A major topic in the healthcare industry is the increasing focus on enforcement of HIPAA law and the matter of scale. Let’s look at how a Tennessee hospice serves as an example of making the news even when just a few records are compromised:
- Setting an example
- HIPAA on the highway
- Act locally first
- Don’t be an example.
Setting an example
In what seems to be a similar pattern to the DOT National Highway Traffic Safety Administration’s incredible uptick in car recalls during 2014, the HHS Office of Civil Rights legal team publicly predicted that the number and dollar amount of healthcare settlements would be increasing through this summer.
Specifically, Chief Regional Civil Rights Counsel Jerome B. Meites said that the degree of enforcement that had occurred between June 2013 and June 2014 – which totaled $10 million in settlements, including a record $4.8 million agreement – would “pale in comparison to the next 12 months.”
Many of the high-profile cases investigated by the federal government are featured on a public webpage that some healthcare technologists now call the “HIPAA Wall of Shame.” In that way, organizations that experience large-volume breaches (affecting 500 or more people) serve as examples of what not to do.
However, sometimes a TV news report serves as a Wall of Shame, even for small breaches.
HIPAA on the highway
An ex-employee of a hospice did not destroy protected health information as the law demands, resulting in a critical investigative news segment.
When Sandra Rambo found medical records while walking with her daughter at the side of a highway, she knew immediately that it violated patient healthcare protections. The pair found almost two dozen hard-copy documents from Amedisys, representing 17 different patients. Rambo called her local news station, WJHL, to discuss the documents – which included name and contact information; medical diagnoses and symptoms; and various “other private patient details regarding hospice visits.” The documents were from 2010.
A spokesperson for Amedisys, also interviewed by WJHL, said that a previous staff member hadn’t destroyed the documents per the hospice’s policy.
Act locally first
The news show also reached out to Rachel Seeger, senior advisor for public affairs and outreach at the HHS Department (which oversees the OCR). Seeger said that typically when an organization is found to be noncompliant with healthcare law, the OCR helps guide them toward solutions that will actually keep their patient data secure.
It is rare that a settlement must be signed between HHS and the violating party, but that does sometimes occur – see the $10 million of settlements indicated above. In these cases, a resolution agreement is signed by HHS and the healthcare company, stating that the latter will conduct specific tasks (such as employee education) and give updates regularly to the agency, typically for 36 months. Throughout that probationary window, the OCR carefully determines if the firm is taking proper steps toward compliance. Additionally, “a resolution agreement likely would include the payment of a resolution amount,” commented Seeger. “These agreements are reserved to settle investigations with more serious outcomes.”
Although typically the government focuses on cases in which hundreds or thousands of records are exposed, Rambo did not think that the seemingly accidental misplacement of a few files was trivial. She was especially passionate about the issue because one of the 17 files was that of a man who lived nearby and had recently passed away.
Rambo told the news reporter that HIPAA was put into effect so that medical establishments would become hyper-aware of privacy and security, preventing these types of incidents. Referring to healthcare practices, she said, “They’re supposed to prevent this from getting in the public’s grasp.”
According to a representative for Amedisys, the company gathered all the files in Rambo’s possession and is conducting a review of how the breach occurred to avoid additional exposure.
The representative told WJHL that the organization is abreast of HIPAA law, with all medical records digitally encrypted since 2012. As healthcare security consultants advise, the hospice also has comprehensive data policies and procedures in place.
The policy that is currently in writing at Amedisys demands that all paperwork is immediately shredded by employees following any visit. The person who dumped the documents at the side of the road was acting in a rogue fashion, as could be guessed. Amedisys said, “It does not appear that this former employee followed our normal protocols.”
The facility is giving patients affected by the breach free subscriptions to credit tracking services. They are also retraining their staff.
Although the notion of a data breach may sound initially complex, like hackers carefully working their way into a system, HIPAA violations are often the result of simple, day-to-day mistakes. If a disgruntled staffer’s employment has been terminated, they may accidentally still be able to log in or otherwise access records. Alternately, someone who is still on staff may just not understand the need to shred immediately and completely.
Don’t be an example
You may want your company to be an example of healthcare success, but you don’t want it to be an example of healthcare violation, like a system of Minnesota healthcare providers that exposed almost 2000 identities after records were accidentally dumped in the trash rather than being shredded.
Partner with a knowledgeable business associate, now fully responsible for compliance as of the 2013 Final Omnibus Rule, for your HIPAA Compliant Hosting. We also offer many popular additional hosting options like Windows Cloud Hosting or Dedicated Hosting.