The following case studies are based on actual complaints alleging violations of HIPAA privacy and security rules. The studies describe how actions by physicians or their employees led to the allegations, and how risk management techniques may have prevented the violations. The ultimate goal in publishing these studies is to help physicians comply with HIPAA standards.
Failure to verify identity before allowing access to patient medical record
A complaint was filed against a rural family practice clinic alleging clinic staff failed to verify the identity of a patient's father when he requested access to his minor daughter's medical record.
The physician's office explained that clinic personnel were aware of the identity of the patient's father and of his relationship to the patient. The patient's father was described as disruptive when he came to the office asking for the medical records. (He had not accompanied his daughter to the appointment.) To minimize his disruptive behavior, he was not asked for his name or photo ID when the records were given.
Following the complaint, the OCR alleged that the clinic was not in compliance with federal standards for privacy of PHI. Specifically, before disclosing PHI, a physician's office must verify the identity of the person requesting it and that person's authority to receive it whenever the identity or authority is not already known to the office. (1)
Risk management considerations
To comply with HIPAA privacy standards, physician practices are required to have written policies and procedures for safeguarding patients' PHI. Among these should be a procedure for verifying the identity of anyone requesting access to PHI and that person's authority to receive it, and staff should be trained to follow the procedure consistently. For patients, parents, or guardians who are already known to and recognized by office staff, it is not necessary to check a photo ID before turning over copies of records. If there is any doubt about a requester's identity or authority, confirm both before releasing anything, and note in the record how they were confirmed. Authority deserves particular attention for minors: a parent is ordinarily the minor's personal representative, but state law and exceptions in the privacy rule limit that authority for some types of care. A disruptive requester is a reason to slow down and follow the procedure, not to skip it.
Patient not given copies of medical records
A complaint was filed against a nephrologist alleging that a patient requested copies of her medical records and the patient was told that she should have kept the copies she was given at each appointment.
Based on the complaint, the OCR alleged that the nephrologist's office was not in compliance with federal standards for individuals' right of access to their PHI. (2)
Risk management considerations
With few exceptions, patients have the right to inspect and obtain copies of their PHI, and that right is not satisfied by copies handed out at earlier visits. A practice may require that the request be made in writing; when records are to be released to someone other than the patient, a signed authorization is required. To be acceptable under HIPAA and compliant with state law, the authorization must:
- be in writing;
- identify who is authorized to make the disclosure;
- identify who may receive the PHI;
- identify who may make the authorization;
- identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health, and substance abuse treatment;
- describe the purpose of the disclosure;
- note when the authorization expires; and
- contain a signature and date (of the patient or personal representative).
A valid authorization must also have these statements:
- the patient has the right to revoke the authorization, with instructions on how to revoke;
- clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
- a warning that the PHI may be re-disclosed by the receiving entity.
The patient must receive a copy of the authorization and the provider must also maintain a copy.
Mental health information calls for additional care. The cited guidance states that notes forwarded to the physician by a mental health professional (a psychiatrist, psychologist, or licensed professional counselor) cannot be re-disclosed, even under subpoena, unless the physician receives a specific HIPAA-compliant authorization. (3)(4) Note that HIPAA itself singles out psychotherapy notes, which require a specific authorization before release; the broader restrictions on mental health records come largely from state law, so practices should check both before releasing anything in this category.
Computer containing PHI was stolen
A group practice was burglarized and many of its computers were stolen, among them the server holding the practice management database. The database contained every patient's demographic file: names, home addresses, dates of birth, social security numbers, and diagnoses. Access to the practice management application was password protected, but a login password does not protect the data on a disk that a thief physically possesses; the database files can be copied off the drive and opened directly, bypassing the application entirely. The practice sent letters to its patients notifying them of the breach and notified the OCR of the burglary and breach of PHI.
According to the OCR, the burglary and resulting breach of PHI could constitute violations of the privacy rule (impermissible disclosure of PHI and failure to safeguard it) and of the security rule's administrative, physical, and technical safeguard standards. (5)
Risk management considerations
HIPAA and HITECH require physicians to employ a series of administrative, technical, and physical safeguards to ensure the security of PHI.
Additionally, physicians are required to notify patients of breaches of unsecured PHI. Notification must be made without unreasonable delay and no later than 60 days after the breach is discovered. Notification must be in writing by first-class mail, or by e-mail if the patient has agreed to electronic notice; in urgent cases the patient may also be contacted by telephone, but a call supplements rather than replaces the written notice.
If the breach involves more than 500 patients, the HHS secretary must be notified at the same time the patients are notified, and information about the breach will be posted on the HHS web site. Prominent media outlets serving the affected state or jurisdiction must also be notified when more than 500 residents of that state or jurisdiction are affected.
One critical exception to the notification requirement: if the breached PHI was secured, meaning encrypted in a manner consistent with HHS guidance, notification is not required. The exception applies only if the decryption key was not stolen along with the data; a key stored on the same server as the database leaves the data unsecured. This rule provides a significant incentive for physicians to encrypt PHI at rest, particularly on servers, laptops, and portable media. (6)
Following the burglary, the practice took steps to provide better security for patient personal information. It no longer keeps personal information on a server in the office; all personal information is stored on an off-site server, reachable only through a secured, encrypted virtual private network. The practice also improved physical security in the office. Two caveats apply to such a design: the VPN encrypts data in transit but does nothing for data at rest, so the off-site server and any workstation or laptop that caches records still need disk or database encryption; and if a third party operates the off-site host, it must be covered by a business associate agreement.
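As an added example (written for this edit, not code from the original article or from TMLT), the following Go program contrasts the two storage designs in this case: a database that is merely password protected at the application layer, whose on-disk bytes are plaintext, and the same records encrypted at rest with AES-256-GCM under a key held somewhere other than the stolen server. The record layout, the sample patients, and the function names (SerializeUnprotected, EncryptAtRest, DecryptAtRest, LeaksPlaintext) are constructed for the demonstration; LeaksPlaintext stands in for the question an investigator asks of a stolen file: can the identifiers be read without any key?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// PatientRecord holds the kind of demographic data the stolen server contained.
type PatientRecord struct {
	Name      string `json:"name"`
	SSN       string `json:"ssn"`
	Diagnosis string `json:"diagnosis"`
}

// SampleRecords is constructed test data, not real patients.
var SampleRecords = []PatientRecord{
	{"Jane Doe", "123-45-6789", "CKD stage 3"},
	{"John Roe", "987-65-4321", "Hypertension"},
}

// SerializeUnprotected is the on-disk form of a database whose only protection
// is an application login: the login gates the program, not the bytes.
func SerializeUnprotected(records []PatientRecord) ([]byte, error) {
	return json.Marshal(records)
}

// NewKey returns a random 256-bit key; keep it off the server that holds the data (KMS, HSM, another host).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD; aes.NewCipher rejects keys that are not 16, 24 or 32 bytes, and NewKey supplies 32 (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtRest returns nonce || ciphertext || tag; without the key the blob reveals only its length.
func EncryptAtRest(key []byte, records []PatientRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest; a wrong key or a modified blob fails GCM authentication.
func DecryptAtRest(key, blob []byte) ([]PatientRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is too short to hold a nonce", len(blob))
	}
	plaintext, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or tampered data): %w", err)
	}
	var records []PatientRecord
	if err := json.Unmarshal(plaintext, &records); err != nil {
		return nil, err
	}
	return records, nil
}

// LeaksPlaintext is the breach-assessment question for a stolen file: can the
// identifier be read by someone holding no key?
func LeaksPlaintext(blob []byte, identifier string) bool {
	return bytes.Contains(blob, []byte(identifier))
}

func main() {
	plain, _ := SerializeUnprotected(SampleRecords)
	key, _ := NewKey()
	blob, _ := EncryptAtRest(key, SampleRecords)
	fmt.Println("unprotected file leaks SSN:", LeaksPlaintext(plain, "123-45-6789"))
	fmt.Println("encrypted file leaks SSN:  ", LeaksPlaintext(blob, "123-45-6789"))
}
```

The point of the design is where the key lives: GCM makes the stolen blob unreadable and unmodifiable to anyone without the key, but only if the key was never on the stolen server, which is also the condition HHS guidance attaches to the safe-harbor exception. Whole-disk or database-level encryption products do the same job at a different layer; the key-custody question is identical.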
Medefense offers coverage for HIPAA violations
Offered with every TMLT policy, our Medefense coverage will reimburse or pay directly the legal expenses incurred by a physician in a disciplinary proceeding, including proceedings for alleged violations of HIPAA. Fines and penalties arising out of such disciplinary proceedings are also covered, on a reimbursement basis only.
To take advantage of Medefense coverage, policyholders should notify TMLT as soon as they receive written notice of a disciplinary proceeding. Call the claim department at 800-580-8658. The policy gives a policyholder 60 days in which to report an insured event in order to receive coverage.
Cyber liability coverage
Now offered with every TMLT policy, our cyber liability coverage protects against claims arising from the theft or loss of, or unauthorized access to, both electronic and paper health information. The coverage also includes payment of regulatory fines and penalties and covers the cost of data recovery and patient notification.
1. 45 Code of Federal Regulations, Section 164.514(h).
2. 45 Code of Federal Regulations, Section 164.524.
3. Texas Medical Association. Medical Records Release. November 2009.
4. Texas Medical Liability Trust. Health information release for ambulatory health care facilities. Available at http://www.tmlt.org/publications/riskpubs/Health_Information_Release.pdf. Accessed March 27, 2012.
5. 45 Code of Federal Regulations, Sections 164.502(a), 164.530(c), 164.308, 164.310, and 164.312.
6. American Medical Association. What you need to know about the new HIPAA breach notification rule. September 1, 2009.