HIPAA Biannual Update

Digital Debut

July to December 2022

Since ASCA’s last update in August, healthcare organizations across the country posted 333 breaches of protected health information (PHI) affecting 500 or more individuals. Consistent with previous time periods, the vast majority of the breaches—95 percent—were caused by unauthorized access or hacking. The percentage of breach investigations due to the theft of devices continues to steadily decrease, comprising only 3 percent of breaches in the last six months of 2022 compared to 21 percent in the first half of 2017.

Figure: OCR Breach Investigations, July–December 2022 (source: ASCA)

Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for security of PHI when being stored or transferred electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can visit the OCR website to review enforcement actions and consider how they can avoid the mistakes made by others.

Many recent enforcement actions have been through the HIPAA Right of Access Initiative. Since the previous update in August, OCR has announced four more settlements in its HIPAA Right of Access Initiative, bringing the total to 42 enforcement actions since 2019. The recent investigations found varying degrees of noncompliance with patients’ requests to promptly receive their medical records and resulted in corrective action plans with several years of monitoring and settlements ranging from $20,000 to $80,000. Three examples of recent resolution agreements are provided below, along with precautions ASCs can take to avoid similar violations.

Great Expressions Dental Center of Georgia, PC (GEDC-GA)

What Happened: GEDC-GA is a dental and orthodontics provider with multiple locations in Georgia. OCR’s investigation began in 2020 after receiving a complaint that GEDC-GA refused to provide a patient their complete medical records because the patient would not pay a $170 copying fee. The individual first requested their records in 2019 but ultimately did not receive their records until 2021. Following OCR’s investigation, GEDC-GA agreed to an $80,000 settlement and a corrective action plan with two years of monitoring.

Takeaway for ASCs: In 2019, OCR introduced a specific provision of the HIPAA Privacy Rule related to health information technology to help enforce and support an individual’s right to timely access to their health records at a reasonable cost. In the case of GEDC-GA, OCR determined that the fee demanded was exorbitant; the result was an individual waiting almost two years to obtain their medical records and a substantial financial penalty for the provider.

ASCs should review their policies and training programs to ensure that all HIPAA obligations can be met when a patient requests access to their medical records. As OCR continues to announce more settlements in its HIPAA Right of Access Initiative, ASCs should keep in mind that it remains critical that patients are granted timely access to their own medical information and are able to take charge of their healthcare decisions promptly.

New England Dermatology and Laser Center (NEDLC)

What Happened: In 2021, NEDLC, which provides dermatology services in Massachusetts, filed a breach report with OCR. The report detailed that empty specimen containers with patients’ PHI were disposed of in a garbage container in the facility’s parking lot. The containers included labels with patients’ names, dates of birth, the providers who obtained the specimens and the dates the samples were collected. OCR’s investigation discovered that NEDLC impermissibly used and disclosed PHI and failed to maintain appropriate standards to protect patients’ PHI. NEDLC agreed to a more than $300,000 settlement and a corrective action plan with two years of monitoring.

Takeaway for ASCs: While improper disposal accounted for less than 1 percent of OCR breach investigations in the last half of 2022, instances of improper disposal are preventable. ASCs should ensure that proper safeguards are in place to keep PHI from being easily discovered by the public. OCR offers an FAQ document to help address common questions on the proper methods and policies for PHI disposal.

New Vision Dental (NVD)

What Happened: OCR began investigating the California dental practice after it received a complaint in 2017 alleging that NVD impermissibly disclosed patients’ PHI, including their names, treatments received and insurance information, by posting it online in retaliation for negative reviews. OCR concluded that NVD impermissibly disclosed patients’ PHI and failed to have proper policies and procedures in place to address releasing PHI online. After the investigation concluded, NVD agreed to a corrective action plan with two years of monitoring and a $23,000 penalty.

Takeaway for ASCs: Disclosing PHI publicly, including on the internet, is illegal under the HIPAA Privacy Rule. While responding to a negative review might feel tempting, it is never acceptable to purposefully expose PHI. In the case of NVD, the practice needlessly damaged its reputation and incurred a monetary penalty and a several-year investigation by OCR. ASCs should state in their policies that all members of staff must be informed of their obligations to adhere to all HIPAA requirements both in the ASC and online.

ASCA provides several resources to help ASCs remain compliant with HIPAA. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write Alex Taira, ASCA’s regulatory policy and research manager.