Health Information Compliance Alert

Enforcement News:

Check Out The Newly Redesigned OCR Website

Plus: Collections on unpaid medical bills get provider into HIPAA trouble.

The HHS Office for Civil Rights (OCR) website just got a little more user-friendly and easier to navigate, thanks to a months-long redesign effort.

OCR announced the launch of its newly redesigned website (www.hhs.gov/ocr) on Jan. 6. According to the announcement, OCR receives 2 million visitors to its website every year and owns eight of the top 10 most visited webpages on HHS.gov. “HIPAA” is also the most searched term on HHS.gov.

The revamped website has the following new features (among others):

  • Categorizes information and resources by “Individuals,” “Professionals,” and “Providers” for easier, quicker navigation;
  • Powerful search functionality displays OCR-specific information and resources prominently at the top of search results;
  • Most requested information prominently displayed in “I would like info on…” box located on the main homepages for Civil Rights and Health Information Privacy;
  • Optimizes access on cell phones, tablets, and other mobile devices via a mobile-first platform; and
  • Simplified and refined site navigation and content layout on the webpages.

Don’t Include Dx Codes, Treatment Lists In Collections Court Filings

Filing collection cases against patients for unpaid balances is perfectly okay under HIPAA — but be very careful what kind of information you include in the court filings.

Case in point: Simply filing for collections on unpaid patient services turned into a HIPAA complaint and a counter claim for one healthcare provider — and the case even made the New York Times, according to a Dec. 29 blog posting by attorney Mary Beth Gettins of Gettins’ Law.

When filing a lawsuit for collection of unpaid medical bills, Short Hills Associates in Clinical Psychology of Springfield, N.J. attached an accounting to the court filing that included patient diagnosis codes and treatment listings, Gettins said. In response to the court filing, the patient filed a complaint with the HHS Office for Civil Rights (OCR) and a counter claim in the collection lawsuit, alleging invasion of privacy, breach of the psychologist-patient privilege, fraud, misrepresentation, and other claims.

Problem: “Court filings are a matter of public record,” Gettins pointed out. This means that the records are open to the public: anyone can obtain a copy from the courthouse, and in some cases court websites allow Internet download of all court filings.

Now this is no longer simply a collection case, Gettins said. “Short Hills could well be liable for far more than the unpaid medical bills. Short Hills filed 24 similar collection cases.”

The moral of this story? Beware of what kinds of information you attach to a collections case. “The inclusion of the diagnosis codes and treatment lists are not essential for substantiation of a collections case and should not be included in court filings,” Gettins stressed.

Watch Out For HIPAA ‘Teeth’ Biting You In 2016

The HHS Office for Civil Rights (OCR) closed out 2015 with a booming December for healthcare breaches, logging 23 reported breach incidents.

Of the 23 total, most involved healthcare providers (19) with four affecting health plans. Twelve breaches involved unauthorized access/disclosure, followed by theft (seven), hacking/IT incidents (three), and one incident of improper disposal. OCR posted these reported breach incidents on its so-called “Wall of Shame” (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf), which displays HIPAA breaches affecting 500 or more individuals.

Paper/films was involved most often, accounting for nine of the total breaches, plus an additional breach that involved both paper/films and a desktop computer. Five breaches arose from laptops or other portable electronic devices, while four involved email, three network servers, and one electronic medical record (EMR).

St. Luke’s Cornwall Hospital in New York State reported the largest breach in December, with 29,156 affected individuals, arising from the theft of a portable electronic device. Most other breaches reported during the month were much smaller in scope, affecting far fewer individuals.

Beware: There’s no mistaking that 2015 was a “banner year” for healthcare breaches, according to a Dec. 31 analysis by Jan McDavid, Esq., Chief Compliance Officer and General Counsel for HealthPort. HHS data indicates that more than 102 million Americans’ health records were inappropriately accessed or misused last year. Also, eight of the 10 largest healthcare provider hacks of all time occurred in 2015, with the largest from an insurer whose hacking-related breach affected 78.8 million individuals.

Look ahead: In 2016, some estimates place costs for healthcare breaches at hundreds of billions of dollars, McDavid warned. “HIPAA and related laws have real ‘teeth’ now. Be prepared.”