OCR Imposing Fines on Smaller Providers for HIPAA Violations
The Office for Civil Rights (“OCR”), a division of the Department of Health and Human Services (“HHS”), is responsible for investigating complaints and reports that covered entities (i.e., health plans, health care clearinghouses, or health care providers that conduct certain electronic transactions) or business associates have violated either the HIPAA Privacy or Security Rule. The HIPAA Privacy and Security Rules exist to safeguard Protected Health Information (“PHI”) that is held, used, or disclosed by covered entities and their business associates. Generally, any individually identifiable health information held by or that is within a covered entity’s or its business associates’ control is considered PHI, and any non-permitted release of PHI is considered a HIPAA violation.
Historically, the OCR has investigated and sanctioned larger covered entities and business associates in connection with HIPAA violations that affect the PHI of 500 or more individuals. OCR’s recent settlement agreement with Anthem, which corresponded to the much-publicized 2015 cyber-attack on Anthem’s information systems compromising the PHI of over 79 million individuals, is a good example of OCR’s normal enforcement activity (with the exception of the $16 million fine, the largest to date for a HIPAA violation). However, since 2015, the OCR has placed emphasis on investigating and at times fining smaller covered entities for breaches affecting fewer than 500 individuals (after a report issued by the HHS Office of Inspector General found that the OCR had typically not investigated such breaches). Two recent fines issued by the OCR illustrate this emphasis.
The first was issued against Allergy Associates of Hartford, P.C. (“Allergy Associates”), which is comprised of four physicians and two mid-level providers. The settlement agreement, announced on November 26, 2018, requires Allergy Associates to pay a $125,000 fine and enter into a two-year corrective action plan (“CAP”) with the OCR. The incident leading to the alleged violation involved a patient who tried to enter Allergy Associates for treatment while accompanied by her service dog. Upon seeing the dog, an Allergy Associates physician turned the patient away, advising the patient that he and many of his patients were allergic to dogs. The patient thereafter contacted a local media outlet about what happened, and also filed a complaint with the Department of Justice alleging that Allergy Associates violated her civil rights under the Americans with Disabilities Act. A physician from Allergy Associates later spoke with a reporter from the media outlet (off the record) regarding the incident and disclosed the patient’s PHI. Despite the fact that the reporter was already familiar with the incident, the physician’s statements to the reporter concerning the patient violated HIPAA, as he did not have her prior written authorization to disclose the information. Moreover, and despite an obligation under HIPAA to do so, Allergy Associates made no attempt to sanction the doctor internally.
The second was issued against Advanced Care Hospitals P.L. (“ACH”), an entity that provides contracted internal medicine physicians to hospitals and nursing homes and that, at the time of the incident, had between 39 and 46 employees. The settlement agreement, which was announced shortly after Allergy Associates’, requires ACH to pay a $500,000 fine and implement a two-year CAP. The incident itself involved the potential compromise of PHI belonging to between 400 and 8,885 individuals. The events leading to the incident occurred after ACH entered into a contract with a purported representative of a billing company. During its investigation, OCR found that not only did ACH fail to properly vet the “representative,” it did not enter into a business associate agreement (“BAA”) with him before he was engaged to perform work (that involved the use of PHI) on ACH’s behalf – a fundamental HIPAA requirement.
These fines and CAPs demonstrate that all covered entities and business associates must be diligent about complying with HIPAA rules and regulations. Seemingly small violations such as speaking to the media off the record (even regarding information the media already knows), failing to conduct a proper risk analysis of a new business associate, and/or failing to execute a BAA can lead to fines that are potentially detrimental to small health care businesses.
It is critically important that covered entities and their business associates take appropriate steps to ensure their conduct is compliant with HIPAA. As the above matters demonstrate, the unpermitted disclosure of a single individual’s PHI can result in government sanctions. If you or your health care entity has any questions about safeguarding PHI, how to remain compliant with HIPAA and HITECH, or any other related questions, please contact an experienced health care attorney at (248) 544-0888, or via email at firstname.lastname@example.org. You may also subscribe to our health law blog by adding your email at the top right of this page.