Archive for HIPAA Violations
The HIPAA Omnibus Rule changed the breach notification process by introducing a four-factor risk assessment process and requiring covered entities (CE) and business associates (BA) to demonstrate whether the probability that PHI was compromised is low. In response, the Workgroup for Electronic Data Interchange (WEDI) recently released an issue brief that provides breach notification guidance.
The issue brief describes the following processes for establishing probability and requirements for notification:
- Determine whether the data is PHI. If it is not PHI, further breach notification action is not required.
- Determine whether the data is unsecured PHI. No further action is required if the PHI is secured and the organization can document that the method for securing PHI was enabled at the time of the breach. If the breach involved unsecured PHI, proceed to the next step.
- Determine and document whether the incident falls within one of the breach notification exceptions, in which case breach notification is not necessary. If the disclosure does not fall within an exception, proceed to the next step. The exceptions include the following:
  - Unintentional access to PHI in good faith while performing a job that does not result in further impermissible use or disclosure of PHI.
  - Unintentional disclosure of PHI by a CE or BA authorized to access PHI to another person authorized to access PHI at the same CE, BA, or affiliated organized healthcare arrangement.
  - When PHI is improperly disclosed, but the CE or BA thinks that the recipient is unable to retain the information.
An organization that immediately decides to proceed with notification does not need to perform the four-factor risk assessment process. Otherwise, the process is required after a breach of PHI is discovered, according to WEDI. If the probability that PHI was compromised is low, notification is not necessary and the organization should document the process for future reference. WEDI recommends remediation even in the event of a low probability breach determination.
The Puerto Rico Health Insurance Administration (ASES, its Spanish acronym) recently fined Triple-S Salud, Inc., (TSS) $6.8 million for violating HIPAA, according to documents filed with the U.S. Securities and Exchange Commission. The fine exceeds the highest civil monetary penalty imposed by OCR by nearly $2.5 million.
TSS mailed pamphlets that displayed recipients’ Medicare health insurance claim numbers, unique numbers assigned by the Social Security Administration that are considered PHI, to 70,000 Medicare Advantage beneficiaries on September 30, 2013. The fine imposed on TSS, a health insurance subsidiary of Triple-S Management Corporation, is for a breach of the PHI of 13,226 dual-eligible Medicare beneficiaries, according to the filing.
TSS conducted an internal investigation of the breach and reported the incident to agencies of the federal government and Puerto Rico. However, ASES alleged that TSS did not take the required steps when responding to the breach, according to the filing.
ASES also imposed sanctions on TSS that include the suspension of new enrollments of dual-eligible Medicare beneficiaries. TSS must notify affected individuals of their right to unenroll. The health insurer is offering 12 months of free credit monitoring and identity protection services to affected individuals.
The Federal Trade Commission (FTC) recently denied a motion to dismiss a complaint filed by Georgia-based LabMD, Inc., which allegedly violated HIPAA and the FTC Act. LabMD conducts clinical laboratory tests and reports the results to healthcare providers.
LabMD argued that the FTC had no authority over data security practices of covered entities, and therefore moved to dismiss the complaint. The company also argued that the enactment of HIPAA negates Section 5 of the FTC Act, which allows the FTC to investigate the data security practices of private companies, according to the docket. The FTC rejected both claims.
LabMD landed on the FTC’s radar after the company’s billing department manager shared a document containing the PHI of approximately 9,300 patients on a peer-to-peer file-sharing network, according to Bloomberg BNA. The company later came under fire when a police department found that identity thieves were in possession of LabMD documents containing patients’ PHI.
Officials at Phoebe Putney Memorial Hospital in Albany, Ga., recently terminated two employees for HIPAA Privacy Rule violations that led to the theft of a password-protected, unencrypted computer, the Albany Herald reported.
The hospital announced January 3 that a password-protected, unencrypted desktop computer containing PHI of patients treated from May 2010 to October 2013 was missing from its outpatient behavioral health clinic. The computer may have contained patient names, addresses, dates of birth, dates of service, diagnoses, and some Social Security numbers, the article said.
A police report stated that at 7:30 p.m., November 5, 2013, a clinic employee placed a computer in a box, moved it into the hallway, and intended to relocate it to a spare office the following day. However, the box was not where the employee left it when she returned the next day. A janitor reportedly took the box to the dumpster because he thought it was trash, but no one was able to locate it, according to the Albany Herald.
Q: Our organization color-codes patient files according to referral source and type. We use a specific color for Medicaid patients. We use these charts primarily for billing documentation and correspondence purposes because most session notes are on an electronic system. Does using color-coded charts to distinguish patient types violate HIPAA?
A: HIPAA does not prohibit color-coding patient charts. However, ensuring that the color key is not readily accessible to visitors, other patients, and family members is important, as is ensuring that charts are not in plain sight where unauthorized individuals can view patient names. For example, if the charts of patients seeking treatment for HIV/AIDS are uniquely color-coded and an unauthorized individual could easily determine the diagnosis associated with the color, a chart left out where only the patient name is visible could be used to easily identify a patient’s condition. In the end, it’s a matter of securing charts versus the use of colors or numbers to identify classes of patients.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Please email your HIPAA questions to Associate Editor Jaclyn Fitzgerald at firstname.lastname@example.org.