The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two settlements with HIPAA-covered entities – one in Washington State and one in New Jersey with settlements of $240,000 and $30,000, respectively. In the Washington State settlement, hospital security guards impermissibly accessed the medical records of 419 individuals. In New Jersey, a health care provider disclosed the diagnosis and treatment of a patient's mental health condition in response to a negative online review. While both covered entities admitted no wrongdoing as part of the settlement, they each entered into corrective action plans with HHS. These two settlements are expensive and timely reminders that covered entities must maintain PHI in a HIPAA compliant manner.

​What You Need to Know:

 This alert answers three key questions pertaining to these two new HIPAA settlements:

• Why will snooping in medical records cause a HIPAA compliance issue?
• Why will providing a patient's PHI in response to a negative online review cause a HIPAA compliance issue?
• Why is it so important to have HIPAA policies in place and regular training for members of the entity's workforce?
   

In May 2018, OCR commenced an investigation that 23 security guards working in the hospital's emergency department used their login credentials to access patients' PHI through the hospital's electronic medical record system without any job-related purpose.

As part of the $240,000 settlement, the hospital entered into a two-year corrective action plan (CAP) requiring it to do each of the following:

• Conduct an enterprise-wide analysis of security risks relating to all electronic PHI
• Develop a risk management plan to address and mitigate security risks
• Develop, maintain and revise as necessary its HIPAA privacy and security policies
• Distribute its policies and procedures to its workforce members
• Update its security training program
• Review each of its business associate relationships and provide a report to HHS

In April 2020, OCR received a complaint that a health care provider impermissibly disclosed a patient's PHI following the patient's negative online review of the provider. OCR's investigation uncovered that the provider impermissibly disclosed the PHI of three additional patients in response to their online reviews.

In addition to a payment of $30,000, the provider entered into a two-year CAP and must do each of the following:

• Develop, maintain and revise its HIPAA privacy policies and procedures
• Ensure these policies and procedures specifically address permissible and impermissible uses and disclosures of PHI
• Apply and document appropriate sanctions against members of its workforce who fail to comply with the policies and procedure

The Washington State CAP and Resolution Agreement can be reviewed here and the New Jersey CAP and Resolution Agreement can be reviewed here.

Of course, it is easy to suggest that neither of these covered entities should have engaged in this conduct. Hospital security guards accessing hundreds of patient records defies logic. Similarly, posting patients' PHI in response to negative online reviews may be tempting, but certainly is inappropriate. Robust policies and procedures and training of all workforce members are critical elements of ensuring HIPAA compliance.