No Snooping Nor Snitching Are the Key Takeaways From the Two Most Recent HIPAA Settlements With Covered Entities

Saul Ewing LLP


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two settlements with HIPAA-covered entities – one in Washington State and one in New Jersey, with settlements of $240,000 and $30,000, respectively. In the Washington State settlement, hospital security guards impermissibly accessed the medical records of 419 individuals. In New Jersey, a health care provider disclosed the diagnosis and treatment of a patient's mental health condition in response to a negative online review. While both covered entities admitted no wrongdoing as part of the settlement, each entered into a corrective action plan with HHS. These two settlements are expensive and timely reminders that covered entities must maintain PHI in a HIPAA-compliant manner.

What You Need to Know:

This alert answers three key questions pertaining to these two new HIPAA settlements:

  • Why will snooping in medical records cause a HIPAA compliance issue?
  • Why will providing a patient's PHI in response to a negative online review cause a HIPAA compliance issue?
  • Why is it so important to have HIPAA policies in place and regular training for members of the entity's workforce?

In May 2018, OCR commenced an investigation into 23 security guards working in the hospital's emergency department who had used their login credentials to access patients' PHI through the hospital's electronic medical record system without any job-related purpose.

As part of the $240,000 settlement, the hospital entered into a two-year corrective action plan (CAP) requiring it to do each of the following:

  • Conduct an enterprise-wide analysis of security risks relating to all electronic PHI
  • Develop a risk management plan to address and mitigate security risks
  • Develop, maintain and revise as necessary its HIPAA privacy and security policies
  • Distribute its policies and procedures to its workforce members
  • Update its security training program
  • Review each of its business associate relationships and provide a report to HHS

In April 2020, OCR received a complaint that a health care provider impermissibly disclosed a patient's PHI following the patient's negative online review of the provider. OCR's investigation uncovered that the provider impermissibly disclosed the PHI of three additional patients in response to their online reviews.

In addition to a payment of $30,000, the provider entered into a two-year CAP and must do each of the following:

  • Develop, maintain and revise its HIPAA privacy policies and procedures
  • Ensure these policies and procedures specifically address permissible and impermissible uses and disclosures of PHI
  • Apply and document appropriate sanctions against members of its workforce who fail to comply with the policies and procedures

The Washington State CAP and Resolution Agreement can be reviewed here and the New Jersey CAP and Resolution Agreement can be reviewed here.

Of course, it is easy to suggest that neither of these covered entities should have engaged in this conduct. Hospital security guards accessing hundreds of patient records defies logic. Similarly, posting patients' PHI in response to negative online reviews may be tempting, but certainly is inappropriate. Robust policies and procedures and training of all workforce members are critical elements of ensuring HIPAA compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
