An important topic in the healthcare industry is the increasing focus on enforcement of HIPAA law and the growing scale of that enforcement. Let’s look at how a Tennessee hospice serves as an example of making the news even when just a few records are compromised:

  • Setting an example
  • HIPAA on the highway
  • Act locally first
  • Don’t be an example

Setting an example

In what seems to be a similar pattern to the DOT National Highway Traffic Safety Administration’s incredible uptick in car recalls during 2014, the HHS Office of Civil Rights legal team publicly predicted that the number and dollar amount of healthcare settlements would be increasing through this summer.

Specifically, Chief Regional Civil Rights Counsel Jerome B. Meites said that the degree of enforcement that had occurred between June 2013 and June 2014 – which totaled $10 million in settlements, including a record $4.8 million agreement – would “pale in comparison to the next 12 months.”

HIPAA Wall of Shame

Many of the high-profile cases investigated by the federal government are featured on a public webpage that some healthcare technologists now call the “HIPAA Wall of Shame.” In that way, organizations that experience large-volume breaches (affecting 500 or more people) serve as examples of what not to do.

However, sometimes a TV news report serves as a Wall of Shame, even for minor breaches.

HIPAA on the highway

An ex-employee of a hospice did not destroy protected health information as the law demands, resulting in a critical investigative news segment.

When Sandra Rambo found medical records while walking with her daughter at the side of a highway, she knew immediately that it violated patient healthcare protections. The pair found almost two dozen hard-copy documents from Amedisys, representing 17 different patients. Rambo called her local news station, WJHL, to discuss the documents, including name and contact information, medical diagnoses and symptoms, and various “other private patient details regarding hospice visits.” The documents were from 2010.

A spokesperson for Amedisys, also interviewed by WJHL, said that a previous staff member hadn’t destroyed the documents per the hospice’s policy.

Act locally first

The news show also reached out to Rachel Seeger, senior advisor for public affairs and outreach at the HHS Department (which oversees the OCR). Seeger said that typically when an organization is noncompliant with healthcare law, the OCR helps guide them toward solutions that will keep their patient data secure.

It is rare that a settlement must be signed between HHS and the violating party, but that does sometimes occur – see the $10 million of settlements indicated above. In these cases, a resolution agreement is signed by HHS and the healthcare company, stating that the latter will conduct specific tasks (such as employee education) and give updates regularly to the agency, typically for 36 months. Throughout that probationary window, the OCR carefully determines if the firm is taking proper steps toward compliance. Additionally, “a resolution agreement likely would include the payment of a resolution amount,” commented Seeger. “These agreements are reserved to settle investigations with more serious outcomes.”

The importance of a small breach

Although the government typically focuses on cases in which hundreds or thousands of records are exposed, Rambo did not think that the seemingly accidental misplacement of a few files was trivial. She was incredibly passionate about the issue because one of the 17 files was that of a man who lived nearby and had recently passed away.

Rambo told the news reporter that HIPAA was put into effect so that medical establishments would become hyper-aware of privacy and security, preventing these types of incidents. Referring to healthcare practices, she said, “They’re supposed to prevent this from getting in the public’s grasp.”

Response from Amedisys

According to a representative for Amedisys, the company gathered all the files in Rambo’s possession and is reviewing how the breach occurred to avoid additional exposure.

The representative told WJHL that the organization is abreast of HIPAA law, with all medical records digitally encrypted since 2012. As healthcare security consultants advise, the hospice also has comprehensive data policies and procedures in place.

The policy currently in writing at Amedisys demands that employees immediately shred all paperwork following any visit. As might be expected, the person who dumped the documents at the side of the road was acting outside that policy. Amedisys said, “It does not appear that this former employee followed our normal protocols.”

The facility is giving patients affected by the breach free subscriptions to credit tracking services. They are also retraining their staff.

What can you learn from this incident?

Although the notion of a data breach may initially sound complex, like hackers carefully working their way into a system, HIPAA violations are often the result of simple, day-to-day mistakes. If a disgruntled staffer’s employment has been terminated, they may still accidentally log in or otherwise access records. Alternately, someone still on staff may not understand the need to shred immediately and completely.
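The first of those two mistakes, a terminated employee who can still sign in, is one that a covered entity can check for mechanically. The script below is an added example, not code from the original article or from Amedisys, and every name, date and audit line in it is constructed for illustration. It reconciles an HR termination list against an account directory export and an application audit log, reporting accounts that remain enabled after the owner’s termination date and any login attempts (successful or failed) made after that date. The log format, `<ISO timestamp> LOGIN user=<id> result=<ok|fail>`, is an assumption; a real EHR system will have its own audit format.

```python
"""
Added example: reconcile an HR termination list against active accounts and a
login audit log to find (a) accounts still enabled after termination and
(b) login attempts by terminated users after their termination date.
All names, dates and log lines are constructed for illustration.
"""
from datetime import date, datetime

# Constructed HR feed: user id -> termination date
TERMINATIONS = {
    "jdoe": date(2014, 6, 30),
    "msmith": date(2014, 5, 15),
}

# Constructed account directory export: user id -> account enabled?
ACCOUNTS = {
    "jdoe": True,     # terminated but never disabled: the gap we want to catch
    "msmith": False,  # terminated and correctly disabled
    "alee": True,     # current employee
}

# Constructed audit log, assumed format: "<ISO timestamp> LOGIN user=<id> result=<ok|fail>"
AUDIT_LOG = """\
2014-07-01T08:02:11 LOGIN user=alee result=ok
2014-07-02T19:45:03 LOGIN user=jdoe result=ok
2014-05-14T09:00:00 LOGIN user=msmith result=ok
2014-05-20T22:13:40 LOGIN user=msmith result=fail
""".splitlines()


def stale_accounts(accounts, terminations, as_of):
    """User ids terminated on or before `as_of` whose account is still enabled."""
    return sorted(
        user for user, enabled in accounts.items()
        if enabled and user in terminations and terminations[user] <= as_of
    )


def parse_login(line):
    """Parse one audit line in the assumed format into (timestamp, user, result)."""
    timestamp, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(timestamp), fields["user"], fields["result"]


def post_termination_logins(log_lines, terminations):
    """(user, timestamp) for every login attempt dated after the user's termination.

    Failed attempts are kept as well: an attempt after termination is itself a
    signal worth reviewing, whether or not the account let the person in.
    """
    hits = []
    for line in log_lines:
        timestamp, user, _result = parse_login(line)
        terminated_on = terminations.get(user)
        if terminated_on is not None and timestamp.date() > terminated_on:
            hits.append((user, timestamp))
    return hits


def run_checks(accounts, terminations, log_lines, as_of_iso):
    """Run both checks and return plain, serialisable results."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "stale_accounts": stale_accounts(accounts, terminations, as_of),
        "post_termination_logins": [
            (user, ts.isoformat()) for user, ts in post_termination_logins(log_lines, terminations)
        ],
    }


if __name__ == "__main__":
    report = run_checks(ACCOUNTS, TERMINATIONS, AUDIT_LOG, "2014-07-31")
    for user in report["stale_accounts"]:
        print(f"still enabled after termination: {user}")
    for user, when in report["post_termination_logins"]:
        print(f"login attempt after termination: {user} at {when}")
```

In practice the HR feed, the directory export and the audit log would be pulled from their real sources on a schedule, and a non-empty result from either check is a deprovisioning failure to fix the same day, since every day such an account stays open is a day of unauthorized access waiting to be logged.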

Don’t be an example

You may want your company to be an example of healthcare success. Still, you don’t want it to be an example of healthcare violation, like a system of Minnesota healthcare providers that exposed almost 2000 identities after records were accidentally dumped in the trash rather than being shredded.

Partner with a knowledgeable business associate, one that is now fully responsible under the 2013 Final Omnibus Rule for the compliance of your HIPAA Compliant Hosting. We also offer many popular additional hosting options like Windows VPS Hosting or Dedicated Hosting.