Violation of Privacy Rule Leads to $800,000 HIPAA Settlement

Indiana-based Parkview Health System (“Parkview”) has agreed to settle potential violations of the HIPAA Privacy Rule with the HHS Office for Civil Rights (“OCR”) by paying $800,000 and adopting a corrective action plan to address deficiencies in its HIPAA compliance program. The resolution agreement can be found here.

According to the HHS press release, the OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. It is unclear whether any of these medical records were actually viewed by anyone else.

In addition to the $800,000 payment, Parkview entered into a corrective action plan that requires them to:

  • Develop, maintain and revise, as necessary, written policies and procedures addressing requirements of the Privacy Rule and the corrective action plan (“Policies and Procedures”).  Specifically these Policies and Procedures must at a “minimum, provide for administrative, physical and technical safeguards (“safeguards”) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.”
  • Provide Policies and Procedures to HHS within 30 days of Resolution Agreement’s Effective Date for HHS’s review and approval.
  • Distribute Policies and Procedures to all Parkview workforce members.
  • Periodically review the Policies and Procedures and update them to reflect changes in operations at Parkview, federal law, HHS guidance and/or any material compliance issues discovered by Parkview.
  • Notify HHS in writing within 30 days if Parkview determines that a workforce member has violated the Policies and Procedures (“Reportable Events”).
  • Provide general safeguards training to all workforce members who have access to PHI, as required by the Privacy Rule.
  • Provide training on its approved Policies and Procedures to all workforce members.
  • Submit to HHS a final report demonstrating Parkview’s compliance with the corrective action plan.

Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records. The OCR has provided helpful FAQs about HIPAA and the disposal of protected health information. For more information about complying with the HIPAA Privacy Rule, please contact Jefferson Lin or Elana Zana.

 

 

Rady HIPAA Breach – Access Controls & Training

Rady Children’s Hospital in San Diego announced this week that it has discovered two instances of impermissible disclosure of patient information – both disclosures arising from employees sending spreadsheets containing PHI to job applicants.  Surprisingly, Rady employees did not learn the lesson from their northern California neighbor, Stanford, which recently settled a lawsuit for $4 Million based on similar circumstances of a vendor releasing patient information to a job applicant.  In both the Rady situations (and at Stanford) identifiable patient information was sent to job applicants in order to evaluate those applicants’ skill sets.  The spreadsheets contained names, dates of birth, diagnoses, insurance carrier, claim information, and additional information.  Combined, the breach affected over 20,000 patients.

Rady has announced that it will take the following actions to prevent future events:

• Only commercially available and validated testing programs will be used to evaluate job applicants who will be tested onsite.
• We are increasing data security by further automating flagging of emails that may contain potential protected health or other sensitive information, and requiring an added level of approval before it can be sent.
• Rady Children’s is working with our email encryption provider to further strengthen our protection of sensitive data.
• Rady Children’s continually provides employees with education regarding privacy policies. We will be using these incidents as examples to better inform our leadership team and employees about the risks and the importance of the policies we have in place and train them in these new measures we are taking.

Though these steps are important, it is quite alarming that breaches such as these are still happening.  Why are job applicants receiving spreadsheets with patient information?  As Rady notes above, training exercises are commercially available.  Breaches, such as the one at Rady and at Stanford, reveal several flaws in HIPAA compliance – but two in particular rise to the surface.

1.  Access Controls.  The HIPAA Security Rule stresses the importance of access controls both internally and externally within a covered entity (and now business associates). Who gets access to the PHI, who gives that person access, and what access do they have?  The administrative, physical, and technical safeguard requirements all touch on whether access to PHI for workforce members is appropriate.  For example, a technical safeguard requirement specifically addressing access controls requires that covered entities, and business associates “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).”  45 CFR 164.312.  Covered entities and business associates alike should evaluate who within their organizations actually need access to PHI to perform job functions.  Does the HR Department or an internal/external recruiter, arguably in charge of hiring new staff, need PHI in order to perform their job duties?  (Note, I do not opine here as to whether access to PHI was properly granted to the workforce members at Rady, as I lack sufficient information to make that judgment).  Determining if access to PHI is appropriate is both a requirement of the HIPAA Security Rule (though it is “addressable” you still need to address it!) and is a good mitigation tactic to avoid impermissible breaches, such as the one here.

2.  Training.  All covered entities and business associates are responsible for HIPAA Security training for all members of the workforce.  45 CFR 164.308.  Though training may vary depending on the workforce member’s use of PHI, all staff must be trained.  Training does not end following an initial session.  Periodic security updates are specifically identified in the Security Rule as an implementation specification.  These updates do not have to be limited to information about new virus protection software installed on the system. They can include valuable tidbits like case studies, HIPAA rule reminders, and HIPAA related headlines.  For some workforce members HIPAA may not be top of mind (specifically for those in business roles that may not deal with patients or patient information on a routine basis).  Providing periodic training updates and reminders, including examples of other HIPAA breaches (i.e. Stanford here) may be very useful in driving home how easy HIPAA breaches can be…and how expensive they are.

Avoidance of HIPAA breaches altogether is nearly impossible, but proper access controls and training can help mitigate against breaches such as the one that occurred here.

For more information about HIPAA Security contact Elana Zana.