Archive for HIPAA News
The wife of a murdered high school football coach urged Congress during testimony April 26 to update HIPAA to prevent further tragedies.
In June of 2009, a former player of coach Ed Thomas of the Aplington-Parkersburg High School football team in Parkersburg, Iowa, walked into a summer training session in the high school’s weight room and shot Thomas several times. The coach died later that day. The player was sentenced to life in prison in 2010.
According to the testimony of Jan Thomas, the former player, Mark Becker, had been released from a hospital 24 hours earlier without anyone’s knowledge despite law enforcement authorities requesting the hospital alert them. Becker had rammed his car into the garage of an acquaintance and tried to break his way into the house with a baseball bat, Thomas told Congress. When police arrived, he fled in his car, leading law enforcement on a high-speed chase. When the police apprehended him, he was taken to an area hospital for psychological evaluation.
No one knew Becker was released, she said.
“Law enforcement was not notified, even though they had requested the hospital let them know when he was being dismissed,” Thomas said. “The hospital’s justification for not notifying law enforcement prior to his release was that HIPAA prevented this disclosure. Even his parents didn’t know until he called them later that evening. No one knew he had been released, but Mark’s privacy had been protected.”
Adults with severe mental illnesses are not always able to make good choices for themselves concerning their treatment or their actions, Thomas said, adding they may need the help of a family member or other responsible parties to be sure they receive required treatment.
“Due to HIPAA, even Mark’s parents were unable to get requested information or help make decisions for his treatment,” Thomas said. “I ask you. Is the privacy of one individual more sacred than a life? Is it more important than the welfare of the general public? Is it more important than allowing our law enforcement to know when a potentially violent offender is being released back into the very communities they risk their own lives to protect?”
The U.S. Attorney’s office in Eastern New York announced April 10 that an owner and officer of a medical equipment company was sentenced to 12 years in federal prison.
Helene Michel, 45, was convicted after a three-week jury trial in August 2012 of conspiracy to commit healthcare fraud and HIPAA identity theft crimes. At the sentencing Judge Joseph F. Bianco also ordered that Michel forfeit $1.3 million that was seized by the government at the time of her indictment.
According to the evidence at trial, between approximately April 2003 and March 2007, Michel owned and operated Medical Solutions Management, Inc., located in Hicksville, N.Y. Michel used her position as a medical equipment company owner to enter nursing homes in Nassau, Suffolk, Queens, Kings, and Dutchess counties in order to access and steal patient records.
During the scheme, Michel also falsely assumed a number of roles, including posing at various times as a doctor, a nurse practitioner, and a wound care expert. At times, in her false roles, Michel even accompanied doctors on patient evaluation rounds. Thereafter, Michel used the records that she stole to create and submit $10 million in false billings to Medicare for medical supplies and products that were either not required or not delivered.
Michel spent the Medicare funds that she stole through false claims and identity theft on her own personal interests, including a multi-million dollar home on Long Island’s North Shore, a half-million dollar pension account, and personal items such as luxury cars and designer handbags. Michel’s co-defendant Etienne Allonce, the co-owner of MSM, was also charged in the indictment and is believed to have fled from the United States. He remains a fugitive, listed on HHS OIG’s Most Wanted List.
Privacy and security officers got their marching orders when HHS released the long-awaited new HIPAA “Omnibus Rule” in January.
To comply with the final rule, healthcare organizations need to get working on a number of activities. The rule is enforceable 180 days from its publication in the Federal Register January 25, giving organizations until September 23 to get into compliance.
Each healthcare organization will need to determine where its priorities lie, depending on its current HIPAA compliance program.
“There’s work here for probably everyone,” says Phyllis A. Patrick, MBA, FACHE, CHC, president of Phyllis A. Patrick & Associates, LLC, in Purchase, N.Y. “But this is not all new if you have a compliance program. Take it in steps. I think it is all doable.”
So where can you get started with the 563-page final rule? HIPAA consultants and attorneys advised taking the following steps:
1. Conduct a risk analysis. You’ve heard it many times before, but a risk analysis is a good starting place, says Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, in Portland, Ore. By conducting a risk analysis, you will determine what specific risks your organization faces. From there, you can create your own list of actions you need to take and set priorities. With a risk analysis, you will find out whether you are missing a particular policy or need to update a certain procedure.
Make sure your risk analysis reflects vulnerabilities highlighted in recent HHS guidance, such as the threat to the security of PHI from mobile devices, says Adam H. Greene, JD, MPH, a partner in Davis Wright Tremaine, LLP’s Washington, D.C., office. “HHS has made clear the risk assessment is a high priority,” he says.
Police wanted to find a missing 81-year-old man. But HIPAA wouldn’t let them.
Officials at Salem (Ore.) Hospital wouldn’t confirm the man was a patient when police originally came looking, according to a March 8 Statesman Journal article.
“It’s a cumbersome law,” Salem police Lt. Steve Birr said. “When I managed the missing persons caseload, one of the difficult things is that we have people with mental illnesses, and they could end up in a mental health facility and you would never know it and they would never tell you.”
According to the March 8 Journal article, neighbors reported Thomas Dill missing to police after they noticed his absence from their apartment complex. Police weren’t concerned about Dill’s mental health, but they worried that the 81-year-old, who is diabetic, could have experienced a medical emergency that led to his disappearance.
When police called area hospitals to see whether Dill was a patient, Salem Hospital said they couldn’t answer the question because it was PHI.
Police learned Dill was a patient at Salem Hospital two days later thanks to a tip from an anonymous caller.
He’s since been transferred to an adult care facility.
A Massachusetts city’s ambulance service announced March 14 a data breach incident affecting records of a number of ambulance patients.
Advanced Data Processing, Inc./Intermedix, which manages billing for the Gloucester (Mass.) Fire Department Ambulance Service, learned on October 1, 2012, that one of its employees improperly accessed and disclosed certain patient account information in connection with a scheme to file false federal tax returns. Accessed account information included name, date of birth, Social Security number and record identifier, but no medical information was accessed.
The employee was apprehended by authorities, immediately terminated and no longer has access to company systems. The company also thoroughly investigated the matter.
To help minimize the risk of future data breaches, the company is making its employees aware of this incident and the consequences to the individual involved and reminding its employees of the importance of maintaining the security and confidentiality of individual records.