Alleged HIPAA Privacy Violations at the Center of a Recent Physician Group Settlement with HHS

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A small physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).

The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Against PCS Stemmed from Internet Calendar Postings

OCR’s investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PCS had disclosed patients’ protected health information (PHI) on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.

Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA’s privacy and security rules.

Are You In Compliance with HIPAA?

The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassebaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many provisions, it established basic minimum standards to ensure the privacy of personal medical information. Its main privacy provisions are codified in various sections of the U.S. Code.

Medical Practices Should Use Caution When Working With Electronic Health Information

This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice’s risk of violating HIPAA’s Privacy Rule and Security Rule.

All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. “HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards.” U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From
http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. “Online Calendar Mistakes Cost Doctors Group $100,000.” Information Week. (Apr. 23, 2012). From
http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. “HHS Settlement for Lack of HIPAA Safeguards.” Proskauer Privacy Law Blog. (Apr. 25, 2012). From
http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Are You Ready for HIPAA and HITECH Audits?

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is launching a pilot program this month to make sure covered entities are in compliance with HIPAA privacy and security rules and breach notification standards, according to the OCR. The OCR will perform up to 150 audits to assess HIPAA compliance.

The HITECH Act requires HHS to perform periodic audits to check for HIPAA compliance. The audits will be conducted from November 2011 through December 2012. Initially these audits will likely focus on hospitals and insurance companies, but HMEs could also be a target.

Though early audits are likely to be educational, intended to get a basic assessment of where providers stand in regard to HIPAA, that doesn’t mean there won’t be repercussions for violations. Because the privacy rule has been established since 2001 and the security rule has been established since 2003, providers cannot be completely excused for missteps.

HIPAA violations can result in severe penalties (per section 1177 of HIPAA) including:

• a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)
• if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both; (Class 5 Felony)
• if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both. (Class 4 Felony)
• Civil fines can also be imposed by the Secretary of DHHS, with a maximum of $100 for each violation and a total amount not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. (Class 3 Felony)

Since the final rule for the HITECH Act hasn’t been issued, the OCR can only expect providers to make reasonable judgments about the provisions in the interim final rule.

Providers need to review where they stand on privacy and security compliance and make any necessary improvements. This pilot program of audits will likely be expanded (and the more violations the OCR encounters, the greater the likelihood of strict enforcement), so all providers should be aware of their current practices and how to ensure compliance.

For more information about HIPAA and other healthcare audits, visit www.TheHealthLawFirm.com.

Patient Privacy Breach at Nemours Follows Florida Hospital Information Leak

After a patient privacy breach at Florida Hospital a few weeks ago, another patient records scare has hit Florida – this time at Nemours.

According to the Orlando Sentinel, information belonging to Central Florida patients of Nemours Children’s Health System has gone missing.

Computer back-up tapes containing old patient billing information have disappeared from the Wilmington, Del., office of Nemours. These tapes were not password protected and were stored in a locked cabinet. Company officials believe the cabinet may have been removed when the office was remodeled in August.

Stored in the missing tapes are patient names, addresses, dates of birth, social security numbers, insurance information, medical diagnoses and treatment codes, as well as bank account information. If stolen, this information could result in identity theft.

The information of more than 1 million patients treated from 1994 to 2004 by a Nemours physician or at a Nemours facility in Florida, Delaware or Pennsylvania was contained on the missing tapes. Approximately 50% of the affected patients are from Florida.

Nemours has sent letters to patients whose information may have been compromised and is offering these patients a year of free credit monitoring and identity-theft protection.

Although Nemours is taking appropriate steps in response to this situation, a major patient privacy breach should not be happening so frequently. This is the second major privacy breach in the last few weeks in Florida, which instills little confidence in patients in the Florida health care system. Health care providers need to be proactive in maintaining patient confidentiality. Patients trust health care providers with the most personal and sensitive details and should have reassurance that unauthorized personnel will never see this information. There should never be any reason that this information gets leaked.

A privacy breach not only impacts patients, but also health care professionals (physicians, nurses, pharmacists, administrators, etc.) who come under attack. When blame is shifted around a health care facility, the work environment may become tense and stressful, especially for those who have access to patient records.

For more information about patient privacy breaches, see this article on confidential medical records.

Avoiding HIPAA Violations

By Michael L. Smith, JD, RRT

Every respiratory therapist knows that the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals and health care providers to maintain the confidentiality of their patients’ protected health information (PHI). RTs may not know that the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is investigating HIPAA violations and imposing sanctions on hospitals and other covered entities for violations. RTs also may not know that the Department of Justice is criminally prosecuting particularly egregious HIPAA violations.

HIPAA violations still occur despite the fact that we have years of training and experience in protecting patient privacy. Hospitals and health care systems take HIPAA violations seriously and frequently terminate employees for those violations. RTs can avoid violating HIPAA, and the consequences associated with a violation, by avoiding the following mistakes.

Never use a patient’s PHI for personal gain. Unfortunately, this point is not so obvious that it can be left out here. A nurse in Arkansas pled guilty to criminal charges of deliberately misusing a patient’s PHI for personal gain. The nurse provided PHI on a patient to her husband so that her husband could use the information in a lawsuit involving the patient. The nurse pleaded guilty to wrongful disclosure of the patient’s health information. Another hospital employee in California pleaded guilty to selling celebrity medical information to at least one media outlet. Numerous celebrity medical records were involved, but the prosecuting attorney did not release the names of the celebrities.

Never snoop in a patient’s medical records. A hospital in Houston fired 16 employees for snooping into the medical records of an acquaintance out of curiosity. A hospital in Arkansas suspended a doctor and fired two employees who snooped into the records of a local newscaster to satisfy their own curiosity. RTs should know that hospitals track the computer activity of their employees and their medical staff. Those same hospitals fire employees who inappropriately access patient records.

Never share PHI with people who have no legitimate reason to know the information. The OCR investigated a hospital and an employee in its surgical department based upon that employee providing a surgery schedule to a hospital supervisor. The surgery schedule included the name and PHI of one of the supervisor’s employees who was scheduled for surgery. The supervisor had no legitimate reason to know about his employee’s PHI.

Never share your computer passwords and log-on information. Most hospitals have a policy requiring their employees to keep their computer passwords and log-on information confidential. Those same hospitals monitor their employees’ computer activity using those same passwords and log-on information. RTs who share their passwords and log-on information with other people will eventually be required to explain instances of inappropriate access to PHI and the violation of their hospitals’ policies.

Never leave a computer unattended without logging off of the computer. Many hospitals have written policies requiring employees to log off their computers before leaving those computers unattended. RTs should not leave a computer unattended without logging off even if their hospital does not have a written policy.

Never communicate PHI to a patient by a method that the patient has not approved. RTs should confirm where their patients have authorized them to leave PHI. The OCR has investigated complaints against health care providers who left telephone messages including PHI at a patient’s home telephone number when the patient gave specific instructions to only be contacted through a cellular number.

Never discuss a patient’s PHI in such a manner that other individuals with no right or need to know the information can overhear the information. A hospital disciplined two of its employees for discussing a patient’s PHI with the patient in the waiting room, which allowed other patients and visitors to overhear the discussion. The patient’s complaint was investigated by the OCR, which found the hospital employees did not take reasonable efforts to avoid the disclosure of PHI. RTs are often treating patients in emergency rooms and other areas that do not provide the best privacy. Only discuss what you absolutely must discuss with the patient in order to provide care. If possible, those patients should be moved to a more private area before discussing PHI.

Never leave a patient’s paper records open and available for prying eyes. Paper records containing PHI are still common and will continue to exist for the foreseeable future. RTs need to remember that HIPAA requires hospitals and health care providers to have reasonable safeguards in place to protect patient records including paper records. RTs should follow their employer’s policies and procedures on paper records including the policies on the destruction of paper records.

RTs can avoid violating HIPAA by only accessing the records they need to provide appropriate care to their patients and by using reasonable safeguards to protect those patient records.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Florida. This article is for general information only and is not a substitute for formal legal advice.

This article was originally published in Advance for Respiratory Care and Sleep Medicine.