HHS Announces $275,000 HIPAA Enforcement Action

Posted on June 18, 2013 in Health Law News

Published by: Hall Render

On June 13, 2013, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with a California medical center (“Medical Center”) over alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule. The settlement follows an investigation by the HHS Office for Civil Rights (“OCR”) that was prompted by a Los Angeles Times article reporting that two senior leaders of the Medical Center had disclosed a patient’s protected health information (“PHI”) to the media without a valid written authorization.

Specifically, the HHS investigation indicated that the Medical Center failed to safeguard the patient’s PHI from impermissible disclosure by discussing the medical services being provided to the patient with media outlets on three separate occasions, without written authorization. The disclosures were made in response to a media story about potential Medicare fraud at the Medical Center. The HHS investigation also indicated that the Medical Center impermissibly used the patient’s diagnosis, treatment and medical condition by including that information in an email to its entire workforce of over 700 people. Finally, the HHS investigation indicated that the Medical Center failed to sanction the workforce members who impermissibly disclosed the patient’s information.

Accordingly, HHS and the Medical Center entered into a Resolution Agreement (“Agreement”) in which the Medical Center agreed to pay $275,000 to HHS and implement corrective measures, which include:

  • Designating compliance representatives for each of its 15 other facilities;
  • Developing, maintaining and revising written policies and procedures that comply with federal privacy standards, to be approved by HHS;
  • Establishing administrative, technical and physical safeguards to protect PHI from any intentional or unintentional disclosure to media outlets;
  • Distributing approved privacy policies and procedures to all new and current workforce members;
  • Requiring workforce members with access to PHI to attend training on privacy standards and to certify that they have read, understood and will abide by the policies and procedures;
  • Submitting a written implementation report to HHS to summarize the status of the Agreement’s implementation; and
  • Filing an annual report with HHS detailing compliance with the Agreement and any findings.

In the press release announcing this action, OCR Director Leon Rodriguez was quoted as saying, “When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior.” Mr. Rodriguez stressed the role that senior leadership plays in defining the culture of HIPAA compliance in an organization and how that culture helps to ensure the full protection of patient rights.

Practical Takeaways

In light of this development, covered entities of all types should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:

  • Periodically reviewing and revising privacy policies and procedures to ensure that patient information is safeguarded;
  • Developing appropriate privacy training for all levels of employees and ensuring that updated policies and procedures are distributed throughout the workforce;
  • Ensuring that senior leaders demonstrate a commitment to protecting patient privacy and foster a culture of compliance;
  • Developing protocols for appropriately responding to media inquiries, and reminding employees that PHI remains protected by the HIPAA Privacy Rule even if the information is already in the public domain, so that disclosures to media outlets require the patient’s prior written authorization;
  • Establishing technical and administrative safeguards so that only workforce members who are involved in the provision of, or payment for, care have access to PHI; and
  • Developing and consistently enforcing internal sanctions for workforce members who violate privacy policies and procedures.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.

If you need additional information about HIPAA and HITECH, please contact Mark J. Swearingen at 317-977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.

Special thanks to Kim Reese, Law Clerk, for her assistance with the preparation of this alert.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. View our HIPAA Impact Series and sign up to receive updates by visiting www.hallrender.com/impact.