Parkview Hospital To Pay $800K To Settle HIPAA Charges After Retiring Physician Blows The Whistle

July 6, 2014

Health care providers, health plans, heath care clearinghouses and their business associates heed both the lesson about properly protecting protected health information and the more subtle lesson about the role of employees and other whistleblowers in bringing these violations to the attention of regulators contained in the latest Health Insurance Portability & Accountability Act (HIPAA) resolution agreement.

Late last month, the Department of Health & Human Services Office of Civil Rights (HHS) announced that complaints of a retiring physician over the mishandling of her patient records by Parkview Health System, Inc. (Parkview) prompted the investigation that lead Parkview to agree to pay $800,000 to settle charges that it violated HIPAA’s Privacy Rule.

The resolution agreement settles charges lodged by HHS based on an OCR investigation into the retiring physician’s allegations that Parkview violated the HIPAA Privacy Rule by failing to properly safeguard the records when it returned them to the physician following her retirement.

As a covered entity under the HIPAA Privacy Rule, HIPAA requires that Parkview appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.

In an investigation prompted by the physician’s complaint, OCR found that Parkview breached this responsibility in its handling of certain physician patient records in helping the physician to transition to retirement.

According to OCR, in September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Subsequently on June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. OCR concluded this conduct violated the Privacy Rule.

To settle OCR’s charges that these actions violated HIPAA, OCR has agreed to pay the $800,000 resolution amount and to adopt and implement a corrective action plan requiring Parkview to revise their policies and procedures, train staff, and provide an implementation report to OCR.

The resolution agreement highlights the role that current or former physicians, employees or others can play in helping OCR to identify HIPAA violations.  Health care providers and other covered entities and their business associates should take into account the likelihood that physicians on their own or other facility medical staffs, their employees and other participants in the care delivery system often may have and be motivated to report to government sensitive information about violations of HIPAA or other laws.  Since HIPAA and most other laws prohibited covered entities from forbidding or retaliating against a person for objectiving to or reporting the concern and offer whistleblowers potential participation in the reporting and prosecution of violations, employees or other workforce members increasingly make the complaints bring violations to OCR and other regulators.

Whether from an internal employee complaint, a  patient or competitor complaint or other source, HIPAA violations carry significant liability risks.  The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.  Furthermore, enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Health Care & Other HIPAA Covered Entities Should Review New Reports As Part of HIPAA Risk Management Efforts

June 11, 2014

Health care providers, health plans and insurers, health care clearinghouses (collectively “Covered Entities”), their business associates, and others concerned about medical privacy regulations or protections should check out two new reports to Congress about breach notifications reported and other compliance data under the Health Insurance Portability & Accountability Act (HIPAA) by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).   Reviewing this data can help Covered Entities and their business associates identify potential areas of exposures and enforcement that can be helpful to minimize their HIPAA liability as well as to expect OCR enforcement and audit inquiries.

Required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the two new reports discuss various details about HIPAA compliance for calendar years 2011 and 2012.  They include the following:

  • Report to Congress on Breach Notifications, discussing the breach notification requirements and reports OCR received as a result of these breach notification requirements; and
  • Report to Congress on Compliance with the HIPAA Privacy and Security Rules, summarizing complaints received by OCR of alleged violations of the provisions of Subtitle D of the HITECH Act, as well as of the HIPAA Privacy and Security Rules at 45 CFR Parts 160 and 164 .
  • Covered entities and their business associates should review the finding reported as part of their compliance practices. Others concerned about medical or other privacy or data security regulations or events also may find the information in the reports of interest.

Under HIPAA, covered entities generally are prohibited from using, accessing or disclosing protected health information about individuals except as specifically allowed by HIPAA,  In addition, HIPAA also requires Covered Entities to establish safeguards to protect protected health information against improper access, use or destruction, to afford certain rights to individuals who are the subjects of protected information, to obtain certain written assurances from service providers who are business associates before allowing those service providers to use, access or disclose protected health information when carrying out covered functions for the Covered Entity, and meet other requirements.

The HITECH Act tightened certain rules applicable to the use, access or disclosure of protected health information by covered entities and their business associates.  In addition, the HITECH Act added breach notification rules, extended direct responsibility for compliance with HIPAA to business associates, increased penalties for noncompliance with HIPAA and made other refinements to HIPAA’s medical privacy rules and made certain other changes.

Enforcement of HIPAA and the resulting penalties have increased since the HITECH Act took effect.

Covered Entities generally have been required to comply with most requirements the Omnibus Final Rule’s restated regulations restating OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the HITECH Act since March 26, 2013 and to have updated business associate agreements in place since September 23, 2013.  Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in  the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation and take well-documented, reasonable steps to encourage their business associates to do the same.    When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2014 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


Health Care Providers Brace For New HIPAA Enforcement As OCR Announces Hospital Resolution Agreement Requiring $1 Million Settlement Payment

February 25, 2011

 

Announcement Made 2 Days After OCR Announces $4.3 Million HIPAA Civil Penalty Against Cignet

General Hospital Corporation and Massachusetts General Physicians Organization Inc. (Mass General) has agreed to pay the U.S. government $1,000,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  The incident giving rise to the agreement involved the loss of protected health information (PHI) of 192 patients of Mass General’s Infectious Disease Associates outpatient practice The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced the Resolution Agreement two days after announcing that its first official assessment of a civil monetary penalty CMP under HIPAA – a $4.3 million against Cignet Health of Prince George’s County, Md., (Cignet).  Read more details here

HIPAA Privacy Rule restricts the use, access and disclosure by covered entities of PHI and other individually identifiable health care information to those outlined within the Rules.  Under HIPAA covered entities also are responsible for establishing and enforcing policies and procedures that safeguard PHI against improper use, access or disclosure by employees, business associates, and other third parties. Noncompliance with the Privacy and Security Rules exposes a covered entity to criminal prosecution and penalties, civil penalties or both.  The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to safeguard the privacy of patient information, including such information during its disposal.  Under amendments to HIPAA enacted under the HITECH Act, business associates now also are accountable and subject to direct liability for failing to comply with HIPAA’s requirements. Amendments to HIPAA under the HITECH Act, further expand the risks and responsibilities of health care providers and other covered entities.

Announced just two days before the Mass General Resolution Agreement, the Cignet CMP announced February 22, 2011 is the first CMP ever assessed by OCR under the HIPAA Privacy Rule.  The assessment resulted after OCR found Cignet violated 41 patients’ HIPAA rights and committed other HIPAA violations. The $4.3 million CMP against Cignet applies the expanded HIPAA violation categories and increased HIPAA civil monetary penalty amounts authorized by HIPAA amendments made by Section 13410(d) of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Read more details.

Even before the Mass General Resolution Agreement and Cignet CMP announcements, HIPAA Privacy exposures of covered entities for failing to comply with HIPAA already had risen significantly.  While OCR had not assessed any civil monetary penalties against any covered entity for violation of HIPAA before Cignet, OCR’s collection of $1 Million from Rite Aid in a 2010 Resolution Agreement, $2.25 million from CVS Pharmacy, Inc. under a 2009 Resolution Agreement and $100,000 from Providence Health & Services under a 2008 Resolution Agreement demonstrated that covered entities could face significant civil liability for willful violations of the Privacy Rules.  In addition to these civil enforcement actions by OCR, the Department of Justice has secured several criminal convictions or pleas under HIPAA’s criminal provisions. OCR data confirms that the covered entities involved in these actions included health care providers, health plans, and others.  Coupled with the HITECH Act changes, these and other enforcement actions signal growing potential hazards for covered entities and their business associates that  fail to properly manage their HIPAA compliance obligations and risks.

The Mass General and Cignet announcements and other enforcement actions demonstrate that OCR is moving forward on its announced plans to hold health plans, health care providers, health care clearinghouses (covered entities) and their business associates that violate HIPAA accountable. Added to other recent developments, the Mass General and Cignet enforcement actions demonstrate that OCR’s commitment to enforcing HIPAA and illustrate the significant exposures that covered entities and business associates risk by disregarding their HIPAA obligations. 

As stated by OCR Director Georgina Verdugo when announcing the Mass General Resolution Agreement,  stating, “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information.”

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” Verdugo added, “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

Covered entities are urged to heed these warning by strengthening their HIPAA compliance and adopting other suitable safeguards to minimize HIPAA exposures. Health plans and other covered entities as well as their business associates should tighten privacy policies, breach and other monitoring, training and other practices to mitigate against exposures in light of recently tightened requirements and new enforcement risks.  To minimize the potential that the health plan’s sharing of information with the employer will create or spread HIPAA or other privacy risks to the employer or members of its workforce, employers and other plan sponsors and members of their workforce also should take steps to ensure not only that their health plan documents, policies and procedures, as well as those policies and practices applicable to the employer, its human resources, and benefits advisors when accessing or handling health plan or other medical information on behalf of the employer, rather than the plan, are appropriately designed and administered.

Act To Manage HIPAA Exposures

In response to these expanding exposures, covered entities and their business associates should review the adequacy of their current HIPAA Privacy and Security compliance policies, monitoring, training, breach notification and other practices taking into consideration the Cignet, Rite Aid, Provident and CVS enforcement actions, emerging litigation and other enforcement data; their own and reports of other security and privacy breaches and near misses, and other developments to determine if additional steps are necessary or advisable.  As part of these compliance and risk management efforts, most covered entities and their business associates will find it advisable to devote significant attention to the business associate relationship and its associated business associate agreements.  

For Help With Investigations, Policy Review & Updates Or Other Needs

If you need assistance in auditing or assessing, updating or defending your HIPAA, or other health or other employee benefit, labor and employment, compensation, privacy and data security, or other internal controls and practices, please contact the author of this update, attorney Cynthia Marcotte Stamer at cstamer@solutionslawyer.net or at (469)767-8872.

The Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, Government Affairs Committee Legislative Chair for the Dallas Human Resources Management Association, and past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer works, publishes and speaks extensively on HIPAA and other privacy and data security, health plan, health care and other human resources and workforce, employee benefits, compensation, internal controls and related matters.

For more than 23 years, Ms. Stamer has counseled, represented and trained employers and other employee benefit plan sponsors, plan administrators and fiduciaries, insurers and financial services providers, third party administrators, human resources and employee benefit information technology vendors and others privacy and data security, fiduciary responsibility, plan design and administration and other compliance, risk management and operations matters.  She also is recognized for her publications, industry leadership, workshops and presentations on privacy and data security and other human resources, employee benefits and health care concerns.  Her many highly regarded publications on privacy and data security concerns include “Privacy Invasions of Medical Care-An Emerging Perspective.” ERISA Litigation Manual. BNA, 2003-2009; “Privacy & Securities Standards-A Brief Nutshell.” BNA Tax Management and Compliance Journal. February 4, 2005; “Cybercrime and Identity Theft: Health Information Security beyond HIPAA.” ABA Health eSource. May, 2005 and many others.  She also regularly conducts training on HIPAA and other privacy and data security compliance and other risk management matters for a broad range of organizations including the Association of State and Territorial Healthcare Organizations (ASTHO), the Los Angeles County Health Department, a multitude of health plans and their sponsors, health care providers, the American Bar Association, SHRM, the Society for Professional Benefits Administrators and many others.  Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see www.CynthiaStamer.com or contact Ms. Stamer directly.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also may be interested reviewing some of our other Solutions Law Press resources available at http://www.solutionslawpress.com including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at www.SolutionsLawPress.com.

©2011 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.


%d bloggers like this: