Atlantic.Net Blog

HIPAA on the Highway: Tennessee Hospice

Sam Guiliano
by Atlantic.Net (86 posts) under HIPAA Compliant Hosting

A major topic in the healthcare industry is the increasing focus on enforcement of HIPAA law and the matter of scale. Let’s look at how a Tennessee hospice serves as an example of making the news even when just a few records are compromised:

  • Setting an example
  • HIPAA on the highway
  • Act locally first
  • Don’t be an example

Setting an example

In a pattern that echoes the DOT National Highway Traffic Safety Administration’s sharp uptick in car recalls during 2014, the HHS Office of Civil Rights legal team publicly predicted that the number and dollar amount of healthcare settlements would increase through this summer.

Specifically, Chief Regional Civil Rights Counsel Jerome B. Meites said that the degree of enforcement that had occurred between June 2013 and June 2014 – which totaled $10 million in settlements, including a record $4.8 million agreement – would “pale in comparison to the next 12 months.”

Many of the high-profile cases investigated by the federal government are featured on a public webpage that some healthcare technologists now call the “HIPAA Wall of Shame.” In that way, organizations that experience large-volume breaches (affecting 500 or more people) serve as examples of what not to do.

However, sometimes a TV news report serves as a Wall of Shame, even for small breaches.

HIPAA on the highway

An ex-employee of a hospice did not destroy protected health information as the law demands, resulting in a critical investigative news segment.

When Sandra Rambo found medical records while walking with her daughter at the side of a highway, she knew immediately that it violated patient healthcare protections. The pair found almost two dozen hard-copy documents from Amedisys, representing 17 different patients. Rambo called her local news station, WJHL, to discuss the documents – which included name and contact information; medical diagnoses and symptoms; and various “other private patient details regarding hospice visits.” The documents were from 2010.

A spokesperson for Amedisys, also interviewed by WJHL, said that a previous staff member hadn’t destroyed the documents per the hospice’s policy.

Act locally first

The news show also reached out to Rachel Seeger, senior advisor for public affairs and outreach at the HHS Department (which oversees the OCR). Seeger said that typically when an organization is found to be noncompliant with healthcare law, the OCR helps guide them toward solutions that will actually keep their patient data secure.

It is rare that a settlement must be signed between HHS and the violating party, but that does sometimes occur – see the $10 million of settlements indicated above. In these cases, a resolution agreement is signed by HHS and the healthcare company, stating that the latter will conduct specific tasks (such as employee education) and give updates regularly to the agency, typically for 36 months. Throughout that probationary window, the OCR carefully determines if the firm is taking proper steps toward compliance. Additionally, “a resolution agreement likely would include the payment of a resolution amount,” commented Seeger. “These agreements are reserved to settle investigations with more serious outcomes.”

Although typically the government focuses on cases in which hundreds or thousands of records are exposed, Rambo did not think that the seemingly accidental misplacement of a few files was trivial. She was especially passionate about the issue because one of the 17 files was that of a man who lived nearby and had recently passed away.

Rambo told the news reporter that HIPAA was put into effect so that medical establishments would become hyper-aware of privacy and security, preventing these types of incidents. Referring to healthcare practices, she said, “They’re supposed to prevent this from getting in the public’s grasp.”

According to a representative for Amedisys, the company gathered all the files in Rambo’s possession and is conducting a review of how the breach occurred to avoid additional exposure.

The representative told WJHL that the organization is abreast of HIPAA law, with all medical records digitally encrypted since 2012. As healthcare security consultants advise, the hospice also has comprehensive data policies and procedures in place.

The written policy currently in force at Amedisys requires that employees shred all paperwork immediately following any visit. As one might expect, the person who dumped the documents at the side of the road was acting outside that policy. Amedisys said, “It does not appear that this former employee followed our normal protocols.”

The facility is giving patients affected by the breach free subscriptions to credit tracking services. It is also retraining its staff.

Although the notion of a data breach may initially sound complex, like hackers carefully working their way into a system, HIPAA violations are often the result of simple, day-to-day mistakes. If a disgruntled staffer’s employment has been terminated, they may still be able to log in or otherwise access records because their access was never revoked. Alternatively, someone who is still on staff may simply not understand the need to shred immediately and completely.

Don’t be an example

You may want your company to be an example of healthcare success, but you don’t want it to be an example of healthcare violation, like a system of Minnesota healthcare providers that exposed almost 2000 identities after records were accidentally dumped in the trash rather than being shredded.

Partner with a knowledgeable business associate, now fully responsible for compliance as of the 2013 Final Omnibus Rule, for your HIPAA Compliant Hosting. We also offer many popular additional hosting options like Windows Cloud Hosting or Dedicated Hosting.
