Understanding the proper safeguards for HIPAA compliance, following proper PHI disclosure methods, and implementing comprehensive business associate agreements are all key to keeping data secure, according to the 2016 OCR HIPAA settlements.
The rulings that have been instituted thus far should be strong examples for healthcare organizations, and provide lessons in what may need to be done to improve HIPAA compliance and keep patient data secure.
Basic HIPAA compliance includes proper safeguards
Implementing the necessary technical, physical, and administrative safeguards that are defined under HIPAA rules should be a top priority for covered entities and business associates. Failing to do so, or simply assuming that the safeguards are up to date, could lead to a healthcare data breach.
For example, an administrative law judge ruled in February that Lincare, Inc. (Lincare) would need to pay $239,800 in civil money penalties (CMPs) imposed by OCR. The OCR complaint alleged that Lincare had been responsible for the PHI disclosure of 278 patients.
An OCR investigation found that a Lincare employee had left medical files behind after moving, and had not taken proper precautions in keeping PHI secure:
OCR found that Lincare had inadequate policies and procedures in place to safeguard patient information that was taken offsite, although employees, who provide health care services in patients’ homes, regularly removed material from the business premises. Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time.
Another OCR settlement showed that research institutions are considered covered entities, and therefore, must also adhere to HIPAA rules.
In March, Feinstein Institute for Medical Research agreed to pay $3.9 million in a HIPAA settlement, following allegations of a healthcare data breach in 2012.
The incident reportedly occurred when a computer programmer’s laptop was stolen from a car. The employee had been responsible for organizing research data.
“Research institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities,” OCR Director Jocelyn Samuels said. “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”
Understanding proper PHI disclosure, authorization
There are proper methods of PHI disclosure, which often require patient authorization before the information can be disclosed. This was shown in an OCR settlement with Complete P.T., Pool & Land Physical Therapy, Inc. in February.
In that case, Complete P.T. agreed to a settlement of $25,000, following a complaint that it had inappropriately disclosed PHI when it “posted patient testimonials, including full names and full face photographic images, to its website without obtaining valid, HIPAA-compliant authorizations.”
OCR explained that all covered entities must have proper policies and procedures for gathering individuals’ permission to post their information. The HIPAA Privacy Rule has limited exceptions, but requires that an individual provide written authorization before his or her PHI can be used for marketing purposes.
“At a minimum, training shall cover all of the topics that are necessary and appropriate for each member of the workforce to carry out that workforce member’s function within CPT, with respect to the use and disclosure of PHI,” the agreement read.
In April, New York Presbyterian Hospital agreed to a $2.2 million OCR HIPAA settlement after it allowed a media crew to film patients without prior authorization.
Specifically, the hospital allowed film crews and staff from ABC television to capture two patients on screen without acquiring appropriate authorization.
“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” OCR Director Jocelyn Samuels wrote in a statement at the time. “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”
Create comprehensive business associate agreements
Business associate agreements are critical for any healthcare organization, and should clearly distinguish the responsibilities of all parties and how they must ensure PHI security.
Minnesota-based North Memorial Health Care agreed to a $1.5 million HIPAA settlement in March after a security incident with one of its business associates. North Memorial had failed to identify the other organization, Accretive Health, Inc., as a business associate.
An Accretive employee laptop was stolen in 2011, potentially compromising the information of over 6,600 individuals.
While the two organizations were working together, there was not a written business associate agreement in place until after the security incident had taken place.
Raleigh Orthopaedic Clinic, P.A. also agreed to a HIPAA settlement concerning business associate agreements in April of this year.
In that case, Raleigh Orthopaedic experienced a reported healthcare data breach when x-rays that had been handled by a third-party vendor were never received by the clinic.
Raleigh Orthopaedic had allegedly contracted the vendor to convert x-ray media from film to an electronic format, and the x-rays would be transferred in exchange for harvesting the silver found in the films. However, Raleigh Orthopaedic did not receive the electronic files.
It was later discovered that Raleigh Orthopaedic had fallen for a scam, and the x-rays had been sold to a recycling company. No business associate agreement had been created between the two organizations. Approximately 17,300 individuals may have had their information exposed.