The first penalties of the year from the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) highlight how human error, often rooted in a misunderstanding of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, leads to violations. On March 28, 2022, OCR announced enforcement actions in four cases.
Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of such enforcement actions to 27 since the initiative began. OCR created the initiative to support individuals’ right to timely access to their health records at a reasonable cost. The other two enforcement actions stem from health care providers impermissibly disclosing their patients’ protected health information (PHI).
Monica McCormack, Director of Content Strategy for The Compliancy Group, Greenlawn, New York, said HHS has been largely focusing on privacy violations, and it will likely continue to focus on the right of access and small businesses in its enforcement efforts. “With these latest fines, one of the biggest takeaways is that each fine issued resulted from a single incident. The message this is sending to physicians is no practice or mistake is too small to show up on HHS radar,” McCormack said.
OCR took enforcement action against Donald Brockley, DMD, a solo dental practitioner in Butler, Pennsylvania, who was accused of failing to provide a patient with a copy of their medical record, according to an HHS press release. After being issued a Notice of Proposed Determination, Dr Brockley requested a hearing before an administrative law judge. The matter was settled before the judge issued a ruling; under the settlement agreement, Dr Brockley agreed to pay $30,000 and take corrective actions.
D.M.D. & Associates, P.A., a dental practice with offices in Charlotte and Monroe, North Carolina, was accused of impermissibly disclosing a patient’s PHI on a webpage in response to a negative online review, according to the HHS press release. OCR imposed a $50,000 civil money penalty. Jacob and Associates, a psychiatric medical services provider with two offices in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations.
Northcutt Dental-Fairhope, LLC, a dental practice in Fairhope, Alabama, impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign. It agreed to take corrective action and pay $62,500 to settle potential violations.
“HIPAA has a lot of room for improvement,” McCormack said. “The law is unclear, especially for small practices. Newer areas of compliance, such as cybersecurity, have caused even more confusion within the regulation.” Recently, the HHS issued a request for information to gain a better insight into how healthcare businesses currently are implementing security practices. McCormack said HHS is taking this action in an effort to improve cybersecurity guidance for medical practices of all sizes.
“The HIPAA requirements were put in place to help protect patients’ information and improve their access to their medical records. Most of the recent fines issued by the HHS were caused by the practices’ lack of knowledge of the law, including patients’ rights to their own data,” said McCormack.
While many practices are increasing their spending on technology, security, and technical safeguards, they are failing to invest in addressing one of the most common causes of HIPAA violations: human error. “You can make every effort to secure PHI, but this won’t prevent human error due to misunderstanding of HIPAA requirements. This is why a complete compliance plan that includes employee training, policies and procedures, among other compliance requirements, is essential to protecting your practice,” McCormack said.
Many small practices focus on the cost of becoming HIPAA compliant, not realizing that the cost of noncompliance is much higher. “The HHS has continued to prove this true, issuing the majority of recent fines to single practitioners. This is not a trend likely to end anytime soon,” McCormack said.
Andrew Tomlinson, Director of Regulatory Affairs for the American Health Information Management Association (AHIMA), a global nonprofit association of health information professionals, said the newly announced penalties continue the trend OCR has established over the last several years.
“We continue to support efforts to modernize HIPAA to reflect the technology investments the health system has made since the HIPAA law was first enacted,” Tomlinson said. “It is important to ensure privacy law reflects the real-world state of healthcare and is aligned with requirements nationwide.”
G. Lawrence Sanders, PhD, a professor in the Management Science and Systems Department at the State University of New York at Buffalo, said there are very few instances in which the Department of Justice (DOJ) has obtained fines and jail time for HIPAA violations. From April 2003 to July 2018, there were 186,453 health information privacy complaints submitted to HHS, he said. Of these complaints, 37,670 were investigated and 26,152 (69%) resulted in corrective actions. Dr Sanders said that, according to the HHS website, OCR has imposed civil penalties of $78,829,182 in just 55 cases.
Individuals who perceive a high probability of being caught are less likely to release private information, Dr Sanders said. However, when the personal context involves a friend or family member, such as a mother, most individuals will probably succumb to the incentive to disclose, regardless of the probability of being caught.
According to Dr Sanders, education is again the key, but not just checking off the “we did this” boxes. It is not enough to have employees complete a web-based or in-person security training class. Professionals, businesses, and employees need to be immersed in gamified security and privacy training, receive feedback, and interact socially with others on privacy and security issues if the training is to be successful.
Physicians should regularly evaluate whether proper safeguards are in place and whether the entire staff is aware of their roles and responsibilities, Dr Sanders said. “Perhaps doctors could be reminded not to disclose any PHI, even when they receive negative online reviews. Such disclosures are a violation of HIPAA regulations.”