such problems. We invite you to call or email us with questions.