There have been a variety of recent developments in the area of HIPAA violations.

HIPAA and Medical Industry Compliance

On December 17, 2020, the Office of Civil Rights (OCR) of the Department of Health and Human Services, the federal agency responsible for HIPAA enforcement, released its 2016-2017 HIPAA Industry Audits Report. The Report reviewed selected health care entities and business associates for compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

OCR conducted audits of 166 covered entities and 41 business associates and has notified these organizations of their findings. OCR published its overall findings on compliance with the audited provisions of the HIPAA Rules within a sample of the regulated industry.

Most of the audited covered entities were health care providers. Half were medical practitioners, most of the rest were pharmacies or hospitals.

The most notable findings of the report were as follows:

• Most covered entities failed to provide all of the required content for breach notification to individuals;
• Most covered entities failed to provide all of the required content in their Notices of Privacy Practices;
  • Only two percent of covered entities fully met this requirement, while two thirds failed to or made minimal or negligible efforts to comply with this requirement.
  • Almost all of the notices of privacy practices were missing required content, often related to individual rights.
• Most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.
  • Only 14 percent of covered entities and 17 percent of business associates were substantially fulfilling their responsibilities to safeguard electronic protected health information they hold by conducting a risk analysis.
  • Ninety-four percent of covered entities and eighty-eight percent of business associates failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

The failure to provide a complete and accurate notices of privacy practices, particularly with regard to the privacy rights of patients, is especially concerning. First, it leaves patients in the dark about their rights. Second, under circumstances that would permit the incorporation of the notice of privacy practices into the contract between the provider and the patient, it might limit the patient’s ability to assert a contract claim for a breach of his or her privacy rights.

If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.

HIPAA and COVID-19

The HIPAA Privacy Rule requires that covered entities, specifically medical providers, insurance companies and healthcare information clearinghouses, and their business associates, must keep most of your medical information private. The HIPAA Privacy Rule remains in full force and effect despite the current Coronavirus pandemic.

However, certain disclosures are allowed under HIPAA, even without any authorization from the patient. Permitted uses of a patient’s medical information include,

• Disclosures for the purpose of treatment or for coordination or management of care, consultation between healthcare providers, and referral of patients for treatment.
• Disclosures for the purpose of protecting public health, such as providing the CDC or the public health authorities of a state or city with information about Covid-19 cases. This is to allow public health authorities to prevent or control disease, injury, or disability.
• If state law permits it, then covered entities are also allowed to disclose protected health information to persons at risk of contracting or spreading a disease. This can include disclosures to police officers, EMTs, and other first responders who may be exposed to the coronavirus by virtue of contacts with a person who tested positive.
• Disclosures may be made to family, friends, and others involved in an individual’s care, if permitted by the patient, or where notifications may need to be made about a patient’s medical status or death.
• Finally, protected health information may be disclosed if, in the judgment of the provider, it is necessary to prevent a serious or imminent threat to the health or safety of an individual or the public.

Disclosures of protected health information about identifiable patients to members of the public or the media are still prohibited by the terms of the Privacy Rule, absent authorization from the patient.

The Office of Civil Rights (OCR) has issued a notice that it will not impose penalties on healthcare providers for HIPAA privacy violations in connection with good faith provision of telehealth services using communication technologies during the COVID-19 public health emergency. In addition, OCR has also indicated it will not penalize healthcare providers for violations of the HIPAA Privacy Rule that choose to participate in the operation of community based testing sites for COVID-19.

If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.

HIPAA And Social Media Reviews

In October 2019 the Office of Civil Rights (OCR) at the Department of Health and Human Services issued a $10,000 fine against a dental practice in Dallas, Texas arising out of the disclosure of protected health information (PHI) on social media.

A patient posted a negative review of the dental practice online, and the practice responded to the review by disclosing the patient’s last name and details of his condition. The patient complained, and OCR opened an investigation. In the course of the investigation, OCR discovered that the dentistry practice had disclosed the information of multiple patients in response to Yelp reviews. The dental practice didn’t have a policy or procedure regarding disclosures of PHI to ensure that social media interactions protected the information of its patients. OCR agreed to accept a substantially reduced settlement amount in consideration of the small size of the business and its cooperation in the investigation. In addition to the fine, the dental practice will undertake a corrective action plan and two years of routine HIPAA compliance monitoring. “Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

With this enforcement action, OCR has made clear that a disclosure of PHI is unacceptable even in circumstances where the purpose was to respond to a negative review, and even though the patient may have disclosed some information about the nature of the treatment. The lesson is that even if you, as a patient, may disclose information about your health, that doesn’t permit an unauthorized disclosure by your doctor or dentist, or their social media director.

If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.

PRIVATE RIGHT OF ACTION

On January 16, 2018, the Connecticut Supreme Court issued its opinion in Byrne v. Avery Center for Obstetrics and Gynecology, (Conn. Sup. Ct., Case No. 19873, 2018). This case is notable because it is the clearest statement in the country about the ability of private individuals to sue for HIPAA violations under state law. The Connecticut Supreme Court found that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained for the purpose of treatment gives rise to a cause of action against the health care provider, unless the disclosure is otherwise allowed by law. The Court allowed the case to go to the jury to determine whether the Avery Center violated that duty of confidentiality when it disclosed Byrne’s medical records in response to a subpoena and found that the mere existence of a subpoena does not preclude recovery for breach of confidentiality. The Avery Center had apparently complied neither with the requirements of the subpoena nor with the federal HIPAA regulation governing responses to such subpoenas.

In May 2017 St. Luke’s-Roosevelt Hospital Center Inc. paid the U.S. Department of Health and Human Services (HHS) $387,200 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center wrongfully disclosed the patient’s protected health information to the patient’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center faxed the patient’s records to his employer rather than sending it to the requested patient’s personal post office box. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident, but had not addressed the vulnerabilities in their compliance program to prevent improper disclosures.

Also in May 2017, Memorial Hermann Health System (MHHS) agreed to pay $2.4 million to the U.S. Department of Health and Human Services (HHS) and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy Rule. MHHS is a not- for-profit health system located in Southeast Texas, comprised of 16 hospitals and specialty services in the Greater Houston area. The HHS Office for Civil Rights (OCR) initiated a compliance review of MHHS based on multiple media reports suggesting that MHHS disclosed a patient’s protected health information (PHI) without an authorization. In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff. The staff immediately alerted appropriate authorities of the incident, and the patient was arrested. This disclosure of PHI to law enforcement was permitted under the HIPAA Rules. However, MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the improper disclosure of the patient’s PHI by adding the patient’s name in the title of the press release. In addition, MHHS failed to timely document the sanctioning of its workforce members for wrongfully disclosing the patient’s information

Each of these cases make clear that the penalties associated with repeated violations of HIPAA can be incredibly expensive.

If you believe that your medical privacy or HIPAA rights have been violated then call us at 912-401-0121, or contact us here.