Physicians are all too familiar with the compliance requirements of HIPAA (Health Insurance Portability and Accountability Act) and to a lesser extent, HITECH (Health Information Technology for Economic and Clinical Health). What follows are case studies based on actual complaints alleging violations of HIPAA privacy and security rules.
These case studies describe how actions by physicians or their employees led to the allegations, and how risk management techniques may have prevented the violations. The ultimate goal in publishing these studies is to help physicians comply with HIPAA standards.
Current privacy standards under HIPAA require physicians to protect the privacy of patients' protected health information (PHI). Physicians are required to control the ways in which they use and disclose PHI. In addition, patients are granted certain rights with respect to their PHI, such as the right to access and to obtain a copy of this information; the right to request amendments; and the right to request an accounting of disclosures.
Physicians are also required to have certain administrative protections in place to further protect the privacy of patients' information. HITECH expanded HIPAA privacy and security protections and offered financial incentives to promote the adoption and meaningful use of electronic medical records.
The U.S. Department of Health and Human Services, Office of Civil Rights (OCR) is responsible for administering and enforcing these standards. The OCR also conducts complaint investigations and compliance reviews. Failure to comply with HIPAA standards may result in civil monetary penalties, and in certain situations, criminal prosecution. (1)
TABLE 1. HIPAA SECURITY RULE SAFEGUARD EXAMPLES
- perform annual risk analysis
- employee security training; policies, procedures, monitoring
- business associate agreement guidelines
- access control — locked doors, cabinets
- non-public positioning of computer screens
- protection of laptops, USB drives, computers, servers, computer data backups
- unique user ID/passwords (no generic log-in to EHR)
- automatic computer log off
- identity proofing to authenticate patients
- secure online transmission of electronic PHI (encryptions or equivalent protection)
Source: U.S. Department of Health and Human Services. HIPAA Security Series. March 2007. Accessed March 29, 2012.
ALLEGED FAILURE TO VERIFY IDENTITY BEFORE ALLOWING ACCESS TO A PATIENT'S MEDICAL RECORD.
A complaint was filed against a rural family practice clinic alleging that clinic staff failed to verify the identity of a patient's father when he requested access to his minor daughter's medical record.
The physician's office explained that clinic personnel were aware of the identity of the patient's father and of his relationship to the patient. The patient's father was described as disruptive when he came to the office asking for the medical records. (He had not accompanied his daughter to the appointment.) In an effort to minimize his disruptive behavior, he was not asked for his name or photo ID when the records were given.
A complaint was filed, and the OCR alleged that the clinic was not in compliance with federal standards for privacy of PHI. Specifically, before disclosing any PHI, a physician's office must verify the identity of a person requesting the PHI and the authority of any such person to access the PHI if the identity or authority is not known. (2)
RISK MANAGEMENT CONSIDERATIONS
To comply with HIPAA privacy standards, physician practices are required to have policies and procedures in place for safeguarding patients' PHI. Among these should be a policy and procedure for verifying the identities of those requesting access to PHI and their authority to access PHI. Staff should be trained to consistently follow these policies and procedures. For patients/parents/guardians who are previously known and recognized by the physician's office staff, it is not necessary to check a photo ID before turning over copies of records. However, if there is any doubt about the person's identity or authority to obtain records, this information should be confirmed.
For additional information on the release of medical records, please see the article "Setting the record straight: dispelling 15 medical record myths," in the July-August 2008 issue of the Reporter.
PATIENT NOT GIVEN COPIES OF MEDICAL RECORDS
A complaint was filed against a nephrologist alleging that a patient requested copies of her medical records and the patient was told that she should have kept the copies she was given at each appointment.
A complaint was filed and the OCR alleged that the nephrologist's office was not in compliance with federal standards for individuals' access to PHI. (3)
RISK MANAGEMENT CONSIDERATIONS
With few exceptions, patients are granted the right to access and receive copies of their PHI. Patients must complete and sign an authorization for the release of PHI. To be acceptable under HIPAA and compliant with state law, the authorization must:
- be in writing;
- identify who is authorized to make the disclosure;
- identify who may receive the PHI;
- identify who may make the authorization;
- identify the specific information to be disclosed, particularly for sensitive information, such as HIV/AIDS testing and treatment, mental health, and substance abuse treatment;
- describe the purpose of the disclosure;
- note when the authorization expires; and
- contain a signature and date (of the patient or personal representative).
A valid authorization must also have these statements:
- the patient has the right to revoke the authorization, with instructions on how to revoke;
- clarification that under most circumstances medical care may not be conditional on the signing of the authorization; and
- a warning that the PHI may be re-disclosed by the receiving entity.
The patient must receive a copy of the authorization and the provider must also maintain a copy.
Pursuant to HIPAA regulations, if the medical record contains any notes forwarded to the physician by a mental health professional, that information cannot be re-disclosed, even under subpoena. HIPAA defines mental health professionals as psychiatrists, psychologists, and licensed professional counselors. (4) Mental health records cannot be released unless the physician receives a specific HIPAA-compliant authorization. (5)
COMPUTER CONTAINING PHI WAS STOLEN
A group practice in an urban area was burglarized and many of the practice's computers were stolen. Among the items stolen was the server that contained the practice management database. The database contained all patient demographic files, including patient names, home addresses, dates of birth, social security numbers, and diagnoses. Access to the practice management database was protected by password, but this level of security could potentially be circumvented. The practice sent letters to their patients notifying them of the breach. They also notified the OCR of the burglary and breach of PHI.
According to the OCR, the burglary and breach of PHI could be a violation of the privacy rule, specifically impermissible disclosure and safeguarding of PHI and the security rule's safeguards. (6)
RISK MANAGEMENT CONSIDERATIONS
HIPAA and HITECH require physicians to employ a series of administrative, technical, and physical safeguards to ensure the security of PHI.
Additionally, physicians are required to notify patients if there are breaches of security involving unsecured patient information. Notification must occur no more than 60 days after the breach is discovered. Notification must be in writing by mail (or by phone in urgent cases) or electronic means if the patient has consented to electronic notification.
If the breach involves more than 500 patients, the HHS secretary must be notified "immediately," and information about the breach will be posted on the HHS web site. Local media outlets must also be notified of breaches involving more than 500 patients.
One critical exception to the breach notification requirement — if the breach involved PHI that was secured (encrypted), then notification is not required. This rule provides a significant incentive for physicians to encrypt PHI. (7)
For additional information on encrypting PHI, please see the article "There is an 'e' in medicine" in the November-December 2010 issue of the Reporter.
Following the burglary, the practice took steps to provide better security for patient personal information. They no longer maintain personal information on a server located in the office. All personal information is stored on an off-site server, with access only allowed through a secured, encrypted virtual private network. The practice also improved physical security measures in the office.
Since 2009, more than 350 major breaches of PHI have been reported to HHS, involving health information from more than 19 million patients. (8) As the case studies described in this article demonstrate, physicians may be able to avoid such breaches and allegations related to violations of HIPAA and HITECH by:
- ensuring that appropriate administrative, technical, and physical safeguards are in place to protect PHI;
- creating and consistently following policies and procedures related to the release of PHI; and
- training staff to consistently follow practice policies and procedures.
Sidebar: Medefense offers coverage for HIPAA violations
Offered with every TMLT policy, our Medefense coverage will reimburse or pay directly the legal expenses incurred by a physician from a disciplinary proceeding, including violations of HIPAA. Fines and penalties arising out of such disciplinary proceedings are also covered on a reimbursement basis only.
To take advantage of Medefense coverage, policyholders should:
- Notify TMLT as soon as you receive written notice of a disciplinary proceeding. The policy states that a policyholder has 60 days in which to report an insured event in order to receive coverage. Call the claim department at 800-580-8658.
- Consider retaining an attorney. Upon request, TMLT can provide policyholders with a list of attorneys who have experience handling disciplinary proceedings.
Sidebar: cyber liability coverage
Now offered with every TMLT policy, our cyber liability coverage protects against claims arising from the theft, loss, or unauthorized access of both electronic and physical health information. The coverage also includes payment of regulatory fines and penalties and covers the cost of data recovery and patient notification.
Please visit www.tmlt.org to learn more or contact the underwriting department at 800-580-8658.
- Fullbright and Jaworksi. Texas Medical Jurisprudence. The HIPAA Privacy Rule. 17th edition. 2008.
- 45 Code of Federal Regulations, Section 164.514 (h)
- 45 Code of Federal Regulations, Section 164.524. (4)
- Texas Medical Association. Medical Records Release. November 2009.
- Texas Medical Liability Trust. Heath information release for ambulatory health care facilities. Available at http://www.tmlt.org/publications/riskpubs/Health_Information_Release.pdf. Accessed March 27, 2012.
- 45 Code of Federal Regulations Sections 164.502(a), 164.530(c), 164.308, 164.310, and 164.312.
- American Medical Association. What you need to know about the new HIPAA breach notification rule. September 1, 2009.
- McMillan M. IT security in a meaningful use era. November 7, 2011. Available at http://www.healthpoint.dsu.edu/Summit2011/PPTS/07_MichaelMcMillan_SecurityInTheMeaningfulUseEra.ppt . Accessed March 29, 2012.
About the Author
Laura Hale Brockway is Assistant Vice President of Marketing at TMLT and has more than 17 years of experience in communications, 15 of those years with TMLT. Ms. Brockway has also worked for Seton Healthcare Family and the Texas Academy of Family Physicians. An honors graduate of the University of Texas at Austin, Ms. Brockway holds an Editor in Life Science (ELS) certification from the Board of Editors in the Life Sciences. She is also a contributor to Ragan Communication’s PR Daily website and is the author of the blog, impertinentremarks.com. Laura Brockway can be reached at firstname.lastname@example.org.More Content by Laura Hale Brockway