DELC To Pay $5,000- Consequences of Potential Violation of HIPAA Rules

The term HIPAA refers to the Healthcare Insurance Portability and Accountability Act. Overall, the goal of HIPAA is to safeguard patient Protected Health Information (PHI). This applies in a variety of contexts. On one hand, it aims to prevent the unauthorized disclosure of PHI to third parties. On the other, HIPAA protects the patient's right to obtain copies of their own medical records. A large space of issues between these two poles is governed by HIPAA as well. When organizations are found to be in violation of this federal law, stiff consequences can follow. One example of this can be seen with DELC, which in June 2021 was announced to have been found in violation of HIPAA regulations. To avoid a fate like this, it's critical that all healthcare-facing companies and affiliates remain up-to-date on all applicable regulations. For more information and to learn how best to protect your team, keep reading below!

What is HIPAA?

Broadly speaking, HIPAA casts a wide net over healthcare privacy and accessibility issues. But there are five specific HIPAA rules that govern the exact jurisdiction of the federal law.

The first rule is the HIPAA Privacy Rule. This tends to be the most well-known of the bunch, and often gains the most notoriety when violated. In essence, the Privacy Rule governs how PHI and other medical records are handled at all stages. This includes everything from storing and accessing information to how it is disclosed. The Privacy Rule also protects patients' access to their own medical records, without excessive burdens in terms of money or time.

The second rule is the HIPAA Security Rule. This focuses on how organizations with access to patient PHI protect it from unauthorized access or dissemination. It covers the full spectrum of security measures, from the data itself and the software used to house it, to any physical equipment used for that purpose.

The third rule is the HIPAA Transactions Rule. This sets regulatory guidelines on the transactions and coding that should be used. These include codes like ICD-9, ICD-10, HCPCS, CPT-3, CPT-4, and NDC. Proper use of these codes and transactions ensures the safety and accuracy of patient medical information.

The fourth rule is the HIPAA Identifiers Rule. This sets three unique identifiers to be used by a HIPAA-covered entity. Examples of these include:

  • National Provider Identifier (NPI)
  • National Health Plan Identifier (NHI)
  • Center for Medicare & Medicaid Services (CMS)
  • Standard Unique Employer Identifier

Finally, the fifth rule is the HIPAA Enforcement Rule. This codifies how the HIPAA security and privacy regulations are applied and establishes the penalties for violations.

What is HIPAA Training?

To best protect your staff and patients, it is crucial that any team with access to patient PHI fully understands their responsibilities under these rules. Luckily, there is a wealth of resources available to help your team remain compliant with all applicable rules and regulations in this respect. HIPAA training programs are a great way to easily access education from anywhere. These courses can benefit nearly any setting that has access to patient PHI. This includes:

  • Doctor's offices
  • Hospitals
  • Clinics
  • Physical therapy centers
  • Dentists
  • Pharmacies
  • Vaccination centers
  • Laboratories
  • Mental health professionals
  • Medical billing offices

These are just a handful of examples of teams that may have access to patient information and would therefore require HIPAA compliance.

What is HIPAA Certification?

These training courses are designed to provide a comprehensive overview of HIPAA regulations, with information specific to various practice areas. This way, your team can gain a greater understanding of their liabilities and how those liabilities relate to the larger goal of compliance. Upon completion of these programs, teams earn HIPAA certification certificates. This proves, not only to internal actors but to patients and other external parties, that your organization is serious about protecting its patients. Furthermore, it sets the tone that HIPAA violations are unacceptable. It may be just the factor that spares your team a costly HIPAA violation investigation, and thus a potentially expensive settlement.

Modern HIPAA Violations

As we continue to move into a more highly technical society, a new generation of potential HIPAA violations follows. There are bad actors seemingly around every corner, using cutting-edge technology and tactics to target sensitive PHI. In addition, the turn towards telehealth and remote healthcare strategies poses a risk of various HIPAA issues. For these reasons, the Office for Civil Rights (OCR) and its parent agency, the US Department of Health and Human Services (HHS), are not backing down on enforcing against these violations. In fact, on June 2nd, 2021, OCR announced its most recent settlement. This is the 8th financial penalty issued so far this year for a HIPAA rule violation. The new case provides an important reminder of the need to properly protect patient information while also granting lawful access in a reasonable manner. Keep reading below for more on this settlement.

DELC HIPAA Violation

Typically, the more notable HIPAA violation cases come from situations in which PHI was compromised or unlawfully disclosed. But there are several lesser-known categories of cases that pose just as much of a risk to safeguarding patient information. One example of this is a recent HIPAA settlement regarding the right of access. OCR recently announced its 19th settlement under the HIPAA Right of Access Initiative. This campaign was launched in fall 2019. It is designed to support patients and other individuals in their right to seek timely access to their own medical records. Furthermore, this access should come at a reasonable cost. In this case, the company under the microscope is the Diabetes, Endocrinology & Lipidology Center, Inc (DELC). This West Virginia-based healthcare provider mainly treats patients with endocrine diseases and disorders.

What Happened?

In August 2019, a complaint was raised with OCR, reporting that DELC had failed to meet its legal responsibilities under the HIPAA Privacy Rule right of access regulations. In particular, a parent had requested access to their minor child's medical records in July 2019. DELC failed to comply with this request in a timely manner. Under the HIPAA Privacy Rule, this type of request must be fulfilled within 30 days of receiving the original request. In response to this failure to comply, the parent filed an OCR complaint. OCR then began investigating the situation. OCR ultimately determined that this failure to provide the parent with timely access to their child's PHI constituted a potential violation of the right of access under HIPAA rules. Upon completion of its investigation, OCR again requested these records in May 2021. This was more than two years after the initial request. OCR made it known that this was unacceptable, and that a federal investigation should not be required in order to obtain your child's medical information from any provider.

How Was it Remedied?

In this case, DELC decided to settle. In doing so, the company agreed to implement various corrective actions. These corrective actions include a mandatory review and update of the company's policies and procedures as they relate to patient PHI access. These policy changes must then be sent to HHS. Upon review and approval, DELC then has 30 days to implement the changes. If it fails to comply with this requirement, HHS will step in to mandate PHI access training of its own. Another part of the corrective action plan is for DELC to provide the original claimant with their requested records. This must be done within 15 days. If DELC does not send the records accordingly, it must provide its reasoning for denying access. The plan also includes various pieces of training for all staff and administrators, to ensure continued compliance moving forward. Alongside this, a two-year monitoring period is required by OCR. DELC is also required to pay a $5,000 settlement. It is important to note that although various sanctions and remedial actions have been placed on DELC, the settlement agreement is not an admission of guilt. Rather, the company entered into the agreement to avoid the financial and legal burdens of a prolonged investigation and the potential legal ramifications that may follow.