The Health Insurance Portability and Accountability Act (HIPAA) is a subject you’ve likely encountered often. As a chiropractic practice, you know it’s important to follow HIPAA, but just how important is it? Well, the obvious answer is that it’s the law. But HIPAA-compliant practices are also less likely to be breached and fined.
Looking at what caused past breaches and why healthcare organizations were fined is a good way to learn from their mistakes.
The three main lessons learned from 2022 fines include:
- The HIPAA right of access continues to be top of mind for the HHS.
- Knowing how to properly use and disclose protected health information (PHI) can save you from an insider breach.
- Completely ignoring HIPAA requirements will get you into hot water and cost you a ton of money.
HIPAA Right of Access
In 2019, the Department of Health and Human Services (HHS) announced that it would prioritize HIPAA right of access enforcement. Since then, 43 cases have been resolved under the initiative.
The HIPAA right of access standard requires healthcare practices to meet patients’ requests for a copy of their medical records. These records must be provided to the patient, or their personal representative, within 30 days of the request (or within 60 days if an extension is applicable).
Records must be provided in the format the patient requests them in when it is reasonably appropriate. The standard also limits the cost that can be charged for providing the records.
In 2022, there were 17 healthcare organizations fined under the right of access initiative:
- Memorial Hermann Health System – $240,000
- ACPM Podiatry – $100,000
- Great Expressions Dental Center of Georgia – $80,000
- Southwest Surgical Assoc. – $65,000
- Hillcrest Commons Nursing and Rehabilitation – $55,000
- MelroseWakefield Healthcare – $55,000
- Erie County Medical Center Corporation – $50,000
- Fallbrook Family Health Center – $30,000
- Family Dental Care – $30,000
- Dr. Donald Brockley, D.D.M – $30,000
- Jacob & Associates – $28,000
- B. Steven L. Hardy, D.D.S. – $25,000
- Associated Retina Specialists – $22,500
- Health Specialists of Central Florida Inc – $20,000
- Coastal Ear, Nose, and Throat – $20,000
- Dr. Lawrence Bell, D.D.S. – $5,000
- Danbury Psychiatric Consultants, LLC – $3,500
“It should not take a federal investigation before a HIPAA-covered entity provides patients, or their personal representatives, with access to their medical records,” said Lisa J. Pino, former director of the HHS Office for Civil Rights (OCR).
Use and Disclosure of PHI
The HIPAA Privacy Rule outlines the proper use and disclosure of protected health information (PHI). In summary, PHI should only be shared with authorized individuals for treatment, payment, or healthcare operations. Access to PHI should be limited to those employees who need it, and to the minimum necessary for their specific job functions. Audit logs must be kept to track who accessed PHI, so that compliance can be demonstrated and misuse detected.
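The minimum-necessary and audit-log requirements described above, shown as an added Python illustration (not code from the article or from Compliancy Group). The roles, the field lists for each role and the patient record are constructed sample data, and the purpose check is a simplified stand-in for whatever a practice's records system actually enforces; every access attempt, including refused ones, is written to the audit log so that unusual requests are visible.

```python
"""Minimum-necessary PHI access with an audit trail (added illustration).

The role-to-field policy and the patient record are constructed sample
data, not any real practice's configuration or patient information.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Purposes that do not need a separate patient authorization: treatment,
# payment and health care operations. Anything else is refused here.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Hypothetical policy: each role sees only the fields its job needs.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "chiropractor": {"name", "dob", "diagnosis", "treatment_notes"},
    "billing": {"name", "dob", "insurance_id", "diagnosis"},
    "front_desk": {"name", "phone", "next_appointment"},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    requested: List[str]
    released: List[str]
    outcome: str  # "granted", "partial" or "denied"


@dataclass
class PhiStore:
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def _log(self, user, role, patient_id, purpose, requested, released, outcome):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, patient_id,
            purpose, list(requested), list(released), outcome))

    def access(self, user: str, role: str, patient_id: str,
               requested: List[str], purpose: str) -> Dict[str, str]:
        """Return only the requested fields this role may see, and log it."""
        if patient_id not in self.records:
            raise KeyError(f"no record for {patient_id}")
        # Purpose check: a refusal is still recorded, never silently dropped.
        if purpose not in PERMITTED_PURPOSES:
            self._log(user, role, patient_id, purpose, requested, [], "denied")
            raise PermissionError(f"purpose {purpose!r} needs patient authorization")
        # Minimum necessary: intersect the request with the role's field set.
        allowed = ROLE_FIELDS.get(role, set())
        released = [f for f in requested if f in allowed]
        if not released:
            outcome = "denied"
        elif len(released) < len(requested):
            outcome = "partial"
        else:
            outcome = "granted"
        self._log(user, role, patient_id, purpose, requested, released, outcome)
        if outcome == "denied":
            raise PermissionError(f"role {role!r} may not view {requested}")
        record = self.records[patient_id]
        return {f: record[f] for f in released if f in record}

    def denied_attempts(self) -> List[AuditEntry]:
        """Refused requests: the entries a compliance officer reviews first."""
        return [e for e in self.audit_log if e.outcome == "denied"]

    def accesses_to(self, patient_id: str) -> List[AuditEntry]:
        """Accounting of disclosures: every entry that released data on one patient."""
        return [e for e in self.audit_log
                if e.patient_id == patient_id and e.released]


def build_sample_store() -> PhiStore:
    # Constructed sample record; not real patient data.
    return PhiStore(records={"P001": {
        "name": "Ada Example", "dob": "1980-01-01", "phone": "555-0100",
        "diagnosis": "Lumbar strain", "treatment_notes": "Adjustment, week 2",
        "insurance_id": "INS-000", "next_appointment": "2023-06-01"}})


if __name__ == "__main__":
    store = build_sample_store()
    print(store.access("dr_lee", "chiropractor", "P001", ["name", "diagnosis"], "treatment"))
    print(store.access("desk_1", "front_desk", "P001", ["name", "diagnosis"], "operations"))
    try:
        store.access("bill_1", "billing", "P001", ["name"], "marketing")
    except PermissionError as exc:
        print("refused:", exc)
    for entry in store.audit_log:
        print(entry.outcome, entry.user, entry.released)
```

The point of logging the refused requests is the one the OSU-CHS case below makes in reverse: without audit controls, a practice cannot tell who looked at what, or notice someone asking for fields their job does not require.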
In 2022, four healthcare organizations were fined for the improper use or disclosure of PHI. One organization shared PHI with a campaign manager, two improperly responded to patient reviews, and the last improperly disposed of specimen vials.
- New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) – $300,640
- Northcutt Dental-Fairhope – $62,500
- Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. – $50,000
- New Vision Dental – $23,000
“Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO,” said current OCR Director Melanie Fontes Rainer. “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”
Overall Lack of Compliance
On Jan. 5, 2018, OCR received a breach notification report from Oklahoma State University Center for Health Sciences (OSU-CHS), reporting a breach of PHI affecting 279,865 individuals.
On Nov. 7, 2017, an unauthorized third party accessed an OSU-CHS web server by uploading malware. OSU-CHS discovered that some of its workforce members stored folders on the web server that contained ePHI.
OSU-CHS later reported that, on Sept. 25, 2016, it discovered that an unauthorized user had previously accessed the same server, with the first date of access occurring on March 9, 2016. At the time of the 2016 incident, OSU-CHS reported that it was unaware that electronic PHI was stored on that server.
Evidence gathered by OCR indicated OSU-CHS’s noncompliance with the following provisions of the Privacy, Security, and Breach Notification Rules:
- Uses and Disclosures of PHI (45 C.F.R. § 164.502(a))
- Security Incident Response and Reporting (45 C.F.R. § 164.308(a)(6)(ii))
- Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A))
- Evaluation (45 C.F.R. § 164.308(a)(8))
- Audit Controls (45 C.F.R. § 164.312(b))
- Breach Notification to Individuals (45 C.F.R. § 164.404)
- Breach Notification to the Secretary (45 C.F.R. § 164.408)
As a result of the investigation’s findings, OSU-CHS was fined $875,000. While OSU-CHS was investigated as the result of a breach, the breach itself was not ultimately why a HIPAA fine was issued. HHS fined OSU-CHS for failing to implement an effective HIPAA compliance program as the law requires.
“HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems,” said Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”
Want to learn more?
The Compliancy Group, ACA’s preferred HIPAA provider, will host a webinar on May 16 at 1 p.m. ET to provide chiropractors with additional information on protecting their practices. Register today for “Simple Steps to Avoid Breaches and Fines.”
Compliancy Group gives chiropractors confidence in their compliance plan, increasing patient loyalty and the profitability of their business, while reducing risk. Their simplified software solution, and Compliance Coach® guidance, help practices achieve HIPAA compliance with ease. Get compliant today!
Image credit: Fernando Arcos