Unauthorized Disclosures of PHI Result in HIPAA Civil Financial Penalty and Settlement Settlement

HHS’s Workplace for Civil Rights (OCR) has introduced decision of two enforcement actions involving disclosures of protected well being info (PHI) in alleged violation of the HIPAA privateness rule. Within the first motion, OCR imposed a $50,000 civil financial penalty as a result of a well being care supplier disclosed PHI in response to a affected person’s adverse on-line assessment. Though the affected person had used a pseudonym to masks his id when posting the assessment, the supplier’s on-line response disclosed the affected person’s actual title and particulars concerning the affected person’s situation and remedy. After the affected person complained to OCR, OCR requested info from the supplier, who acknowledged posting the response, declined to take away the response from its webpage, and didn’t furnish OCR with related insurance policies and procedures. OCR knowledgeable the supplier that the disclosure violated the privateness rule and requested monetary info vital to find out an acceptable sanction. The supplier refused to supply the monetary info, contending that the requested paperwork didn’t “relate to HIPAA.” The supplier failed to reply to administrative subpoenas and didn’t take part in makes an attempt to resolve the matter by casual means. OCR decided that the suitable penalty tier was for a violation dedicated with “willful neglect and never corrected,” requiring a minimal penalty of $50,000 per violation. Discovering a single violation, OCR proposed a $50,000 penalty. As a result of the supplier didn’t request a listening to, the penalty grew to become ultimate.

Within the second motion, a supplier agreed to pay a $62,500 settlement after disclosing lists of sufferers to a marketing campaign supervisor and a advertising and marketing firm helping the supplier with fundraising for his political marketing campaign. Two marketing campaign mailings have been despatched to a complete of greater than 5,000 sufferers. OCR asserted that the supplier violated HIPAA by making the unauthorized disclosures, failing to designate a privateness officer, and failing to implement privateness or breach notification insurance policies and procedures. Along with the cost, the supplier agreed to a corrective motion plan (CAP) requiring assessment and revision of HIPAA privateness insurance policies, together with provisions associated to makes use of and disclosures of PHI, the minimal vital normal, enterprise associates, and coaching; all safety rule safeguards; and all breach notification necessities. After approval by HHS, the up to date insurance policies and procedures should be distributed to current and new workforce members inside specified timelines. Workforce members should be skilled on the up to date insurance policies and procedures after HHS approves the coaching supplies. The supplier should submit two annual reviews documenting compliance with the CAP, together with proof demonstrating that the supplier applied safety measures in response to its most up-to-date danger evaluation and danger administration plan.

EBIA Remark: These enforcement actions illustrate why it’s essential for all well being care suppliers, well being plans, and enterprise associates to know core HIPAA ideas—beginning with having the ability to acknowledge PHI. Though it might appear notably unfair not to have the ability to present an in depth response to public criticism, OCR has made its place on this concern clear in prior decision agreements, together with one involving social media (see our Checkpoint article) and one involving newspapers (see our Checkpoint article). Until a use or disclosure of PHI is for remedy, cost, or well being care operations, a person’s authorization is often vital. For extra info, see EBIA’s HIPAA Portability, Privateness & Safety handbook at Sections XXII.A (“What Info Is Protected?”) and XXVI (“Core Privateness Requirement #1: Use and Disclosure Guidelines”). You might also be keen on our webinar “Sensible Utility of HIPAA Use and Disclosure Guidelines for Group Well being Plans” (recorded on 8/12/21).

Contributing Editors: EBIA Workers.