The Office of Civil Rights of the Department of Health and Human Services (OCR) announced that it has entered into a settlement with a business associate that provides electronic medical records services to health care providers. The resolution agreement requires Medical Informatics Engineering, Inc. (MIE) to pay $100,000 and adhere to a corrective action plan.
After a quiet winter, the Department of Health and Human Services’ Office for Civil Rights (OCR) revived with the spring, issuing a set of frequently asked questions and two recent announcements.
The FAQs address the situation where an individual requests a covered entity to disclose protected health information (“PHI”) to an app. The covered entity…
On February 7, 2019, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services published the resolution agreement for its final HIPAA settlement of 2018. The resolution agreement cited two breach notifications that OCR received from the parent of several hospitals in California. In 2013, the provider notified OCR of a breach that occurred when one of its contractors removed electronic security protections from a server. This breach affected more than 50,000 individuals. In 2015, the provider submitted notice of a second breach, this one resulting from an employee’s activation of the wrong website, affecting more than 11,000 individuals.…
A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.
The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida. In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third party billing provider. ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:
- The disclosure affected 9,225 patients.
- ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
- ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
- ACH failed to conduct a security risk analysis until after the breach was discovered.
To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.
The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado. The ensuing investigation revealed:
- The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
- The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.
The Office of Civil Rights of the Department of Health and Human Services has announced settlements with three different Boston-area hospitals for allegedly compromising the privacy of protected health information by inviting documentary film crews on premises without first obtaining patient authorization. The three settlements call for a total of almost $1 million in penalty payments and require each of the hospitals to undertake corrective action. The corrections are not the same for each hospital and range from workforce education and communication to the establishment of specific procedures, for example, for deciding when to allow media access and for putting safeguards in place to monitor film crew activity.…
Imagine a breach in the privacy of protected health information. The violation of an individual’s HIPAA rights may be clear, but the individual cannot sue under HIPAA. Courts have consistently held that HIPAA provides no private right of action.
In the recent case of Lee-Thomas v. Lab Corp., an individual brought suit, claiming that her HIPAA rights had been violated. When hospitalized, she had been asked to submit medical information on a computer. She alleged that the information she entered was visible to another patient at a nearby computer station. The court did not reach the question of whether the proximity of the computers resulted in a HIPAA violation. It dismissed the claim, observing that HIPAA limits enforcement actions to the U.S. Department of Health and Human Services and states’ attorneys general.
The absence of a private right of action under HIPAA significantly reduces the risks faced by covered entities and business associates, but it does not shield them against all litigation and liability. Lawsuits for the improper disclosure of personal medical information have been brought under different theories, including common law breaches of privacy and breaches of contract. Last year, Anthem Inc. settled a class action, arising from a large 2015 data breach, for $115 million. Currently, litigation is being pursued under non-HIPAA claims for disclosures that have resulted from mailing practices, including the use of window envelopes and incorrect addresses. Case law is emerging, and it is possible that courts will refer to HIPAA’s standards as setting the bar for the privacy and data security safeguards that should be implemented and followed, but individuals who sue for breaches of those safeguards will need to base their claims on something other than a HIPAA violation.…
The Departmental Appeals Board of the Department of Health and Human Services (“Board”) has granted summary judgment against the University of Texas MD Anderson Cancer Center (“Center”) and upheld the imposition of $4.3 million in penalties against the Center for violations of HIPAA’s privacy and security rules. In this case, the personal medical data of more than 33,000 individuals was exposed through the theft of a laptop and the loss of unencrypted thumb drives. None of these devices was encrypted, and the laptop was not password protected.…
A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing. All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.
You have been well trained. That is what you should do.…
The virtual world offers opportunities and obligations not found in nature.
For a couple of years, my wife has followed the adventures of a bonded eagle couple, Liberty and Freedom, residing in the hills near Hanover, Pennsylvania. A strategically positioned webcam offers a round-the-clock view of nesting activities. Last year the pair hatched two eggs and cared for the eaglets until they fledged.
This year, it appears as if calamity struck. Liberty has disappeared, and a new female, Lucy, has taken her place in the nest, destroying one of the eggs. Although the other egg remains in the nest, it is widely believed that the disturbance has rendered it unviable and that it will not hatch. It is possible that Lucy fought with the older Liberty and killed her. The body has not been found. It is also possible that Freedom and Lucy will now bond, but most viewers do not expect them to produce eggs this year.
In the virtual world, health care providers, health plans, health care clearinghouses, and their business associates have a responsibility to protect the treasured asset of individually identifiable information from predators and other dangers. But unlike eggs, which cannot be recovered if stolen or damaged, data is retrievable.…
In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor. A copy of the new law is available here. The most notable changes are as follows: