News, Private Duty, Regulations

Make sanction policy, hit other marks to avoid big fines for small HIPAA breaches

A recent HIPAA breach that involved transmission of protected health information (PHI) to only one party — a reporter — nonetheless cost a Connecticut practice $125,000, in part because the practice didn’t take simple precautions.

In February 2015, a patient of Allergy Associates of Hartford, P.C., a four-doctor, three-office practice, had talked to a local TV news program about the patient’s provider. A reporter for the station contacted the provider for comment, which, ill-advisedly, the provider gave along with some of the patient’s PHI.

Allergy Associates had deputized a privacy officer, and that officer had instructed the office “to either not respond to the media or respond with ‘no comment,’” according to an HHS statement. But the doctor did, and the office failed to take disciplinary action against the doctor “or take any corrective action following the impermissible disclosure to the media,” HHS says.

We’re more likely to see news stories about huge, horrifying HIPAA breaches that lead to million-dollar settlements, like a laptop containing thousands of patient records that gets lost, than we are about small-bore cases like this. But little breaches are something HHS’ Office for Civil Rights (OCR) “representatives have been vocal about focusing on lately,” says Jay Anstine, a health care corporate compliance expert in Fort Collins, Colo.

Breaches like these can be honest employee mistakes like “faxing patient records to the wrong number,” or purposeful, “like snooping into electronic records of a friend or neighbor,” says Lora L. Zimmer, an attorney with McCarty Law in Appleton, Wis.

With smaller health care providers, sometimes there can be a corporate culture of “we’re small fish” when it comes to compliance, Anstine says. But “there are no small fish in the eyes of the OCR.”

OCR announced in 2016 that it would step up investigation of data breaches involving fewer than 500 personal health records.

Should you report every breach?

Does every small breach require that you report to OCR as if it were a big one?

If an employee sends a fax and it went somewhere it wasn’t supposed to or if it’s sent to another covered entity — just the wrong one — “there’s an exception because they’re also subject to privacy restrictions, and you may deem that the probability of compromise is low,” says Mark J. Swearingen, an attorney with Hall, Render, Killian, Heath & Lyman, P.C. in Indianapolis.

“If there’s a small, defined group of people who had access to the information, the provider should reach out to those people to get assurances from them that they will return or destroy any information that’s come into their possession,” Zimmer says. “I have even gotten affidavits from people in which they swear they will not further use or disclose the information — though usually that’s been in cases of employees purposefully accessing information they shouldn’t. These good-faith efforts to mitigate the harm are important both for the patient’s peace of mind and in the event that OCR looks into the breach.”

In these cases, you may decide there’s no need to report the breach. But be careful, Swearingen says. While before the breach-notification rule was passed in 2013, covered entities had a great deal of discretion in judging whether a breach posed the “significant risk of financial, reputational or other harm” that made it reportable, under the new law, “the presumption is that it’s a breach.”

Do sanctions, no exceptions

Two things you do have to do, regardless of whether your breach is reportable: Log the incident (and retain the record for at least six years) and sanction the offending party. The failure to sanction the offending party was what HHS specifically cited in the Allergy Associates case.

And you’re more likely to deliver appropriate sanctions if you prepare a protocol ahead of time, Zimmer says.

“Providers should have HIPAA policies that state that violation of [privacy] policies can result in disciplinary action against an employee, and they should also have an employee handbook that lays out potential disciplinary actions that could be taken in the case of a violation of the employer’s policies,” Zimmer says. “And in the case of a breach, the provider should document any disciplinary action taken as a result.”

Jay Hodes, president of Colington Consulting in Burke, Va., says he prescribes a policy with a menu of possible sanctions — “a verbal reprimand, a written reprimand in employee’s personnel file, retraining on HIPAA awareness, retraining on the organization’s privacy policy and how it impacts the employee and his/her department or retraining on the proper use of internal forms and HIPAA required forms” — depending on the nature and seriousness of the offense.

“The more egregious the offense, the harsher the sanction,” he adds.

It’s important that these sanctions be meted out without regard for employee status, Swearingen says. You have to be consistent across the board — OCR could key in on why a provider would sanction clinicians but not executives.

But the important thing is that policies exist: “Whether OCR or another government agency, anytime they’re conducting an investigation, one of the first documents you’ll be required to produce is your policies,” Hodes says.

Without that, you’re sunk. — Roy Edroso (