HIPAA Compliance Crackdown Requires Increased Vigilance


Last month, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced two big settlements involving alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

Those cases brought to six the number of HIPAA-related cases settled since the start of 2016. They also underscore the need for healthcare providers to remain attentive to their compliance requirements so that they are not caught up in OCR’s increased focus on HIPAA violations.

In its most recent case, New York Presbyterian Hospital agreed to settle potential HIPAA violations relating to the disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of a television series without first obtaining permission from the patients.

OCR found that the hospital allowed the crew to film someone who was dying and another in significant distress, even after a medical professional told them to stop. The hospital agreed to pay a $2.2 million settlement and to be monitored by OCR for two years. You can read the settlement agreement here.

It’s one thing to allow media access to your healthcare facility for a story; it’s quite another to allow them access to patients’ personal health information without the patient’s express permission. It’s a fine line that must be walked, and OCR has some helpful guidelines here.

In another case settled last month, Raleigh Orthopaedic Clinic, P.A. of North Carolina agreed to settle charges that it potentially violated HIPAA rules by failing to execute a business associate agreement before turning over the private health information of 17,300 patients to a potential business partner.

Specifically, the clinic released the PHI to an entity that promised to transfer patients’ X-ray films to electronic media in exchange for harvesting the silver from them.

HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.

The clinic agreed to pay $750,000 and is required to revise its policies and procedures. The full settlement agreement can be found here.

As we wrote about in March, Phase 2 of OCR’s long-awaited HIPAA Audit program is targeting business associates of healthcare providers, insurers and other HIPAA-covered entities. OCR is identifying pools of covered entities and business associates that represent a wide range of healthcare providers, health plans, healthcare clearinghouses and business associates.

In March, Feinstein Institute for Medical Research agreed to pay $3.9 million to settle potential HIPAA violations. In this case, the biomedical research nonprofit filed a breach report stating that a laptop containing PHI for 13,000 patients and research participants had been stolen from an employee’s car.

OCR’s investigation found that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the entity.

OCR’s director pointed out that research institutions that are subject to HIPAA have to be held to the same compliance standards as any other HIPAA-covered entity.

A day earlier, OCR announced that North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it potentially violated HIPAA requirements by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

As in the Feinstein case, North Memorial filed a breach report indicating that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle that contained the PHI of 9,497 individuals.

In addition to the fine, North Memorial was required to develop an organization-wide risk analysis and risk management plan. North Memorial also was required to train appropriate workforce members on all policies and procedures. The settlement agreement can be found here.

Providers looking to publicize patient success stories should take a cue from the case of a physical therapy practice based in Los Angeles that agreed to pay a $25,000 settlement for disclosing the PHI of patients in the form of testimonials.

Complete P.T., Pool & Land Physical Therapy, Inc. posted patient testimonials that included their full names and photos to its website without obtaining valid, HIPAA-compliant authorizations. The settlement agreement included the adoption and implementation of a corrective action plan and reporting of compliance efforts for a year.

And, in a relatively rare case, a U.S. Department of Health and Human Services Administrative Law Judge (ALJ) ruled in February that Lincare, Inc. violated HIPAA rules and granted OCR summary judgment on all issues, requiring Lincare to pay $239,000 in civil money penalties imposed by OCR. It was only the second time in OCR’s history that it had sought and been granted civil monetary penalties for HIPAA violations.

OCR’s Director Jocelyn Samuels stated: “While OCR prefers to resolve issues through voluntary compliance, this case shows that we will take the steps necessary, including litigation, to obtain adequate remedies for violations of the HIPAA Rules.”

It was alleged that an employee left behind documents containing the PHI of 278 patients after moving residences. The employee apparently had removed the information from the company’s office and left it in a place where anyone could see it and then abandoned it altogether.

Although Lincare argued it was not in violation of HIPAA rules because the information was stolen by the person who had found it on the premises of an employee, the ALJ rejected the argument stating that Lincare was obligated to take reasonable steps to protect the information from theft.

As you can see in each of these cases, OCR takes HIPAA compliance and the protection of patient information seriously. Providers would be well-advised to make sure they not only have a compliance plan in place, but also that everyone responsible for that information be properly trained in the handling of that information.

Since the Privacy Rule’s compliance date took effect in April 2003, OCR has received more than 130,748 HIPAA complaints and has initiated more than 885 compliance reviews, resolving 96 percent (125,472) of these cases. When it believes there is criminal wrongdoing, OCR refers the case to the Department of Justice. As of March 31, it has made 572 referrals to DOJ.

Having a compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced professionals can help you to create a compliance program designed to meet your unique needs.
