Case briefs — HIPAA
The following case studies are based on alleged violations of HIPAA privacy rules. They describe how actions by physicians or their employees led to the allegations, and how risk management techniques may have prevented the violations. The goal in publishing these cases is to help physicians comply with privacy and security standards.
A physician discovered that his office employees had been improperly disposing of paper medical records in garbage bins without first shredding them, in violation of the HIPAA Privacy Rule.
An attorney was retained to determine the scope of the breach and to develop a breach response plan. The breach affected more than 500 patient records, so the physician was legally obligated to notify local media and the Office for Civil Rights (OCR) and Department of Health and Human Services (HHS), in addition to the affected individuals.
The attorney worked with the physician to draft all notifications. Cyber liability insurance covered the physician’s legal expenses, notification costs, costs to provide credit monitoring to affected individuals, and costs to set up a call center to handle patient inquiries.
A staff member at a small medical group received a call from a patient requesting a blank medical records release form. The staff member emailed the form to the patient, but inadvertently attached a list of 75,000 dormant patient accounts, including names, dates of birth, and chart numbers. The patient alerted the group to the error and promised to destroy the information.
An attorney was immediately retained to assist with the breach response plan. A public relations (PR) firm was also retained to help draft a media notice, because the group was in a small town and thousands of the affected individuals resided in the area. The attorney also engaged an IT forensic investigation firm to determine if the patient list had been properly destroyed by the recipient.
Cyber liability insurance covered the group’s legal expenses and costs to notify local media, the OCR/HHS, and affected individuals, as well as PR expenses, IT forensic expenses, and the costs to provide credit monitoring to affected individuals.
A police station received a call from a hotel to investigate a room apparently filled with stolen items. Some of the items in the hotel room, including two boxes full of patient credit card receipts, employee records, and old patient records, were traced back to an orthopedic surgeon’s office.
The police investigation determined that the boxes had been stolen from the surgeon’s storage unit. The police returned the contents of the boxes to the orthopedic surgeon, but she was still legally obligated to notify local media, the OCR/HHS, and approximately 1,200 affected individuals of the breach.
An attorney worked with the orthopedic surgeon and a PR firm to draft the notifications. Cyber liability insurance covered the physician’s legal and PR expenses, notification costs, the costs to provide credit monitoring to affected individuals, and the costs to set up a call center to handle patient inquiries.
A programming error within the computer system at a large medical group erroneously allowed patient information to become publicly visible on the Internet. The OCR was alerted and launched an investigation. There were approximately 8,700 patients affected by this breach.
The group had cyber coverage on its medical professional liability insurance policy, which covered patient notification services, IT forensics, and legal counsel expenses. Counsel anticipated that the insured would also face fines and penalties from the OCR that may be covered by its policy.
The OCR was notified by a radiation oncology private physician practice regarding a breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. The bag contained the employee’s computer and unencrypted backup media, which contained the names, addresses, dates of birth, Social Security numbers, insurance information, and clinical information of approximately 55,000 current and former patients.
OCR’s subsequent investigation found that, before the breach, the physician’s practice was in widespread non-compliance with the HIPAA Security Rule. It had not conducted an enterprise-wide risk analysis when the breach occurred, nor did it have a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities.
The practice agreed to settle potential HIPAA violations.
In mid-2015, a dental laboratory learned that a former employee, before his departure, had accessed and copied information from a large dental group’s computer system onto his own personal data drive and online file hosting account. The information included W-2 forms for the group’s employees, together with payroll and direct deposit information, including bank accounts, routing numbers, Social Security numbers, and dates of birth. An estimated 3,400 individuals in four states were affected.
Legal counsel was retained to assist the group in responding to the breach. A call center and notification vendor were also retained in connection with the matter, due to the size of the breach.
A health care facility received an anonymous phone call from a web developer who found electronic health information of several patients on 4chan, a public Internet forum.
A forensic investigation determined that the facility’s system had been breached several months earlier, and the electronic health information had been accessible on 4chan for some time. Also, it appeared that the information had been downloaded several times outside the U.S. Approximately 8,700 individuals were affected by the breach. Due to the size of the breach, the facility notified local media and the OCR/HHS.
The OCR/HHS responded by filing a formal complaint against the facility for violations of the HIPAA Privacy and Security Rules. Cyber liability insurance covered the facility’s legal and PR expenses, notification costs, costs to provide credit monitoring to affected individuals, costs to set up a call center to handle patient inquiries, and defense fees relating to the OCR proceeding.
A complaint was filed against a rural family practice clinic alleging that clinic staff failed to verify the identity of a patient's father when he requested access to his minor daughter's medical record.
The physician's office explained that clinic personnel were aware of the identity of the patient's father and of his relationship to the patient. The patient's father was described as disruptive when he came to the office asking for the medical records. (He had not accompanied his daughter to the appointment.) In an effort to minimize his disruptive behavior, he was not asked for his name or photo ID when the records were given.
A complaint was filed, and the OCR alleged that the clinic was not in compliance with federal standards for privacy of PHI. Specifically, before disclosing any PHI, a physician's office must verify the identity of a person requesting the PHI and the authority of any such person to access the PHI if the identity or authority is not known.
To comply with HIPAA privacy standards, physician practices are required to have policies and procedures in place for safeguarding patients' PHI. Among these should be a policy and procedure for verifying the identities of those requesting access to PHI and their authority to access PHI. Staff should be trained to consistently follow these policies and procedures.