Media Creates Dangerous HIPAA Violations

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.

Death of Celebrities and HIPAA

With the recent deaths of several celebrity musicians, media outlets have an ever-growing source of news and information, some of which is dug up in less than lawful ways. Unfortunately, this media coverage creates HIPAA breaches.

HIPAA Cases In Point

The UCLA Medical Center recently had to pay $865,500 in fines for negligent handling of patient (mostly celebrity) health information. These breaches constitute a serious risk for hospitals and health centers because the information leaks are often easily traceable. The demand for media to obtain this information, even through breaches, is high, considering the public craves information on the lives of their favorite celebrities, but the repercussions can be great.

Employees can be surprisingly negligent with celebrities’ sensitive information, and workers have caused breaches at major hospitals. In 2013, Cedars-Sinai Hospital in Los Angeles fired five employees and a student assistant after tracing a breach of Kim Kardashian’s pregnancy information back to them.

Prince’s Medical Information Leak

This issue becomes relevant today considering the recent passing of Prince in April. His health was relatively fine before, and his death came as a shock and a great mystery to many. TMZ reported Prince’s medical condition before any official public health announcements. Once again, media coverage creates HIPAA breaches.

HIPAA does not apply to TMZ. However, an employee of the hospital leaked the information, so the hospital is responsible for a breach of private information.

Just recently it was released that Prince died of a drug overdose, but sensitive information can easily be leaked and create legal issues for health providers, especially when it makes its rounds in the news.

HIPAA Breaches Result From Media Coverage

While the demand for information and gossip on celebrities is high and can cloud better judgment, celebrities have the same rights as the rest of us under HIPAA. It is important to restrict media access to a hospital or health center and to inform employees of the legal ramifications of a HIPAA breach. Training employees is crucial and HIPAA Associates can make it easier for you through our expertise on HIPAA compliance and training.

Keep your team informed on standards of HIPAA — Contact HIPAA Associates today for your HIPAA training.

New HIPAA Penalties from HHS

Direction from HHS on Penalties

New HIPAA Penalties are now available from the Department of Health and Human Services after it published a notice on April 30th. HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits instead of the maximum of $1.5 million for each level of violation. This is a reduction in the maximum limit, scaling down based on the level of culpability. Consequently, HHS will use the new penalty structure until further notice. It is important to understand the new HIPAA Penalties from HHS.

The Four Categories

Based on four categories of culpability, HHS has provided covered entities and business associates with a whole new structure for penalties. In most cases the amount of the penalty will be significantly less than what we have experienced in the past.

  1. No knowledge: the minimum penalty is now $100, and the annual limit is $25,000, down from $1.5 million.
  2. Reasonable cause: $1,000 is the minimum and $100,000 the annual limit, down from $1.5 million.
  3. Willful neglect with correction: $10,000 is the minimum and $250,000 the annual limit.
  4. Willful neglect with no correction (the highest category): $50,000 is the minimum, with an annual limit of $1,500,000.

This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

To read this important notice on new HIPAA Penalties from HHS, visit the Federal Register using the link below.

Filing a HIPAA Privacy Complaint

Procedures for Making a Complaint

A covered entity must have a procedure for individuals to file a HIPAA privacy complaint regarding its privacy practices or an alleged violation of the Privacy Rule. Most importantly, the Notice of Privacy Practices must contain contact information for the covered entity’s privacy officer and information on how to submit a complaint to the Office for Civil Rights. In addition, a complaint must be filed within 180 days of when the person filing it knew the violation occurred.

Privacy Officer

The privacy officer or designee investigates all complaints involving the privacy of protected health information. The organization should maintain records of the complaints and their resolution. The Privacy Officer will determine whether or not there has been a violation or a breach of unsecured PHI. A filing to the OCR should include information about the complainant, the details of the complaint, and any additional information that might help OCR when reviewing the complaint.

On behalf of the covered entity, the Privacy Officer will respond to inquiries initiated by the Office for Civil Rights as it investigates complaints.

No Retaliation for Filing a Privacy Complaint

Above all, an organization must not retaliate against anyone for filing a HIPAA privacy complaint under the HIPAA rules. Most importantly, an organization must encourage employees to file a complaint if they feel a violation took place. Finally, an organization must resolve complaints and prevent the underlying problems from happening again, which helps protect the organization. On the other hand, an employee may complain directly to the OCR if retaliatory action occurred.

In conclusion, there must be a good process for filing a privacy complaint and there should be no retaliation for doing so.

This is your HIPAA ABCs brought to you by HIPAA Associates.  Contact us for more information on this important topic.

Breaches of Protected Health Information

Breaches Are A Serious Matter

Breaches of Protected Health Information are a serious matter. A breach is an impermissible use or disclosure of protected health information (PHI) that compromises the privacy or security of the PHI. An impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of the following:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Paper Breaches

There are many forms of breaches of Protected Health Information. Some examples of breaches of paper PHI are loss of paper files, unsecure disposal, and paperwork given to the wrong person. As a result, all entities that handle paper PHI must be aware of how important it is to be careful when sharing or disposing of this information. It is not uncommon for patients to receive the discharge summary of other patients, or to see old medical records simply thrown away in the trash.

Electronic Breaches

Examples of electronic PHI breaches include loss of an unencrypted mobile device and sharing PHI on an unsecured document-sharing internet site. Most importantly, all organizations must create a process by which electronic PHI is protected in the cloud.

All of these have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur if PHI is disclosed to the wrong individual or if it is overheard because safeguards were not used.

It is important for all covered entities and business associates to review their policies. As a result, they will be able to better protect PHI whether it is paper, electronic or spoken.

Please contact us for more information about breaches or about HIPAA. Follow us on Facebook or Twitter.

Healthcare Data Breaches Increased

Exposed PHI Remains a Problem

The Office for Civil Rights reports that healthcare data breaches increased continuously over the last few months of this year. For example, there were a total of 41 breaches in April, affecting a greater number of people than in previous months; the breaches affected a total of 894,874 records. Unfortunately, in the years since 2009 the number of breaches of over 500 records has increased from 18 to 365. Meanwhile, 2018 was the worst year in number of breaches but only the fourth in total number of records. Presently, in 2020, many cases are still under investigation.

Unauthorized Access a Cause of Breaches

The healthcare industry continues to be a big target for hackers as healthcare data breaches increase. In 2018, 161% more healthcare records were involved. Unauthorized access/disclosure incidents were one of the biggest causes of breaches, and the mean size of an unauthorized-access breach increased by 115%. Fortunately, loss, theft and improper disposal incidents all appear to have declined. Despite the bad news, it is likely that cybersecurity defenses have been effective in preventing hackers from gaining access to data.

Phishing is a Risk

Most importantly, the data from 2018 highlights the importance of increasing email security in addition to training employees. One main cause of healthcare breaches in the month of April was phishing attacks; for instance, nine breaches resulting from successful phishing attacks were reported in April. Other causes are unauthorized email access and misdirected emails. In conclusion, it will be important to improve technology to prevent the delivery of malicious emails to the inboxes of healthcare workers.

Exposed PHI Remains a Problem

In short, 75% of breaches affected healthcare providers, 14% health plans and 11% business associates of covered entities. Most importantly, the breaches associated with business associates were the most severe and represented 42% of all exposed records.

It is in the best interest of covered entities and business associates to promote safeguards that protect PHI and to train employees on this process.

Failure to Perform a Risk Analysis

Kidney Failure Service Provider Settles for $3.5 Million

Failure to perform a risk analysis led to a finding against Fresenius Medical Care North America (FMCNA), which agreed to pay $3.5 million to the U.S. Department of Health and Human Services Office for Civil Rights to settle potential HIPAA violations. This is a classic example of what can go wrong.

ePHI Breaches

The potential violations stemmed from five ePHI breaches at five separate FMCNA-owned covered entities. The investigation uncovered FMCNA’s failure to perform a risk analysis at each of the five locations: OCR found that the FMCNA covered entities failed to conduct an accurate and thorough risk analysis, and consequently did not address potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of their ePHI.

Settle Potential HIPAA Violations

In addition to the $3.5 million settlement the OCR ordered FMCNA to:

  • complete a risk analysis and risk management plan,
  • revise policies and procedures on device and media controls as well as facility access controls,
  • develop an encryption report, and
  • educate its workforce members on its policies and procedures.

Failure to Perform a Risk Analysis

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” said OCR Director Roger Severino. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Certainly, this is a good example for compliant organizations, as it clearly shows the risk one takes when not following the guidelines set in the HIPAA rule. Most importantly, it is an excellent reminder that failure to perform a risk analysis can incur major penalties. Above all, the risk analysis must be performed, used to address gaps, and updated on a regular basis.

HIPAA Privacy in Emergency Situations

OCR and Emergency Situations

The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on “HIPAA Privacy in Emergency Situations.” The purpose of the bulletin was to ensure that covered entities and their business associates know how protected health information may be shared during an emergency, and that privacy protections continue to apply during emergencies. The OCR issued the bulletin in part due to the recent Ebola outbreak.

The outbreak led many healthcare organizations to voice their concern regarding how best to keep their staff members safe. In addition, there was much discussion about how to remain HIPAA compliant and not inappropriately disclose patients’ protected health information (PHI). Since then, other public catastrophes such as hurricanes and extensive flooding have also created significant concern: organizations want to know how to serve their communities’ healthcare needs while staying in compliance with the HIPAA rule.

Managing HIPAA Privacy in Emergency Situations

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has previously outlined how healthcare organizations can still follow HIPAA. OCR gave guidelines on treating patients in the midst of a public crisis while ensuring that appropriate uses and disclosures of health information are made. This allows them to treat patients, protect the nation’s public health and perform other critical functions.

The OCR stated, “The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission.”

The Privacy Rule allows covered entities to disclose necessary PHI without the individual’s authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

Dealing with Family

Very importantly, covered entities can also disclose information to family, friends and others involved in an individual’s care for notification purposes. One may disclose information to identify, locate and notify family members, guardians or anyone responsible for the care of the patient.

HIPAA and Imminent Danger

OCR allows disclosure of information if there is imminent danger to the patient. In addition, you may share information if doing so will lessen a serious or imminent threat to the health and safety of the patient.

Follow the HIPAA Privacy Rule

In any emergency situation covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. In summary it is important for any covered entity to review and follow HIPAA Privacy in emergency situations.  This will allow them to continue to protect PHI even in a catastrophic situation.

For questions on these topics always feel free to contact us for clarification.

Lack of HIPAA Policies

Settlement for HIPAA Violations

The Office for Civil Rights announced a settlement of potential violations of the HIPAA and Breach Notification Rules on December 27, 2013 with Adult & Pediatric Dermatology, P.C., of Concord, Mass. (AP Derm). Most importantly, this shows how a lack of HIPAA policies is expensive.

As a consequence, AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. In brief, AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.

Lack of Policies

This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition, the covered entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities.

Lack of Risk Analysis

The OCR investigated AP Derm after it received a report that an unencrypted thumb drive containing electronic PHI had been stolen from the vehicle of one of its staff members. Upon investigation, it was determined that the group did not conduct a risk analysis of potential vulnerabilities, did not fully comply with the Breach Notification Rule, and failed to have written policies and procedures and to train its employees.

Penalties for Violations

If you violate HIPAA, the severity of the penalty may vary. The OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, financial penalties may be appropriate.

HIPAA Breach Leads to Lawsuit

The Privacy Rule

The key provisions of the Privacy Rule are to protect any PHI that is held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. This is the responsibility of all institutions that handle PHI. On occasion not everything goes according to plan and a breach does occur; it is important to know what to do at that time. We share with you a situation in which a HIPAA breach leads to a lawsuit.

Breach Notification

The Breach Notification rule requires covered entities to notify affected individuals, HHS and sometimes the media of the breach of unsecured PHI. In addition, notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery. Notification of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. This rule also requires business associates of covered entities to notify the covered entity of the breach. Above all, it is critical that the affected individuals be notified of the nature and extent of the breach. Our experts can provide you with important guidance on Breach Notification.

Hospital Faces Legal Battle

North Shore-Long Island Jewish Health System faced a widening legal battle over allegations that it failed to notify hundreds of patients that an identity-theft ring had stolen their unprotected confidential information. This breach resulted in a lawsuit.

Recently patients brought a lawsuit against New York State’s North Shore-Long Island Jewish Health System for $50 million for allegedly allowing a data breach that violated confidential patient information and failing to report this to the affected patients for almost a year.

Physician Files Lawsuit

One of the people involved in the suit, Peterman, is employed by the health system. She worked for North Shore-LIJ for 17 years and was a patient at a system hospital on Jan. 23, 2012, the lawsuit says.

Soon after, police in Arlington, Va., discovered the face sheet from Peterman’s procedure among a pile of documents confiscated during a routine traffic stop there. Eventually the health system learned of the discovery on Feb. 5, 2012, the lawsuit says, yet North Shore officials waited until March 20 to notify her.

In the meantime, Peterman received a bill from AT&T stating that someone had used her information to open five cell phone accounts and run up $2,292 in charges, damaging her credit rating.

Peterman works as an emergency room physician at the system’s 299-bed Huntington (N.Y.) Hospital, Lynam confirmed.

Summary of the Case

Twelve patients out of a group of 100 affected individuals filed a suit. An individual stole data from North Shore University Hospital in Manhasset. The information consisted of PHI including names, addresses, birthdays, phone numbers and Social Security numbers. Following the breach, the health system sent letters to approximately 200 patients whose identities were compromised and offered them free credit monitoring. Officials discovered and investigated the disclosure, but the covered entity did not perform the breach analysis until one year later. Lawyers for the 12 patients say this was too little and too late to help their clients.

What you must know

The main point a provider must remember is to take breach reporting seriously to stay out of harm’s way. In today’s environment it is not a question of whether but of when a breach will affect an organization. It is important to be prepared.

HIPAA Associates is prepared to assist you with your breach reporting. We can make your job much easier.