Small medical practices that think they don’t need to worry about HIPAA privacy and security compliance had better think again.
In December 2013, Adult & Pediatric Dermatology, a 12-physician group in Massachusetts, agreed to pay $150,000 to US Health & Human Services for alleged violations of the HIPAA Privacy, Security, and Breach Notification Rules arising out of a lost, unencrypted flash drive containing patient information. In addition to the cash settlement, HHS required the group to implement a corrective action plan, including developing a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities.
Prior to the Massachusetts case, HHS reached a $100,000 settlement with a 5-physician group in Phoenix, Arizona. HHS accused Phoenix Cardiac Surgery, P.C. of a “multi-year, continuing failure … to comply with the requirements of the Privacy and Security Rules.” The practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. In addition, the practice had failed to implement even the most basic requirements of the Privacy and Security Rules – such as appointing a security official or adopting basic policies and procedures to appropriately safeguard patient information.
A review of the HHS website on which the Office for Civil Rights (OCR) posts examples of its enforcement actions reveals that most of the examples involve large hospitals, national drugstore chains, and large health insurance companies. The list of private practices facing enforcement actions appears to be growing, however. Surprisingly, many of the enforcement actions cited on the website deal with a private practice’s misunderstanding of the patient’s right to access his or her own medical records. For example:
- A practice refused to honor an individual’s request for a complete copy of her minor son’s medical record.
- A practice improperly billed a patient a $100.00 “records review fee” in connection with the patient’s request for a copy of his medical record.
- A practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice.
- A physician requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule.
- A private practice physician denied a patient access to her medical records because the patient had an outstanding balance for services the physician had provided.
Each of these cases arose out of a complaint filed with the OCR by an individual patient. And each of these cases involves one of the most basic provisions of the HIPAA Privacy Rule.
The experiences of Adult & Pediatric Dermatology and Phoenix Cardiac Surgery should serve as clear warnings that HHS is not only investigating complaints brought against large health insurers and drugstore chains, but that complaints against small, private practices are going to be investigated and prosecuted as well. Physicians, dentists and other private providers would be well advised to make sure they have the necessary policies and procedures in place to comply with HIPAA and that staff members are being properly trained. If you have an “off the shelf” generic HIPAA manual, Wetherington Hamilton, P.A. has the resources to help you tailor the policies to your practice and to provide you with the necessary staff training. If you don’t have a HIPAA manual or you aren’t providing training to your staff, you are risking big fines.