A recent Office for Civil Rights settlement underscores the importance of HIPAA compliance and cooperation with government investigations.
In October 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that Elite Dental Associates, a dental practice located in Dallas, Texas (Elite), agreed to settle potential HIPAA violations. After OCR received the complaint in June 2016, the investigation lasted over two years.
The complaint was initiated by a patient who alleged that Elite responded to a social media review by “disclosing the patient’s last name and details of the patient’s health condition.”
OCR’s investigation “found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page. Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.”
Although it is not surprising that Elite lacked an adequate policy and procedure or Notice of Privacy Practices, the settlement underscores an important item: compliance. HIPAA, which has been around since 1996, and the subsequent Privacy Rule and Security Rule, mandate that technical, administrative and physical safeguards be assessed annually.
Had Elite been compliant, this disaster could have been avoided. And while Elite is a dental practice, all these same regulations apply to physician practices as well.
Some readers may wonder why Elite was assessed a meager $10,000. OCR indicated that it accepted a “substantially reduced settlement” for several reasons. The three main reasons were: cooperation with OCR’s investigation; financial circumstances; and Elite’s business size. These considerations are similar to those the U.S. Department of Justice weighs in its assessment of fines.
What can be done in order to learn from Elite’s experience?
First, as OCR Director Roger Severino noted, “[S]ocial media is not the place for providers to discuss a patient’s care.” Common sense should tell any covered entity or business associate not to post any PHI on social media.
Second, as my colleagues and I discuss regularly, conduct an annual risk analysis to assess the Security Rule’s technical, administrative and physical safeguards, which include both privacy and security components. Yes, there are many safeguards to assess, but failing to conduct a risk analysis can have consequences beyond an OCR investigation. For example, failing to disclose the lack of an adequate risk analysis and related items (an omission) can expose a company to potential fraudulent misrepresentation or securities lawsuits if it is being pitched to potential investors or is already listed on one of the Wall Street exchanges (e.g., NASDAQ).
Lastly, in the event of a government investigation, cooperation is key. These considerations can mitigate risk and help to cultivate a culture of trust between providers and patients.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.