Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million in publicized settlements and judgments for HIPAA violations in 2018. This surpasses every previous year; the closest year on record is 2016, in which HHS collected $23.5 million. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to attain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018. These numbers simply represent the larger, more notable settlements and judgments. In fact, HHS took corrective action against countless health care providers, health plans and business associates last year, and it does not appear that these numbers will decrease in 2019. As of February 22, 2019, HHS has officially begun investigating over 50 entities for large-scale breaches. For more information on these investigations of breaches affecting 500 or more individuals, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities that breach the PHI of 500 or more people, to demonstrate transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactive monitoring of electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about its mandate to protect the privacy and security of PHI. Its record demonstrates that it can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations. This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients. If you are unsure whether your HIPAA compliance program is adequate, or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Looking Forward to Retirement? Solo Practitioners Can Still be HIPAA Compliant as You Close the Doors

Maybe you’ve been planning for retirement for some time or perhaps you’ve had a bad month and have decided that you’re better suited for life on the lake. In either circumstance, when you get ready to leave your practice and wind down your affairs, don’t forget that you still have responsibilities pursuant to state and federal laws and regulations and those obligations don’t cease just because you won’t be returning to the office.

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) require providers to ensure the confidentiality, integrity and availability of their patients’ protected health information (PHI). Thus, providers are tasked with preventing unauthorized access to PHI, ensuring that their records are not inappropriately altered or destroyed, and assuring that the records are available to the patient or other authorized individuals or entities.

Patient Notification

Pursuant to Alabama law, “When a physician retires, terminates employment or otherwise leaves a medical practice, he or she is responsible for ensuring that active patients receive reasonable notification and are given the opportunity to arrange for the transfer of their medical records.”[1] The law does not specifically define how much time is considered “reasonable”; thus, the type of practice or scope of services provided should be considered in determining reasonable notice. In all instances, notification should be provided in a manner that allows the patient adequate time to act upon it and either obtain a copy of their records or find a new physician.

Patient notification should be provided via U.S. mail and should include the following:

  • The date that the practice intends to close;
  • How the individual may obtain a copy of their medical record or have their records transferred to another physician; and
  • Contact information for the new physician if the patient records are being transferred to another physician without the patient’s consent. (Note: The retiring physician should enter into a Business Associate Agreement (BAA) with the purchasing physician to permit the purchasing physician to obtain and maintain the aforementioned patient records. By virtue of that agreement, the purchasing physician is acting as a custodian of records and is required to ensure the confidentiality, integrity and availability of those patient records regardless of whether the patient decides to utilize the purchasing physician for their treatment services. Pursuant to HIPAA, the purchasing physician cannot utilize those patient records unless and until the patient consents.) Alternatively, if the records are not being transferred to another physician, the notice should inform the patient of where the records will be located after closure, how long they will be retained, and contact information to make record requests.

Tip #1: While not required, it is suggested that patient notification be sent via certified mail, return receipt requested to the patient’s last known address. This allows the retiring physician to place those receipts in the patient files to demonstrate the attempt to notify the patient of the retirement or closure.

Tip #2: Don’t forget about the patient’s right to confidential or alternative communications when performing the mail-out. If your practice has agreed to a reasonable request from a patient to receive communications by alternative means, you must ensure that you honor that request; for example, a patient may have asked you to use a particular P.O. box instead of their home address.

Malpractice Carrier Notification

At the top of your list of entities to notify should be your medical malpractice carrier. Your medical malpractice carrier can give you a tremendous amount of guidance, and many offer a checklist that you can use to ensure that you are covering all of the steps that will keep you eligible for coverage at the time of closure and beyond. Be sure to ask them about any extended malpractice coverage that can be considered for allegations of medical malpractice that may arise after closure.

Sale v. Closure

When a practice is sold to another physician, the aforementioned BAA between the retiring physician and the purchasing physician may be utilized for the appropriate maintenance and availability of records. But when a practice closes, it is often necessary for the retiring physician to contract with an outside entity to maintain the records and ensure their future availability in accordance with HIPAA and state laws. Finding the right record management company is essential in this circumstance, in addition to entering into the required BAA.

Whether you enter into a BAA with a purchasing physician or record management company, ensure that the agreement includes provisions relating to record retention and disposal applicable to the types of records your practice utilizes. For example, there are special rules for mental health, substance abuse, and notifiable disease records. As the BAA is being drafted, attorneys and compliance experts should be consulted to ensure that appropriate provisions are included.

Closing Won’t Allow You to Escape HIPAA Fines

On Feb. 13, 2018, the Department of Health and Human Services announced a settlement with Filefax, Inc. for $100,000. It was determined that Filefax, a medical record storage company, inappropriately handled the medical records of approximately 2,150 patients by not ensuring that the records were secure. “The careless handling of PHI is never acceptable,” said OCR Director Roger Severino. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.” Though Filefax closed its business, HHS was able to secure settlement proceeds via an appointed receiver which “liquidated its assets for distribution to creditors and others.”

Whether you are currently facing the prospect of retirement or whether it is still on the horizon, it’s never too early to speak with a health care compliance professional about the appropriate steps to take to ensure compliance with state and federal laws.

[1] Alabama Board of Medical Examiners Rule 540-X-9-.10(3)


Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page