At the end of March, 2022, the Department of Health and Human Services’ Office for Civil Rights announced penalties and corrective actions in four HIPAA investigations. Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) gives patients control over their protected health information. It bars covered entities from disclosing protected information without the patient’s consent and gives patients the right to request their medical records from providers. Covered entities are generally thought of as health care providers, including doctor’s offices and pharmacies, but also include health plans and healthcare clearinghouses. HIPAA also covers business associates of covered entities, meaning if your organization is handling private health information, you’re likely covered by HIPAA.
In a statement released on March 28, 2022, the Director of the Office for Civil Rights, Lisa J. Pino, urged covered entities to “take their HIPAA compliance responsibilities seriously.” Pino went on to warn that organizations that don’t take those responsibilities seriously may be subjected to expensive penalties. In the four cases that the OCR wrapped up in March, penalties ranged from $30,000 to $62,500. In past years, the OCR has collected more than $28.7 million penalties for HIPAA violations.
The OCR is sending a clear warning here: with protected health information, HIPAA compliance is not optional. A common theme in these most recent enforcement actions is lack of adequate training on HIPAA compliance. Covered entities need to make sure their organizations and staff are aware of all aspects of HIPAA compliance, including privacy, access, and what exactly constitutes protected health information.
The first of the four enforcement actions taken by the OCR was an access violation. Dr. Donald Brockley, a dentist out of Butler, Pennsylvania, had failed to provide a patient with a copy of their medical records after they had been requested. In the settlement agreement, Brockley agreed to pay $30,000 to HHS, train his staff on HIPAA compliance, with special attention paid to patients’ right of access, and provide the affected patient with their medical records.
OCR’s second enforcement action involved another dental practice, U. Phillip Igbinadolor, D.M.D. & Associates, P.A., in North Carolina. This practice was found to violateHIPAA by disclosing a patient’s protected health information publicly in response to a negative online review. The patient’s review had been anonymous, and the practice responded by posting information that could identify the patient—a privacy violation under HIPAA, as a patient’s identifiable information cannot be released without the patient’s consent. The practice did not respond to a subpoena and waived their rights to contest the hearing. HHS issued a $50,000 penalty. Had the staff at this practice been properly trained in HIPAA compliance, they’d likely have had a better understanding of what constitutes protected health information and understood that posting it online in response to a review is not only unethical but can also carry hefty penalties.
The third enforcement action was against Jacob & Associates, a psychiatric service provider in California. This enforcement action was a response to a right of access violation. A patient requested their medical records but did not receive a timely response. Because of this, HHS ordered Jacob & Associates to pay $28,000 and take “corrective actions” including revising their compliance training materials. While right of access isn’t often something people think about in regards to HIPAA, it is still important to properly train staff on this topic..
The OCR’s fourth enforcement was against Northcutt Dental in Fairhope, Alabama. The owner of the practice, David Northcutt, had decided to run for state senate office in Alabama. In his attempts to build support for his senate run, he handed over protected health information, including names and addresses to a third party marketing company and campaign manager. Northcutt had intended to send letters to 3,657 of his patients advertising his run for office. This is a clear violation of HIPAA as Northcutt, a covered entity, had provided patient’s identifiable and protected health information to a third party that was not covered by HIPAA. While Northcutt likely thought patient’s names and addresses were not protected health information, had he taken a more robust HIPAA compliance training program he would have learned that all identifiable information for patients—including information that may seem innocuous like names—are in fact, protected health information. The practice was ordered to pay $62,500 and seek approval for their compliance training programs.
These four enforcement actions highlight the importance of providing HIPAA training to all relevant employees. If you are a covered entity, you are required to provide training to employees who have access to health information. Poorly designed training programs can lead to gaps in employees’ HIPAA knowledge. There’s little room for mistakes or gaps in knowledge when it comes to HIPAA compliance, mistakes can lead to your organization paying expensive fines and suffering harm to its reputation.
Your first line of defense against expensive and dangerous mistakes is effective and comprehensive HIPAA compliance training. That’s why you need to make sure your staff are getting the proper training when it comes to HIPAA compliance. Training programs should cover all aspects of HIPAA—including HIPAA’s privacy, right of access, and security rules, as well as what constitutes protected health information.
Training on the HIPAA Privacy Rule and the HIPAA Security rule should be provided to all executives, managers, employees, providers, administrative personnel, and anyone else who might become involved in handling protected health information on behalf of a covered entity.
Organizations should train not only their employees but also any agents or third parties that might knowingly or unknowingly violate HIPAA requirements in the course of their work.
Clear Law Institute offers comprehensive and thorough HIPAA training for covered entities around the country. Schedule your free consultation here.
Simple mistakes made in the hiring process could be costly in more ways than one. Not only could you be turning away star employees, you could also end up paying handsomely for it.Read More