Spring Showers Bring HIPAA Breaches

April 26, 2016 | By Lawrence J. Tabas

OCR has announced several recent settlement agreements to resolve violations of the Health Insurance Portability and Accountability Act (“HIPAA”). These settlement amounts range from $25,000 to $3.9 million and illustrate a range of mistakes that health care providers make with respect to their HIPAA compliance. This post briefly summarizes OCR’s findings with respect to each settlement agreement. Based on OCR’s findings, the Health Law Gurus provide steps that your organization can take to reduce its risk of a HIPAA breach.

Physical Therapy Provider – Impermissible Disclosure of PHI

Complete P.T., Pool & Land Physical Therapy, Inc. (“PT”), a physical therapy practice located in Los Angeles, agreed to pay $25,000 and enter into a corrective action plan as a result of an impermissible disclosure of protected health information (“PHI”). PT posted patient testimonials on its website without obtaining valid authorizations as required by HIPAA. The patient testimonials included full names and full facial images of the patients. OCR discovered through its investigation that PT had not reasonably safeguarded PHI, had disclosed PHI without valid HIPAA authorizations, and had failed to implement policies and procedures for PHI regarding authorization.


Health Care System – No Risk Analysis or Business Associate Agreement

North Memorial Health Care (“North Memorial”), a non-profit health care system in Minnesota, agreed to pay $1,550,000 and enter into a corrective action plan due to the theft of an unencrypted, password-protected laptop from a member of its business associate’s workforce. The laptop contained the electronic protected health information (“ePHI”) of 9,497 individuals. OCR’s investigation of the breach revealed that North Memorial failed to execute a business associate agreement (“BAA”) with its revenue cycle management company before giving the company access to its database, and failed to conduct a risk analysis to address potential risks and vulnerabilities of the ePHI on its IT infrastructure.


Research Institute – Lack of Policies and Procedures

Feinstein Institute for Medical Research (“Feinstein”), a biomedical research institute in New York, agreed to pay a whopping $3.9 million and to enter into a corrective action plan after a laptop computer containing the ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. OCR determined that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks to the security of ePHI. OCR found that Feinstein lacked necessary policies and procedures, including those authorizing access to ePHI by its employees and those governing the receipt and removal of laptops containing ePHI into and out of its facilities. Furthermore, OCR determined that Feinstein failed to implement safeguards to restrict access to unauthorized users. In response to OCR’s investigation of Feinstein, OCR Director Jocelyn Samuels stated, “[r]esearch institutions subject to HIPAA must be held to the same compliance standards as all other HIPAA-covered entities.”


Group Practice – No Business Associate Agreement

Raleigh Orthopaedic Clinic, P.A. of North Carolina (“Raleigh Orthopaedic Clinic”), a provider group practice in North Carolina that operates clinics and an orthopaedic surgery center, agreed to pay $750,000 and enter into a corrective action plan to settle charges that it violated HIPAA by providing x-ray films and other related PHI to a potential business partner without first executing a BAA. OCR Director Jocelyn Samuels explained that BAAs are required whenever PHI is shared because “it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” In addition to the settlement, Raleigh Orthopaedic Clinic is required to revise its policies and procedures to establish a process for assessing whether entities are business associates, to designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate, to create a standard template BAA, to establish a standard process for maintaining documentation of a BAA for at least six years beyond the date of termination of the business associate relationship, and to limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.


Hospital – Lack of Patient Authorization

New York Presbyterian Hospital (“NYP”) agreed to pay $2.2 million and enter into a corrective action plan to settle charges after it allowed film crews from the ABC television show “NY Med” to film two patients without the patients’ authorization. NYP allowed the disclosure of the individuals’ images and other PHI without their consent, in violation of HIPAA. NYP allowed the television crew to film an individual who was dying and another individual who was in significant distress. The OCR investigation found that NYP failed to safeguard PHI by allowing the film crew unfettered access to its facility.


Steps to Take this Spring

What steps should you take this spring to reduce your organization’s risk of a HIPAA breach? We recommend the following – think of it as your HIPAA spring cleaning:

  • Update policies and procedures, including those authorizing access to PHI and those pertaining to equipment containing PHI;
  • Train employees on updated policies and procedures;
  • Ensure your organization has a policy and procedure for obtaining an individual’s written authorization before using or disclosing PHI for marketing or other purposes (consider website and social media uses);
  • Review authorization forms and confirm with legal counsel that they comply with HIPAA requirements as well as state law requirements;
  • Review BAAs. Confirm that there is an updated and executed BAA with each business associate;
  • Ensure your organization has an updated and documented risk analysis; and
  • Ensure that only authorized users have access to PHI.

DISCLAIMER: This post is only intended to provide a brief overview of common mistakes in HIPAA compliance as well as a brief summary of necessary policies and procedures. It does not constitute legal advice. Please consult a health law attorney for advice specific to individual circumstances.

About the Authors

Lawrence J. Tabas

Partner

Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...
