January 13, 2020
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") are two of the pillars that form the foundation of a patient's privacy rights in relation to his/her protected health information ("PHI"), as well as the obligations of covered entities, business associates, and subcontractors to ensure the confidentiality, integrity, and availability of the data.
This is also a good time to remind providers that a deceased individual's PHI remains subject to HIPAA for 50 years after death. With the exception of reporting requirements under law or a coroner's report, a surviving family member or legally authorized executor may obtain copies of the decedent's PHI under these two conditions: (1) for the treatment of another individual, where one provider is requesting it from another provider; and (2) "treating a deceased individual's legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation." Hence, whether a person has been deceased for less than 50 years or is living, there is still a requirement to disclose PHI to an appropriate and authorized person.
The purpose of this article is to highlight the variety of settlements that occurred between the U.S. Department of Health and Human Services ("HHS") and persons that violated the Privacy Rule, the Security Rule, or both.
There are three settlements of particular importance, of which covered entities and business associates alike should take notice.
Bayfront Hospital (September 2019)
In the first settlement of its kind, the HHS Office for Civil Rights ("OCR") announced a settlement with Bayfront Health (St. Petersburg, Florida) for $85,000 for denying a patient's access to her medical records.
OCR initiated its investigation based on a complaint filed by the mother. As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request, and providers may charge only a reasonable, cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.
This serves as a wake-up call for providers. Patients have a right to their medical records, and there are ramifications for not providing them.
The University of Rochester Medical Center (URMC) (November 2019)
As one of the largest providers in New York, the University of Rochester Medical Center ("URMC") should have implemented the requisite technical, administrative, and physical safeguards.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
As a result of its non-compliance, URMC settled for $3 million, primarily for failing to encrypt mobile devices or to conduct an annual risk analysis.
The privacy and security obligations under HIPAA and the HITECH Act are not going away. And, as states add new laws regarding privacy and the risk assessments that go along with them, the spotlight is only going to intensify. The easiest place to start to mitigate the risk of a reportable breach and a potential monetary payment to OCR is to make sure that your organization and your business associates have the following five items in place annually: (1) a risk analysis; (2) training; (3) adequate policies and procedures; (4) encryption at rest and in transit; and (5) a current Business Associate Agreement. Doing so can save time, resources, and reputational costs.
Rachel V. Rose, JD, MBA, is a Houston-based attorney advising on federal and state compliance and areas of liability associated with a variety of healthcare, legal and regulatory issues.