Concerned about Patient Privacy? 7 Disastrous HIPAA Violations that you should avoid

You have heard the statements. HIPAA violations happen all the time.  No one ever gets caught.  No one will ever discover the breach.  Don’t be so sure.  Privacy and Security have become huge social concerns.  It is big news.  HIPAA privacy and security breaches are discovered.

People are caught, fined, sued and pay a lot of money for HIPAA violations.  You would be surprised by the varied ways that HIPAA violations can come to light: national newscasts, police investigations, patient complaints, lawsuits, and public outcry.  Here are a few true stories.


1.  Drivers Notice Debris Strewn Upon the Roadway.

One driver at the intersection of 63rd and Prospect stopped to pick up the debris he discovered in the roadway and noticed the documents contained protected health information originating from a public dumpster behind Midwest Women’s Healthcare Specialists at Research Medical Center.

The public is always watching.  Privacy and security have become a huge hot-button issue.  The local news broadcasts and investigative reporters are waiting to capture the story.  Numerous breaches have been discovered and uncovered in headline news.  Everyone likes a local small-town story.  A class action lawsuit has been filed against Midwest Women’s Health Specialists in Jackson County Court.

2.  Watchdog Group Accuses Pharmacy of Major HIPAA Violations.

The watchdog group, Change to Win, has filed a complaint with a number of states’ health departments and with the Federal Department of Health and Human Services claiming that Walgreen’s new pharmacy model violates patients’ HIPAA privacy rights. The Department of Health and Human Services is now investigating.

With the ever-increasing frequency of privacy breaches being reported in the news, public sentiment is shifting; individuals now take the position that privacy is an entitlement and a basic right.  The law is on individuals’ side.  While HIPAA was enacted more than a decade ago, amendments to HIPAA and ever-increasing state law enactments have made privacy and security a highly regulated area, and enforcement efforts are on the rise.  Advocacy groups are cropping up and demanding attention to privacy and security in very vociferous public ways.

3.  Deceased’s Medical Information Shows Up on Internet Search.

Per an investigation by New York Presbyterian Hospital, it was discovered that an inadvertent deactivation of the Hospital computer’s firewall resulted in patient information being exposed to the public internet.  In a settlement with HHS, New York Presbyterian Hospital agreed to pay a $4.8 million fine.


The internet is referred to as the superhighway.  Information is at your fingertips.  The world is quickly embracing cloud storage, internet access, and file sharing.  All are great tools for efficiency and communication, but one wrong step and things can go very wrong.  Numerous cases where protected health information became publicly visible have cropped up.  New York Presbyterian Hospital is just one example.  Deactivation of firewalls, information uploading errors, and unsecured networks are just some of the ways that information can become public.

4.  Patient’s Lab Results are Posted on Team No Hoes FaceBook Page.

Patient Sues UC Medical Center.  In a complaint filed with the Hamilton County Clerk of Courts, the Plaintiff alleges UC Medical Center staff improperly gave her ex-boyfriend a copy of her lab results.

Medical care is local.  Each patient may be someone’s daughter, mother, boyfriend, neighbor, or coworker.  Patients have the expectation of privacy.  They expect that information in their medical file will not be shared or looked at by others.  And, if there is a privacy breach, patients are mad and indignant.  If they feel they have been wronged, patients will complain to health care providers, government authorities, state licensing boards, and to lawyers.

5.  FTC Charges LabMD after Patient Information Is Found in the Hands of Identity Thieves.

In the course of a police investigation of an identity theft ring, it was learned that patient information was being freely downloaded from LabMD’s open peer-to-peer (P2P) network.  LabMD has announced it is closing its operations due to the exorbitant cost of defending against the FTC’s claims.  Identity thieves and hackers are criminals.  They are bad people.  They are the ones that police and federal agents should be investigating.

However, not only will the police and federal agents investigate the thieves and hackers, they will investigate the providers who hold the information.  They want to know how the criminals got hold of the information in the first place.  Was there anything that could or should have been done to prevent the thieves and hackers from stealing the information?  Providers that lack security standards and specifications will become the subject of investigation and legal action.  That is the message from the FTC and OCR.


6.  Medical Records Left Abandoned near the Roadside at Physician’s Home.

An $800,000 settlement was announced by HHS after an investigation of a report from a retiring physician that 71 boxes of medical records were left in her driveway, 20 feet from the road.  The records were put in the physician’s driveway by Parkway Health Systems, Inc. after acquisition talks between Parkway and the physician failed.

Who is most likely to file a HIPAA complaint?  Somewhere near the top of the list should be unhappy or former staff members.  Office staff members have a frontline view of the office.  They know what is going on.  They see things.  They hear things.  They report things.  The 2014 Ponemon Breach Survey found that 46% of health care breaches were first detected and reported by staff members and employees.  You would hope that if a staff member notices something, they would say something internally at the office.  But what if they are unhappy, or think that they are not heard?

7.  CBS News Buys Photocopier Containing Health Information.

After getting a tip that Affinity Health Insurance had returned a photocopier to a leasing company without erasing the copier’s memory, CBS News bought the photocopier to investigate for itself.  Affinity agreed to pay $1,215,780 as part of a settlement with HHS.


It is not only local news reporting on the issue.  The big national networks like to get in on the story, too.  Even in the national news, small-town news becomes big-time news.  And national news likes to be the one responsible for bringing the wrongdoer down.

Health Providers are not required to prevent every HIPAA privacy and security breach.  Health Providers are required to follow HIPAA Standards and Specifications to safeguard against privacy and security threats.  That is an important distinction.  There are things Health Providers should do and must do to reduce privacy and security threats.

In the event of a privacy and security breach, a Health Provider’s best defense is compliance with HIPAA Standards and Specifications.  These Standards and Specifications include staff training, password protection, user-access controls, and ongoing monitoring and tracking.  Adherence to HIPAA Standards and Specifications is the best defense against government fines, lawsuits, and sanctions.
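As an added illustration of the "user-access controls" and "ongoing monitoring and tracking" safeguards named above (this is example code written for this page, not the author's or any vendor's product), the script below reviews a constructed EHR audit log and flags two kinds of access an office would want to catch internally before a patient or reporter does: a chart opened by someone with no documented treatment relationship, and a chart opened by a care-team member whose role does not need that part of the record. The log format, the care-team table, the role table and every record are assumptions made up for the example.

```python
"""
Added example (not from the original post): a minimal audit-log review that
flags chart accesses with no documented treatment relationship, or that go
beyond what the user's role needs. Log format, field names and all records
below are constructed for this example.
"""
from collections import namedtuple

# Constructed EHR audit records: timestamp, user id, role, patient id, action.
AUDIT_LOG = """\
2014-06-02T08:14:05 user=rn_lopez role=nurse patient=P1001 action=view_orders
2014-06-02T08:16:40 user=rn_lopez role=nurse patient=P1001 action=view_notes
2014-06-02T09:02:11 user=md_chen role=physician patient=P1002 action=view_notes
2014-06-02T09:30:27 user=tech_ward role=phlebotomist patient=P1003 action=view_orders
2014-06-02T09:31:02 user=tech_ward role=phlebotomist patient=P1003 action=view_notes
2014-06-02T11:45:13 user=clerk_may role=front_desk patient=P1002 action=view_notes
"""

# Constructed care-team assignments: which users have a treatment relationship
# with which patient (assumption: this comes from the scheduling/ADT system).
CARE_TEAM = {
    "P1001": {"rn_lopez", "md_chen"},
    "P1002": {"md_chen"},
    "P1003": {"tech_ward", "md_chen"},
}

# Role-based "minimum necessary" rule: what each role may do on an assigned patient.
ROLE_PERMISSIONS = {
    "physician": {"view_orders", "view_notes"},
    "nurse": {"view_orders", "view_notes"},
    "phlebotomist": {"view_orders"},   # draw list and timing only, no clinical notes
    "front_desk": set(),
}

Access = namedtuple("Access", "ts user role patient action")
Finding = namedtuple("Finding", "ts user patient action reason")


def parse_audit_log(text):
    """Parse the constructed 'ts key=value ...' log lines into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append(Access(ts, kv["user"], kv["role"], kv["patient"], kv["action"]))
    return records


def review(records, care_team, role_permissions):
    """Return one Finding per access that fails the relationship or role check."""
    findings = []
    for r in records:
        if r.user not in care_team.get(r.patient, set()):
            findings.append(Finding(r.ts, r.user, r.patient, r.action,
                                    "no treatment relationship"))
        elif r.action not in role_permissions.get(r.role, set()):
            findings.append(Finding(r.ts, r.user, r.patient, r.action,
                                    "action exceeds role"))
    return findings


if __name__ == "__main__":
    for f in review(parse_audit_log(AUDIT_LOG), CARE_TEAM, ROLE_PERMISSIONS):
        print(f"{f.ts} {f.user} -> {f.patient} {f.action}: {f.reason}")
```

Run against the constructed log, the review reports two findings: the phlebotomist opening clinical notes rather than the orders list, and a front-desk user opening a chart of a patient they are not assigned to. In a real office the care-team and role tables would be fed from the practice management system and the findings routed to the privacy officer, so that the first person to notice an improper access is the office itself.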

Guest post by: Mary Beth Gettins

Before attending law school, Mary Beth Gettins worked in the health care industry for almost a decade providing direct care services to patients.  Today, as managing attorney of Gettins’ Law, she combines her more than 20 years of health care and legal experience to provide health care privacy and security solutions for medical providers, health plans, and business associates.  Gettins’ Law has developed HIPAA policies and procedures and conducted workforce trainings for small dental offices, home health agencies, direct care providers, national franchise systems, and 60+ workforce member health plans.  She speaks and writes widely on the topic of HIPAA privacy and security, including being a featured guest columnist for the New Dentist, Physician Practice, and Blue MauMau.  She maintains her own HIPAA Blog and monthly newsletter at http://gettinslaw.com/hipaa/.

12 responses to “Concerned about Patient Privacy? 7 Disastrous HIPAA Violations that you should avoid”

  1. Recently I moved to Florida from the NY/NJ area and was transitioning my pain management care to FL. Each doctor knew about the transition, and there was a short period where both were writing controlled substance scripts. Well, the office manager in the FL office decided one day to look at I-STOP/PMP, and had seen scripts written across each state, going back to 2008, but they were all legit because I had 11 surgeries, including 6 surgeries on the left shoulder (including 3 total replacements because the first 2 failed) and major back surgery. Well, this office manager notified their practice’s attorneys, and the attorneys advised the doctor to drop me for “medical non-compliance”, and the manager also contacted my doctor in NY, and that practice’s attorneys advised the same. What are patient rights with respect to I-STOP/PMP data being shared? Can it be accessed outside of a clinical interaction with the patient? Aren’t physicians required to access it prior to writing scripts for CS? In this case the data was accessed outside of a clinical setting and each had written scripts in the past, obviously not checking PMP before writing the scripts. It just seems like I-STOP/PMP completely eradicates patient privacy and risks destroying reputations. This FL office manager told my wife, not me, that she was going to notify all my previous physicians and pharmacies.

    • I am sorry to hear about your struggles. It is a common issue we hear from many patients every year, and a very unfortunate one to say the least.

      Were you able to find a better doctor after this all transpired?

      • Yes I did, ty for asking. I found a wonderful pain management physician in FL, who is working with my orthopedists on strategies for managing my pain (through a combination of surgical procedures (such as scraping of the collar bone where it meets the shoulder joint), anti-inflammatory injections, and pain medicine). The new physician realized that I was caught up in the hysteria over Pill Mills, where legit patients are being subjected to criticisms and scoldings from the very physicians who prescribed narcotics to begin with but who were now being disingenuous because their legal counsel started advising them to drop patients with long histories of narcotic use, no matter how legit the use was. Reputations and quality of life for chronic pain patients are serious concerns because of this mindset. Even the FL Attorney General’s office called me after I wrote them a letter explaining my situation, and they told me that I had done nothing wrong and they advised me to contact a HIPAA attorney, which I am considering.

        It should not be this hard to get proper pain care. We are victims of draconian laws designed to address a tiny fraction of the population. Not only must we suffer from pain, but we need to worry about actually getting the meds because of FDA quotas, we get the “guilty look” when we present our scripts at pharmacies, and we have to “know” the pharmacist, as though we were in the movie “The French Connection”. More people die from NSAIDs, acetaminophen, car accidents, slips in the tub, alcohol and other ways than via opiates properly prescribed and used. Instead, we have a general warrant in the form of I-STOP which assumes all users of pain meds are guilty, and the information is readily available to any physician, or office administrator so designated, or any pharmacist or pharmacy clerk so designated. The next logical extension of this madness is use of I-STOP WHEN YOU GO TO UR CORNER LIQUOR STORE.

        MADNESS!

  3. I know a doctor who allowed a “friend” (whom he is not paying as a contractor or employee) to sit in his office and listen to his patient phone calls and consultations. These patients don’t know the “friend” is present in the room and can hear them, and they openly discuss their sexual health issues, including being HIV positive, with the doctor. The “friend” thought she was doing this for job training; however, the doctor never paid her or acknowledged her time working for him, and no HIPAA or confidentiality paperwork was ever done.

    • Hello Iris,

      There are plenty of examples of these types of breaches, but it’s hard to train offices on what are the right ways to manage patient information. It usually takes a problem to arise before changes are made.

  5. So where I work we use electronic tracking systems for our emergency room. A patient came in who was also an employee who had not come into work that day. I noticed the name on our phlebotomy list, and I opened the chart to make sure the tests were timed correctly. I accidentally went into the notes instead of the orders, and someone sitting next to me noticed I was in said patient’s chart. They told the patient what I did and now I am being investigated… Did I really violate HIPAA?
