There have been a variety of recent developments in the area of HIPAA violations.

Recent HIPAA News February 2020

In October 2019 the Office for Civil Rights (OCR) at the Department of Health and Human Services issued a $10,000 fine against a dental practice in Dallas, Texas, arising out of the disclosure of protected health information (PHI) on social media.

A patient posted a negative review of the dental practice online, and the practice responded to the review by disclosing the patient’s last name and details of his condition. The patient complained, and OCR opened an investigation. In the course of the investigation, OCR discovered that the dentistry practice had disclosed the information of multiple patients in response to Yelp reviews. The dental practice didn’t have a policy or procedure regarding disclosures of PHI to ensure that social media interactions protected the information of its patients. OCR agreed to accept a substantially reduced settlement amount in consideration of the small size of the business and its cooperation in the investigation. In addition to the fine, the dental practice will undertake a corrective action plan and two years of routine HIPAA compliance monitoring. “Social media is not the place for providers to discuss a patient’s care,” said OCR Director Roger Severino. “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

With this enforcement action, OCR has made clear that a disclosure of PHI is unacceptable even in circumstances where the purpose was to respond to a negative review, and even though the patient may have disclosed some information about the nature of the treatment. The lesson is that even if you, as a patient, may disclose information about your health, that doesn’t permit an unauthorized disclosure by your doctor or dentist, or their social media director.

PRIVATE RIGHT OF ACTION

On January 16, 2018, the Connecticut Supreme Court issued its opinion in Byrne v. Avery Center for Obstetrics and Gynecology, (Conn. Sup. Ct., Case No. 19873, 2018). This case is notable because it is the clearest statement in the country about the ability of private individuals to sue for HIPAA violations under state law. The Connecticut Supreme Court found that a duty of confidentiality arises from the physician-patient relationship and that unauthorized disclosure of confidential information obtained for the purpose of treatment gives rise to a cause of action against the health care provider, unless the disclosure is otherwise allowed by law. The Court allowed the case to go to the jury to determine whether the Avery Center violated that duty of confidentiality when it disclosed Byrne’s medical records in response to a subpoena and found that the mere existence of a subpoena does not preclude recovery for breach of confidentiality. The Avery Center had apparently complied neither with the requirements of the subpoena nor with the federal HIPAA regulation governing responses to such subpoenas.

In May 2017 St. Luke’s-Roosevelt Hospital Center Inc. paid the U.S. Department of Health and Human Services (HHS) $387,200 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a comprehensive corrective action plan. St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (the Spencer Cox Center), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases. In September 2014, the HHS Office for Civil Rights (OCR) received a complaint alleging that a staff member from the Spencer Cox Center wrongfully disclosed the patient’s protected health information to the patient’s employer. This impermissible disclosure included sensitive information concerning HIV status, medical care, sexually transmitted diseases, medications, sexual orientation, mental health diagnosis, and physical abuse. OCR’s subsequent investigation revealed that staff at the Spencer Cox Center faxed the patient’s records to his employer rather than sending them to the personal post office box the patient had requested. Additionally, OCR discovered that the Spencer Cox Center was responsible for a related breach of sensitive information that occurred nine months prior to the aforementioned incident, but that it had not addressed the vulnerabilities in its compliance program to prevent improper disclosures.

Also in May 2017, Memorial Hermann Health System (MHHS) agreed to pay $2.4 million to the U.S. Department of Health and Human Services (HHS) and adopt a comprehensive corrective action plan to settle potential violations of the HIPAA Privacy Rule. MHHS is a not-for-profit health system located in Southeast Texas, comprised of 16 hospitals and specialty services in the Greater Houston area. The HHS Office for Civil Rights (OCR) initiated a compliance review of MHHS based on multiple media reports suggesting that MHHS disclosed a patient’s protected health information (PHI) without an authorization. In September 2015, a patient at one of MHHS’s clinics presented an allegedly fraudulent identification card to office staff. The staff immediately alerted appropriate authorities of the incident, and the patient was arrested. This disclosure of PHI to law enforcement was permitted under the HIPAA Rules. However, MHHS subsequently published a press release concerning the incident in which MHHS senior management approved the improper disclosure of the patient’s PHI by adding the patient’s name in the title of the press release. In addition, MHHS failed to timely document the sanctioning of its workforce members for wrongfully disclosing the patient’s information.

Each of these cases makes clear that the penalties associated with repeated violations of HIPAA can be incredibly expensive.

If you believe that your medical privacy has been violated, then please call us at 912-401-0121. We can help.