24 Apr Three-Physician Practice Pays $125,000 Due to One HIPAA Violation
Everyone who has contact with the health care system in the United States, whether a provider, a patient, an administrator or a vendor, is aware of the Health Insurance Portability and Accountability Act of 1996, more commonly referred to as HIPAA. There are two primary “rules” under HIPAA: the Privacy Rule and the Security Rule. The Privacy Rule states that “a covered entity may not use or disclose protected health information (PHI) except as permitted or required” by the rule. A “covered entity” under HIPAA is a health care provider that transmits any health information in electronic form in connection with a covered transaction, a health plan (other than a small self-administered group plan with fewer than fifty participants) or a health care clearinghouse. Therefore, almost every participant in the health care system, except patients, is a covered entity for the purposes of HIPAA.
HIPAA generally permits a covered entity to disclose a patient’s PHI without the patient’s written authorization for three purposes: treatment, payment and health care operations. It also allows certain other disclosures, such as to family members involved in the patient’s care, if the covered entity has given the patient an opportunity to object to the disclosure.
The provisions of HIPAA are enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services. OCR vigorously enforces HIPAA through investigations into complaints of HIPAA violations and through follow-up on breaches that covered entities are themselves required to report to OCR. HIPAA violations can be very costly to health care providers, so care must be taken to vigilantly safeguard PHI and to make sure that all staff and providers are properly trained on HIPAA compliance.
In 2018, OCR collected more money in settlements and judgments for HIPAA violations than in any year before: $28.7 million in ten settlements and one judgment. One particularly scary case for small medical practices resulted in a $125,000 payment by a three-physician practice for a single violation of HIPAA. In that case a patient of the practice contacted a news reporter to discuss a dispute that had arisen between the patient and a physician at the practice. In turn, the reporter contacted the physician for comment on the allegations made by the patient. The practice’s privacy officer told the physician to respond to the reporter with “no comment.” Instead of following the privacy officer’s instruction, the physician spoke to the reporter and revealed portions of the patient’s PHI without the patient’s authorization. When the practice became aware of the breach, it took no action to discipline the physician.
There are several things to learn from this hefty settlement against a relatively small practice. First, no practice is too small to end up in the crosshairs of OCR. Second, the failure to discipline the physician who violated HIPAA was, in large part, why the settlement amount was so high: OCR treats a practice’s response to a known violation as part of the violation itself. Third, a patient revealing their own PHI to a third party, such as a reporter, does not act as a waiver of the patient’s rights under HIPAA. Health care providers remain bound to safeguard a patient’s PHI even if the patient has disclosed the same information themselves. Finally, providers and staff of a practice should heed the instructions of their privacy officer when it comes to the release of information regarding patients.
It is of critical importance that every member of a medical practice, whether a provider or a staff member, understand the requirements of HIPAA and abide by them. Training on HIPAA should be provided to every new hire and at least yearly thereafter. If you or your practice needs help with HIPAA training or compliance, please feel free to contact us.