Is this a HIPAA Violation?

April 1, 2018

Two years ago, Dr. Beauty hired several independent contractors on an hourly basis to improve the marketing of his practice. To give them easy access to patient demographic data, he gave them full access to his patients' electronic medical records. One patient became aware of this and filed a HIPAA complaint. Dr. Beauty believes that, although the activity may represent HIPAA violations, no penalties have ever been assessed against small practices such as his. Is this true?

A decade ago, two Arizona-based cardiac surgeons (the Covered Entity) were fined by the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR), for HIPAA violations. OCR's mandate is to enforce the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164), the "Privacy Rule," and the Standards for the Protection of Electronic Protected Health Information, the "Security Rule." OCR has the authority to investigate complaints alleging violations of the Privacy and Security Rules by covered entities, and a covered entity must cooperate with OCR's investigation. Physicians in private practice fall under OCR's jurisdiction.

On Feb. 19, 2009, OCR notified the surgeons an investigation was initiated on a complaint alleging that the surgeons had impermissibly disclosed electronic protected health information (ePHI) by making it publicly available on the Internet.

The complaint alleged:

#1 from April 14, 2003 to Oct. 21, 2009, the surgeons did not provide and document training for each workforce member on the required policies and procedures with respect to PHI, as necessary and appropriate for each employee's role;

#2 from Sept. 1, 2005 until Nov. 1, 2009, the Covered Entity failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI.

This violation was evidenced by:

· from July 3, 2007 until Feb. 6, 2009, the physicians posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar; and

· from Sept. 1, 2005 until Nov. 1, 2009, they transmitted ePHI daily from an office-based email account to employees' personal Internet-based email accounts.

#3 from Sept. 1, 2005 until Nov. 30, 2009, the physicians did not implement the administrative and technical security safeguards required for the protection of ePHI;

#4 from Sept. 1, 2005 until Dec. 3, 2009, the physicians failed to obtain satisfactory assurances, in business associate agreements, that those entities would appropriately safeguard the ePHI received from the Covered Entity.

Corrective Action

Because of these violations, the physicians were required to pay OCR $100,000 and to institute a Corrective Action Plan (CAP). The CAP required the physicians to adopt Policies and Procedures that, at a minimum, would include:

#1 an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI when it is created, received, maintained, used or transmitted by the physicians;

#2 a risk management plan that implements security measures sufficient to reduce the risks and vulnerabilities to ePHI identified by the risk assessment to a reasonable and appropriate level;

#3 designation of a security official responsible for the development and implementation of the Policies and Procedures;

#4 satisfactory assurances that each business associate that receives, maintains, stores or transmits ePHI on behalf of the Covered Entity, or otherwise has access to its ePHI, will appropriately safeguard that PHI;

#5 technical safeguards for electronic information systems that maintain ePHI, so that access is allowed only to those persons or software programs that have been granted access, including, but not limited to, remote access to those systems;

#6 technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI transmitted to or from, or stored on, a portable device, regardless of whether the device is owned by the Covered Entity or by a workforce member; and

#7 training for all workforce members, including management, who use or disclose PHI, on the Covered Entity's Privacy and Security Rule policies and procedures, as necessary and appropriate to carry out their functions within the Covered Entity.

There are now an increasing number of lawsuits over HIPAA-related issues, and, as the case above shows, OCR does take enforcement action against small private practices. Dr. Beauty's situation maps directly onto the findings above: marketing contractors were given full access to the medical record rather than only the demographic data their work required, and there is no indication that business associate agreements or access controls were in place. Dr. Beauty may well face liability. He and all dermatologists need to be certain their offices are fully HIPAA compliant.