HIPAA Violations for May 2021
The term HIPAA has been thrown around quite a bit especially after the events of the past year. While many may use this term, not all truly understand what it means. HIPAA stands for the Health Insurance Portability and Accountability Act. It was first established in 1996, codifying federal standards of patient protection. There are various sub-sections of HIPAA, governing how patient information can be used and shared. It is imperative that anyone with access to patient information understands these guidelines. On the other hand, it's critical patients understand their rights as well. When HIPAA violations do occur, there are remedial actions. Not only does this correct weak spots in patient security, but it also deters future violations. Keep reading for more information on HIPAA, and violations from May 2021 in particular.
What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is a federal law designed to protect sensitive patient information from unlawful disclosure. While HIPAA sets the national standards for this activity, it is thus enforced by the five particular rules within the law. The US Department of Health and Human Services (HHS) oversees and enforces related activities. In particular, the HHS Office for Civil Rights takes the lead. It may seem obvious that medical providers are responsible for following these guidelines. However, these requirements extend beyond just hospitals and doctors' offices. HIPAA covers all entities that have access to patient information. This also includes any third parties or contractors that they do business with. Examples of businesses that must comply with HIPAA regulations include:
- Doctors' offices
- Dentists' offices
- Physical therapists
- Mental health professionals
- Medical billing offices
- Insurance companies
- Outpatient facilities
Common HIPAA Issues
There are various compliance issues that tend to arise more commonly than others, as reported by HHS' Office for Civil Rights. Whether they occur with or without knowledge of noncompliance, the following can be very dangerous if unchecked. 1. Disclosure of Protected Health Information The first is the impermissible use or dissemination of a patient's protected health information. This could take a variety of forms. It may occur from one medical office to another, or from an unauthorized request for a patient's records, or during a billing event. Either way, it can be avoided with the proper HIPAA compliance measures in effect. 2. Lack of Safeguards for Protected Health Information In fact, the second most common HIPAA issue occurs when there is a lack of compliance safeguards in place for protected health information. This is where the educational aspect comes into play. With the proper training and procedures in place, this issue can largely be avoided. 3. Improper Patient Access to Protected Health Information The third most common HIPAA issue brings an important factor to light. While most people associate HIPAA violations with the improper disclosure of patient information, there is another important piece to the puzzle that often gets missed. HIPAA is designed just as much to provide patients with access to their own information, as it precludes unlawful disclosure. This is the third most common issue as outlined by HHS' Office for Civil Rights: lack of proper patient access to their own records. 4. Insufficient Administrative Safeguards for Digital Protective Health Information The fourth most common HIPAA issue has continued to increase in relevance as we turn more towards telehealth practices. At the administrative level, many companies and offices run into trouble in terms of protecting electronic health information. Unfortunately, digital threats of data breaches are all too common. For this reason, offices must take all measures possible to protect their patients from these attacks. 5. Disclosure of Patient Protected Health Information, Beyond the Minimum Necessary The fifth most common breach of HIPAA regulations involves situations in which information can be permissibly disclosed. However, this should be provided on a need-to-know basis. In these situations, there is a legitimate need for access to patient information. But this does not grant unchecked authority to disclose a full patient file. This is especially relevant for patients with complex medical backgrounds. There may be a variety of information regarding different areas of medical attention, that could potentially be unlawfully disclosed. Following HIPAA guidelines, only relevant and required patient information should be disclosed. Unless the patient understands and consents to further release of their protected health information, there is great potential to fall out of compliance if too much information is released. These issues are carefully tracked at both a national and local scale, by the HHS and its Office for Civil Rights. This way, trends in HIPAA compliance can be identified and addressed. With proper education and training on these key issues, frequent HIPAA violations can be reduced.
What Are the HIPAA Rules?
There are five main HIPAA rules. These were established by HHS to enforce the goals of the original law. Each carries its own unique guidelines and implementation expectations to achieve the overarching goal: protecting patient health information. The first is the Privacy Rule. Generally speaking, this rule is designed to protect the private information and medical records of patients. It also allows patients access to obtain copies of their own records without red tape. Furthermore, the HIPAA Privacy Rule limits the uses and disclosures of patient information that can be made without their consent. The next is the Security Rule. This rule more clearly defines and regulates HIPAA's requirements in relation to electronic patient information. This covers all stages including storage, access, and transmission. The third rule is the Transactions Rule. This covers the code sets used on HIPAA transactions. Under the transactions rule, these codes must be properly applied to ensure the accuracy, security, and overall safety of the patient's medical records. The fourth rule is the Identifiers Rule. There are three specific identifiers used for covered entities under HIPAA, who perform administrative and financial transactions defined by the law. These identifiers are:
- National Provider Identifier
- National Health Plan Identifier
- Standard Unique Employer Identifier
The final rule is the Enforcement Rule. This rule expands the existing HIPAA privacy and security regulations and increases the penalties assessed for violations.
HIPAA Violations in May 2021
The year 2020 and into 2021 has proved to be a difficult time to maintain HIPAA compliance. Between the introduction of COVID vaccines and the continued reliance on telehealth, many offices and practices continue to struggle to keep up with HIPAA regulations. However, HHS has not let down on enforcing these regulations. Now more than ever, it is critical your team stays up-to-date on all HIPAA requirements. Otherwise, you may suffer the same fate as these companies charged with HIPAA violations in May 2021.
AEON Clinical Laboratories
AEON Clinical Laboratories also known as Peachstate is owned by Peachstate Health Management, LLC. This company mainly provides diagnostic, clinical, and other laboratory tests, including genetic testing. On May 25, 2021, HHS announced it had come to a settlement with this company. Peachstate agreed to pay $25,000 in fines, in addition to adopting a Corrective Action Plan. This is in response to accusations of violating the HIPAA Security Rule. An investigation and compliance review first began in response to a data breach on the part of a Peachstate affiliate. This event involved unsecured patient health information by Authentidate Holding Corporation (AHC), Peachstate's merger-partner. The breach was brought to light on January 7, 2015, after the US Department of Veterans Affairs reported a data breach of their own. This event in particular involved the telehealth services program that AHC was managing. Following this breach, HHS began a compliance review of AHC in August 2016. At this time, HHS learned of AHC acquiring Peachstate under a "reverse merger." From there, HHS expanded their compliance review to cover Peachstate, as well. During this 2016 investigation, HHS found systematic failures to comply with the HIPAA Security Rule. In response, Peachstate settled for $25,000 and the adoption of a three-year Corrective Action Plan. Unfortunately, in May 2021, they were found to be affiliated with a violation again. In the recent investigation, Peachstate chose to settle with HHS despite not being involved with the AHC data breach.
Looking Ahead to Upcoming Potential HIPAA Violations
In addition to existing HIPAA violations, there is a great potential for more to occur in the near future. As more and more Americans become vaccinated against COVID-19, and businesses begin to re-open to a full capacity, generally allowing for maskless entry for vaccinated individuals. But this opens the door for a variety of potential health information issues. Individuals across the country have begun to raise the question can a business ask if I am vaccinated? Is checking vaccination status a HIPAA violation? On one hand, there are many states simply using the "honor system" to validate vaccination status. They are leaving it up to the customers, to be honest about their status, and follow the rules accordingly. But other states are taking it up a notch. Oregon, for example, is preparing to require COVID vaccination card checkpoints. The Oregon Health Authority is expected to adopt a regulation requiring business owners or employees to inspect a customer's vaccination card. This includes checking the dates of individual shots. For companies that choose not to take part in this practice, they must continue to require masks even for those fully vaccinated. Despite many contrary claims, it is not a HIPAA violation for a business owner to ask a customer if they are vaccinated in order to allow maskless entry to a private building. It would, however, be a violation for the business owner to call the customer's medical provider and request this information without the customer's consent. While this may seem far-fetched, it highlights how there are many potential doors opened to HIPAA violations as the country begins to rebuild.
How Does This Affect My Company?
This question poses a very fine line and is something that all businesses must be aware of. Whether or not your state requires verifying vaccination status, there may be unique circumstances that arise. For this reason, it is imperative that all public-facing companies who see customers on a consistent basis understand these guidelines. Due to the ever-changing guidance surrounding COVID-19, a HIPAA violation is now a potential item for any company even those uninvolved in the medical community. All business owners and employees may find it beneficial to brush up on general HIPAA regulations, and how it may apply to them on a day-to-day basis. Education is one of the strongest means of protection, and may just save your company from many headaches down the road.