ORLANDO, Fla. — HIPAA violations come in all shapes and sizes, but to avoid any infraction, facilities need to ensure their staff is trained on the law and the proper procedures.
“Effective employee training is critical. I can’t stress that enough,” said Leonard Lucey, JD, LLM, legal counsel for the American College of Radiology, speaking this week at the 2012 annual meeting of the AHRA, association for medical imaging management. “If your employees know what to do you will be safe.”
The common causes of HIPAA breaches in 2009 and 2010 were theft of patient health information, unauthorized access to the data, human error, loss, and improper disposal of patient records. Access to patient health information should be limited, and employees should know where the information is located.
Although the original privacy and security law was passed in 1996, enforcement rules were added seven years later, and the recent HITECH Act of 2009 added more requirements to protect the information. For example, business associates of covered entities are now covered under the law, meaning anyone who comes in contact with protected information is also liable. This could include PACS and RIS vendors, Lucey explained.
Another recent change is that patients now have absolute access to their protected health information. Failure to comply could land a facility with fines or at least a slap on the wrist and a corrective action plan.
Lucey detailed a few case examples of HIPAA violations. In one case, a hospital employee left a message with the patient’s daughter on the home answering machine. The message included protected health information, and even though it was relayed to a family member, it was still a violation, Lucey said. The patient had requested to be contacted at her work number and that staff only speak with her. The Office of Civil Rights, which handles the complaints, provided educational training for staff on the proper procedures.
In a second case, a radiologist interpreted a patient’s images and sent the claim to the patient’s employer under workers’ compensation. However, that bill was sent in error, because the workers’ compensation plan wasn’t responsible for payment. In this case, the practice apologized, and the radiologist was sanctioned. “You have to be aware of who is entitled to the information,” Lucey added.
In a case reflecting the new business associates provision, a pharmacy faced a violation for providing protected health information to its law firm. The Office of Civil Rights said that wasn’t permissible, because there wasn’t a business associate agreement in place with the firm. Check with legal counsel, Lucey said, to see if you need an agreement in place.
Lucey also detailed a few more high-profile cases that included major violations and steep fines. For example, a department manager from Massachusetts General Hospital left unsecured patient information on the subway. The facility received a $1 million fine ($5,200 per breach) and a three-year corrective action plan from the Office of Civil Rights.