June 21st, 2019
Small Breaches Can Be Subject to Large Penalties
Many of us have heard about the large fines issued by the Office for Civil Rights (OCR) against big organizations like Anthem or the University of Texas MD Anderson Cancer Center. These organizations have been in the news due to privacy breaches that constituted violations of the HIPAA Privacy Rule. However, a recent incident reminds us that even small physician offices are fined by OCR for violations. For small practices, the sums involved in these fines can be considerable.
Allergy Associates of Hartford is a relatively small practice, consisting of three doctors and four offices in Connecticut. This practice recently agreed to a $125,000 settlement with OCR because of a privacy violation. The HHS statement provides an example of what not to do and what the consequences can be. A brief summary of the statement, which is available on the HHS website, follows.
In February 2015, an Allergy Associates patient contacted one of the local television stations to speak about a dispute between that patient and an Allergy Associates doctor. The reporter from the station followed up with the doctor, who proceeded to impermissibly disclose protected health information about the patient.
OCR investigated this situation and found that the doctor's discussion with the reporter demonstrated "a reckless disregard for the patient's privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates' Privacy Officer to either not respond to the media or to respond with no comment." To further complicate the situation, no disciplinary action was taken against the doctor, and no corrective action was taken following the impermissible disclosure.
The fines and publicity around this event are not meant to scare practices. They provide an opportunity for all of us working in practices to learn what not to do, and what to do, in complying with the HIPAA Privacy (and Security) Rules.
What should physician practices do as a result of this incident and the OCR response? First, providers must always be diligent in protecting patient privacy in all communications, at the office or elsewhere. The HIPAA rules about privacy apply to all types of information, whether electronic, written, or spoken. Second, the OCR takes violations of the privacy rules seriously, no matter what the size of the organization. Finally, all organizations must have a disciplinary policy in place for privacy breaches. Employees should be well aware of this policy, and it must be followed when breaches occur.
Practices of any size must follow the requirements of the Privacy Rule. This includes having a designated privacy officer, a written set of privacy policies and procedures, and periodic training sessions for all employees. All of these efforts can be used to reduce, and hopefully eliminate, the possibility of a privacy breach.
Besides having to pay the $125,000, Allergy Associates will have to undertake a corrective action plan that includes two years of OCR monitoring of their HIPAA compliance. This is a further burden on the practice that could have been avoided.
Remember that the OCR does not need to wait for a patient complaint to initiate a HIPAA violation investigation. They can start investigations based on newspaper articles or television segments, Internet articles, Facebook posts, or other types of evidence.