Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Two recent HIPAA violations, and a looming compliance date, mean now is the time to ensure privacy and security policies are in place at your medical practice.
With the September 23, 2013, HIPAA compliance date set by the January 2013 Omnibus Rule looming, now is a good time to get things in order. As a refresher, the rule, among other things, requires covered entities and business associates to update their policies and procedures and their notices of privacy practices.
This month, officials at Stanford University’s Lucile Packard Children’s Hospital reported their fifth HIPAA breach. The breach, involving the theft of an unencrypted laptop containing medical information from an access-controlled area, triggered the requirement that 13,000 patients be notified. The protected health information (PHI) identifiers involved included patient and physician names, ages, medical record numbers, and procedures. The hospital’s fourth HIPAA breach occurred in January 2013, when 57,000 patients were notified. To prevent future events, the hospital has implemented increased training and additional security measures. The security lesson is a familiar one: physical access controls did not prevent the loss, but encryption would have. Had the laptop been encrypted consistent with HHS guidance, the PHI would not have been "unsecured," and the theft would not have been a reportable breach. The HITECH Act’s breach notification protocol scales with the size of the breach: a breach affecting 500 or more individuals must be reported to HHS and to prominent media outlets without unreasonable delay and no later than 60 days after discovery, while smaller breaches are logged and reported to HHS annually.
Approximately one week later, HHS’ Office for Civil Rights (OCR) "reached a settlement with a California medical center, [Shasta Regional Medical Center] … stemming from alleged violations under the HIPAA Privacy Rule." OCR investigated after the Los Angeles Times ran an article about two senior leaders disclosing a patient’s PHI without first obtaining the requisite written authorization. OCR found that the medical center had failed to adequately safeguard the patient’s PHI and that the impermissible disclosures, which occurred on three separate occasions, violated several provisions of the Privacy Rule.
Specifically, the medical center "impermissibly used the patient’s diagnosis, treatment, and medical condition by including it in an e-mail to its entire workforce of more than 700 people." In its press release, HHS identified the key obligations of the Resolution Agreement that accompany the $275,000 settlement payment. Key takeaways include: designating compliance representatives, developing and implementing policies and procedures, establishing safeguards to protect PHI from impermissible disclosure, and submitting periodic compliance reports to HHS under the corrective action plan.
In sum, now is a good time to make sure privacy and security policies and procedures comply with the requisite standards. Also review business associate agreements, notices of privacy practices, and HIPAA authorization forms. Assessing the situation now can prevent adverse enforcement actions in the future.