Recent HIPAA Infractions

Recent fines and record retention regulations prompt a closer reading of HIPAA requirements by physicians.

In February, Health & Human Services (HHS) announced that Fresenius Medical Care North America, a company that produces medical supplies, (FMCNA) settled potential HIPAA violations of both the privacy rule and the security rule.

"FMCNA is a provider of products and services for people with chronic kidney failure with over 60,000 employees that serves over 170,000 patients. FMCNA's network is comprised of dialysis facilities, outpatient cardiac and vascular labs, and urgent care centers, as well as hospitalist and post-acute providers." In January 2013, FMCNA filed five separate breach reports for a variety of breach incidents.

Specifically, OCR's investigation revealed FMCNA failed to do the following: (1) conduct a thorough risk assessment; (2) inadequate policies and procedure; (3) have adequate authorizations for the disclosure of ePHI; and (4) inadequate removal and sanitization protocols. These infractions cost FMCNA $3.5 million.

For physicians, this underscores three important items: (1) HHS is continuing to focus on ensuring the confidentiality, integrity and availability of the data; (2) an enterprise-wide risk assessment is both essential and compulsory; and (3) the cost of non-compliance may be significant.

Another recent HIPAA issue relates to the retention of medical records. Sometimes, it is necessary to read more than one law and make sure that the more stringent law is being complied with. First, covered entities and business associates should consider whether or not they are holding minors' records. This is important because a lawsuit may be filed for a certain period of time once someone reaches the age of majority.

Here, the Medicare Manual, 42 CFR 482.24(b)(1) requires that "[m]edical records must be retained in their original or legally reproduced form for a period of at least five years." The key phrase is at least five years and it applies to hospitals. By way of contrast, the HIPAA regulations state:

Section 164.316(b)(1) HIPAA requires that organizations:

"(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."
Section 164.316(b)(2)(i) also says:

"Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later."

The takeaways for physicians are to check the state laws and see what the requirements are for maintaining medical records. At a minimum, per HIPAA, it is six years; however, legal holds, the age of minority and litigation may play a role in changing the requirements.