I learned a long time ago, when I served in that contradiction of terms, military intelligence, that the big risk, at that time to defense information, now also to health information, is people, not technology. You can have the best encryption possible, but if a member of your workforce gives the decryption key to an unauthorized person, what good is your technical security? Or what if a member of your workforce simply blabs protected health information (“PHI”) at a party? And even when the security incident appears to be technical, such as hacking, ransomware, or phishing, a person or group is still behind it.
And violations of individual rights of the Privacy Rule, such as the right of access, are almost totally non-technological. The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has an initiative ongoing to sanction covered entities and business associates who do not afford individuals their right to inspect and copy their PHI.
OCR just announced its ninth financial penalty under its HIPAA Right of Access Initiative. NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management, settled the enforcement action for $100,000. A patient had made numerous requests for records, including diagnostic images. NY Spine provided some of the records but did not provide the images until more than a year later, after the patient had complained to HHS. I mean, how dumb is that? Out a hundred K for not affording a patient something that the patient had a federal right to? But it was a workforce member or members that denied the access, not a computer. Or maybe management—the doctor saying “They are my records and I’ll decide whether to release them to the patient.” Yes, doc, they are your records, but the patient has a federal right of access to those records, including getting a copy of the records.
You should have a request form for copies of records and a policy for handling the requests, including getting physicians’ determinations that the access would pose a significant threat to the health or safety of the patient or a named individual.
In a new one, a HIPAA crime that I had not thought of, an acquaintance of a health care worker acted as if he were a whistleblower and contacted the hospital where the health care worker was employed and the FBI to falsely allege that the worker had violated HIPAA by sending photographs of patients to unauthorized individuals. His motive was simply to harm his acquaintance. He has pled guilty to making a false statement to federal authorities and faces a five-year maximum sentence although he is unlikely to get the maximum under the Federal Sentencing Guidelines. Hopefully, the perpetrator will experience the inside of a federal prison. How much fun was it for the hospital and the employee to be investigated by the FBI?
I don’t know how the hospital or its employee could have anticipated and prevented this HIPAA-related crime, but because an FBI or OCR investigation is always going to look at the entity’s overall compliance effort, it behooves a covered entity or business associate to achieve a high enough degree of HIPAA compliance to look good to the investigators. Remember, they can always find the allegation to be unfounded, but find other HIPAA violations that can result in sanctions. In every investigation in which I have represented the covered entity, the investigators wanted to see the written risk analysis and its updates, policies and procedures, security incident reports, patient complaint records, and training records. That’s why I wrote my Happy HIPAA Book to tell you what HIPAA documents to maintain, what they should contain, and find one easy place to find them when investigators or auditors show up.
And be certain to be aware of personnel security risks, not just physical and technical ones. Screen people before giving them access; train them, including periodic refresher training, enforce your policies, and use your sanction policy to punish wrongdoing. If you have done all of that and have written records thereof (make sure that you keep the written records for the six years required under HIPAA), you will not be liable for an employee who goes rogue and does something evil or even just plain stupid.
Alice here: please stay safe out there, especially so close to a weekend with a full moon, Halloween, time change, Mercury in retrograde, Covid-19, and so close to the election.