The US Department of Health and Human Services, Office for Civil Rights (OCR), is the chief enforcer of HIPAA. The Office’s recent enforcement action against a Massachusetts dermatology practice is illustrative of how the government views HIPAA and how exposed medical practices are.
Adult & Pediatric Dermatology, P.C. self-reported a HIPAA breach: the theft, from a staff member’s vehicle, of an unencrypted thumb drive holding over 2,000 patients’ information relating to Mohs surgery. The thumb drive was never recovered. The practice notified all of its patients within 30 days and also provided the requisite media notice. Here are the faults the government found:
1. The practice had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of its electronic Protected Health Information (ePHI) until after the theft; the Security Rule requires that risk analysis up front, not as a reaction to an incident;
2. The practice had not fully complied with the administrative requirements of the Breach Notification Rule: it lacked written policies and procedures and had not trained its office staff on them;
3. The practice impermissibly disclosed the ePHI by allowing an unauthorized individual access to it for a purpose not permitted by the Privacy Rule.
Because of the foregoing, the government required the practice to:
A. Pay $150,000; and
B. Enter into and comply with a corrective action plan.
HIPAA protects Protected Health Information (“PHI”) and imposes privacy and security obligations on “covered entities.” It attempts to balance confidentiality against the need for communication between providers. Too much protection could gum up the works and defeat the data-sharing goals of healthcare reform.
A few definitions would help:
“Protected Health Information” is essentially any individually identifiable information (in any form) that is created or received by a healthcare provider, health plan, etc. and that relates to a person’s past, present, or future health condition, the health care provided to that person, or payment for that care.
A “covered entity” is a healthcare provider, health plan or healthcare clearinghouse.
A “business associate” is an individual or entity that performs, on behalf of a covered entity, any function or activity involving the use or disclosure of PHI, and which is not a member of the covered entity’s workforce.
Among other things, the HITECH Act (the 2009 law that amended HIPAA) extends HIPAA’s privacy and security obligations directly to business associates. In addition to granting patients greater rights and access to their PHI, the law:
1. Prohibits the sale of PHI;
2. Enables patients who pay for a service out of pocket to prohibit their provider from sharing PHI about that service with their health plan;
3. Requires HIPAA covered entities and business associates to notify affected individuals of any breach of their unsecured PHI without unreasonable delay, and in no case later than 60 days after discovery. Florida’s state breach-notification law is stricter, allowing just 45 days; and
4. Requires breaches involving 500 or more individuals to be reported to HHS at the time of the individual notices, and breaches affecting more than 500 residents of a state to be reported to the media as well. Smaller breaches are logged and reported to HHS annually.
The law is confusing and complex. Covered entities should have a detailed decision tree to follow to ensure compliance. That said, they should be aware that the following do not constitute a HIPAA breach:
1. Unintentional, good-faith acquisition, access, or use of PHI by a workforce member acting within the scope of their authority, provided the PHI is not further used or disclosed impermissibly;
2. Inadvertent disclosure of PHI by a person authorized to access it at a covered entity or business associate to another person authorized to access it at the same organization;
3. Unauthorized disclosures in which the recipient would not reasonably have been able to retain the PHI; and
4. Access to secured PHI, meaning PHI that has been encrypted or destroyed in a manner consistent with HHS guidance. This last exception is the practical lesson of the dermatology case: had the stolen thumb drive been encrypted consistent with that guidance, with the key kept off the device, its contents would have been secured PHI and the theft would not have been a reportable breach.