Avoid the fate of these healthcare entities with solid training and compliance strategies.

HIPAA violations have been ramping up in recent months. Check out these three recent examples of violations of the HIPAA rules so your practice can avoid making the same mistakes and incurring the ensuing penalties.

1. View This $950K Settlement for Security Rule Violation

On July 1, 2024, Heritage Valley Health System agreed to pay $950,000 as part of a settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Heritage Valley, which provides care in three states, was the victim of a ransomware attack in 2017 that affected its electronic medical records and left protected health information (PHI) vulnerable to outsider access.

When OCR began investigating the breach, it found that Heritage Valley had not implemented critical HIPAA requirements, including an emergency plan and a security risk analysis. The organization had also failed to enact policies and procedures that would have allowed only authorized users to access electronic PHI.

In addition to the $950,000 settlement, Heritage Valley is required to create a corrective action plan that OCR will monitor over a three-year period. The organization must also conduct a risk analysis, create a risk management plan, develop written policies to comply with the HIPAA rules, and train staffers on HIPAA policies.

How your practice can avoid this fate: The best way to ensure you don’t face HIPAA Security Rule violations is to be proactive in protecting your practice. Perform a risk analysis periodically and ensure audit controls are in place to examine all information system activity. If you find that you’re vulnerable to a breach, take action immediately — call an IT security expert to assist if you’re in doubt about your ability to appropriately protect your data and your patients’ information.

Resource: Read more about the Heritage Valley settlement.

2. Note What Happens When Medical Records Are Reviewed Without Reason

Although it may seem like physicians have carte blanche to review medical records whenever they see fit, that’s not the case. In actuality, even physicians need a legitimate medical reason to access a patient’s record. And on June 28, 2024, one physician pled guilty to reviewing a patient’s medical records without their knowledge.

According to a news release from the Department of Justice, Dr. Gabriel Roman admitted that while he was a resident at an Iowa hospital, he looked up the electronic medical records of a particular patient using computer systems located at two different hospitals. He was not treating the patient in question and did not have their consent to review their medical files. Additionally, he photographed private information in the patient’s medical record and sent one photo through the social media app Snapchat. The doctor faces a potential sentence of five years in prison, three years of supervised release afterward, and a $250,000 fine.

How your practice can avoid this fate: Everyone at your practice — including providers — should be thoroughly trained on the importance of accessing medical records only when they have a legitimate reason to do so. In addition to frequently reminding staff of the law in this area, you should put access parameters in place so no one can review medical records they aren’t supposed to see.

Resource: To read more about the settlement and the details of the case, visit the Justice Department’s news alert about the case.

3. Beware of Sharing Medical Records With Law Enforcement

Just as physicians don’t have unrestricted access to medical records, neither do law enforcement entities. There is a wide range of laws governing who can access PHI, whether they require a warrant, and what information you need from patients before you can share their records with law enforcement officers.

On June 19, 2024, Adventist Health Hanford settled with the government as part of an effort to resolve HIPAA violations after its staff members gave medical information regarding two patients to law enforcement officers without authorization. In both cases, the patients were pregnant women who experienced stillbirths at the hospital. The hospital was said to have provided their medical records to law enforcement officers without the patients’ permission and without a legal warrant. Those records allegedly included information about a history of drug use among the patients, and law enforcement subsequently accused both patients of causing the deaths of their fetuses through the use of drugs. Both patients were sentenced to prison. The California Department of Justice’s further investigation revealed that the hospital had provided those records to law enforcement without authorization or a warrant, and both patients’ convictions were overturned.

How your practice can avoid this fate: Train your staff on the parameters they must follow before sharing PHI with anyone, including law enforcement officers. Consult with a qualified healthcare attorney about the laws in your state, and create documentation outlining the specific requirements for turning over any PHI to police officers, detectives, attorneys, judges, or any other entities without patient authorization. Then disseminate this material to all staff members who access protected health information.

Resource: Read more about the Adventist Health case.

Torrey Kim, Contributing Writer, Raleigh, N.C.