You have heard the statements. HIPAA violations happen all the time. No one ever gets caught. No one will ever discover the breach. Don’t be so sure. Privacy and Security have become huge social concerns. It is big news. HIPAA privacy and security breaches are discovered.
People are caught, fined, sued and pay a lots of money for HIPAA violations. You would be surprised by the varied ways that HIPAA violations can come to light: national news casts, police investigations, patient complaints, law suits, and public outcry. Here are a couple of true stories.
1. Drivers Notice Debris Strewn Upon the Roadway.
One driver of at the intersection of 63rd and Prospect stopped to pick up the debris he discovered in the roadway and noticed the documents contained protected health information originating from a public dumpster beyond Midwest Women’s Healthcare Specialists at Research Medical Center.
The public is always watching. Privacy and security have become a huge hot button issue. The local news broadcasts and investigative reporters are waiting to capture the story. Numerous breaches have been discovered and uncovered in headline news. Everyone likes a local small town story. A class action lawsuit has been filed against Midwest Women’s Health Specialists Jackson County Court.
2. Watchdog Group Accuses Pharmacy of Major HIPAA Violations.
The watchdog group, Change to Win, has filed a complaint with a number of states’ health departments and with the Federal Department of Health and Human Services claiming that Walgreen’s new pharmacy model violates patients’ HIPAA privacy rights. The Department of Health and Human Services is now investigating.
With the ever increasing frequency of privacy breaches being reported in the news, public sentiment is shifting; individuals are now taking the position that privacy is an entitlement and a basic right. The law is on individuals’ side. While HIPAA was enacted more than a decade ago, amendments to HIPAA and ever increasing state law enactments have made privacy and security a highly regulated area and enforcement efforts are on the rise. Advocacy groups are cropping up and demanding attention to privacy and security in very vociferous public ways.
3. Deceased’s Medical Information Shows Up on Internet Search.
Per an investigation by the New York Presbyterian Hospital, it was discovered that an inadvertent deactivation of the Hospital computer’s firewall resulted in patient information being linked to the public internet. In a settlement with HHS, New York Presbyterian Hospital agreed to pay a $4.8 million fine.
The internet is referred to as the superhighway. Information is at your fingertips. The world is quickly embracing cloud storage, internet access, file sharing. All great tools for efficiency and communication, but one wrong step and things can go very wrong. Numerous cases where private protected health information becomes displayed publically have cropped up. New York Presbyterian Hospital is just one example. Deactivation of the firewalls, information uploading errors, and unsecured networks are just some ways that information can become public.
4. Patient’s Lab Results are Posted on Team No Hoes FaceBook Page.
Patient Sues UC Medical Center. In a complaint filed with the in Hamilton County Clerk of Courts, Plaintiff alleges UC Medical Center staff improperly gave her ex-boyfriend a copy her lab results.
Medical care is local. Each patient may be someone’s daughter, mother, boyfriend, neighbor, or coworker. Patients have the expectation of privacy. They expect that information in their medical file will not be shared or looked at by others. And, if there is a privacy beach, patients are mad and indignant. If they feel they have been wronged, patients will complain to health care providers, government authorities, state licensing boards, and to lawyers and attorneys.
5. FTC charges LabMD after patient information is found in the hands of Identity Thieves.
Pursuant to a police investigation of an identity theft ring it is learned that patient information was being freely downloaded for LabMD’s open peer to peer (P2P) network. LabMD has announced it is closing its operations due to the exuberant cost of defending agents’ FTC claims. Identity thieves and hackers are criminals. They are bad people. They are ones that police and feds should be investigating.
However, not only will the police and federal agents investigate the thieves and hackers, they will investigate the providers who hold the information. They want to know how the criminals got a hold of the information in the first place. Was there anything that could or should have been done to prevent the thieves and hackers from stealing information? Providers that lack of security standards and specifications will become the subject of investigation and legal action. That is the message from the FTC and OCR.
6. Medical Records Left Abandoned near the Roadside at Physician’s Home.
An $800,000 settlement was announced by HHS after an investigation reported from a retiring physician that 71 boxes of medical records were left in her driveway, 20 feet from the road. The records were put in the physician’s driveway by Parkway Health Systems, Inc. after failed acquisition talks between the Parkway and the physician failed.
Who is most likely to file a HIPAA compliant? Somewhere at the top on the list should be unhappy or former staff members. Office staff members have a frontline view of the office. They know what is going on. They see things. They hear things. They report things. In the 2014 Ponemon Breach Survey, it was found that 46% of health care breaches were first detected and reported by staff members and employees. You would hope that if a staff member notices something, they would say something internally at the office. But, what if they are unhappy or think that they are not heard?
7. CBS News Buys Photocopier Containing Health Information.
After getting a tip that Affinity Health Insurance returned a photocopier to a leasing company without erasing the copier memory, CBS news buys the photocopier to investigate for itself. Affinity agreed to pay $1,215,780 as part of settlement with HHS.
Not only is local news reporting on the issue. The big national networks like to get in the story, too. Even in the national news, small town news becomes big time news. And, national news likes to be the one responsible for bringing the wrong doer down.
Health Providers are not required to prevent HIPAA privacy and security breaches. Health Providers are required to follow HIPAA Standards and Specifications to safeguard against privacy and security threats. There is an important distinction. There are things Health Providers should do and must do to reduce of privacy and security threats.
In the event of a privacy and security breach, a Health Providers’ best defense is compliance with HIPAA Standards and Specifications. Standards and Specifications including staff training, password protection, user-access controls, and on-going monitoring and tracking. Adherence to HIPAA Standards and Specifications is the best defense against government fines, lawsuits, and sanctions.
Guest post by: Mary Beth Gettins
Before attending law school, Mary Beth Gettins worked in the health care industry for almost a decade providing direct care services to patients. Today, as managing attorney of Gettins’ Law, she combines her more than 20 years of health care and legal experience, to provide health care privacy and security solutions for medical providers, health plans, and business associates. Gettins’ Law has developed HIPAA policies and procedures and conducted workforce trainings for small dental offices, home health agencies, direct care providers, national franchise systems, and 60+ work force member health plans. She speaks and writes widely on the topic of HIPAA privacy and security including being a featured guest columnist for the New Dentist, Physician Practice, and Blue MauMau. She maintains her own HIPAA Blog and monthly newsletter at http://gettinslaw.com/hipaa/.