Five Common HIPAA Compliance Issues to Avoid

January 7, 2015

As we head into 2015, among the many items to consider is whether your medical practice’s operations are compliant with HIPAA.

In the news recently was a story about surgeons in China who were punished after taking group photos next to apparently unconscious patients.  In the photo, doctors and nurses in scrubs pose with a supposedly unconscious patient on the operating table in the operating room.  Of course, you cannot see the patient and, but for the headline, you could not tell from the photo whether it was even real or staged.  The public apparently found the #surgeryselfie unacceptable and the surgeons and nurses are now facing unknown consequences.

Violation of patient privacy rights is nothing new in the U.S. If you look at some of the true stories listed on www.patientprivacyrights.org, you will be shocked at the HIPAA violations that occur:

• In Florida, Walgreens Co. mailed free samples of Prozac Weekly to patients who were taking Prozac Daily.
• A Fort Lauderdale physician gave his fishing buddy, a drug company representative, a list of patients suffering from depression and the salesman arranged to send trial packages of Prozac Weekly to their homes without the patients’ knowledge or permission.
• A Pakistani woman threatened to post the entire medical files of over 300,000 patients of UC Medical Center (San Francisco) if she wasn’t paid for her medical transcribing services. The hospital was surprised to learn that the company awarded the job of transcribing the medical records had sub-contracted all those records to a company outside of the United States.
• A hospital employee easily viewed and stole Tammy Wynette’s medical records from the hospital’s databases and sold the information to the National Enquirer and Star.
• A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He then called due the mortgages of anyone suffering from cancer.

Although these examples may be shocking, they are but a few of the routine HIPAA violations that occur daily across the country.   According to the Office for Civil Rights (OCR), since the compliance date of the Privacy Rule in April 2003, OCR has received over 105,960 HIPAA complaints and has initiated over 1,157 compliance reviews. 

Most HIPAA cases (23,181) have been resolved by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. 

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

Based on OCR’s report, the compliance issues investigated most (in order of frequency) were:
1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

Although most HIPAA cases appear to be resolved by the OCR, 540 referrals were made by the OCR to the Department of Justice for criminal investigation.  This would be for cases that involved the knowing disclosure or obtaining of protected health information in violation of the rules.

Finally, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:
1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Pharmacies; and
5. Health plans (group health plans and health insurance issuers).

As you will note, private practices are at the top of that list!

As we head into 2015, among the many items to consider is whether your practice’s operations are compliant with HIPAA. Although many groups complete the required training, too many have lost interest in HIPAA over time. It’s a good idea to remind your staff of the consequences of violating HIPAA and to emphasize that comments on Twitter about patients, posting #surgeryselfies, or otherwise allowing curiosity to lead to inappropriate records review, will not be tolerated.

In smaller physician offices, staff can become quite lax about password access and too casual about the use of e-mail, messaging and other types of patient interactions that are not HIPAA compliant. 

All of these areas are ones that should be revisited in the New Year. Make a resolution to revisit your practice’s commitment to HIPAA in 2015!