
2 More OCR Settlements – Ep 388 

 January 6, 2023

By  Donna Grindle

For our first show of 2023 we review 2 more OCR settlements! These are the last ones released in 2022. Listen in to hear what happened so that you can learn how to avoid making the same mistakes in the new year.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[05:42] FTC new tool: Mobile Health App Interactive Tool

It is supposed to help mobile health app developers figure out which rules apply to their app based on who the app is for and what it does.

An important caveat: This tool is not offering legal advice and is provided for informational purposes only. Using this tool isn’t required by federal law and can’t guarantee compliance with applicable federal requirements. Instead, it’s meant to give you a snapshot of potential compliance obligations and point you to educational materials and best practices for delivering safe, accurate services while safeguarding the privacy and security of consumer information.

2 More OCR Settlements

[11:43] For our first show of 2023 we have 2 more OCR settlements to share! There may be more dated 2022 after this, but as of this recording these are the last ones for the year. Let’s see what we can learn from them.

Social Media and PHI should not be mixed

First up, we have another dental practice in the spotlight. There have been several of these lately. We have mentioned many times that there is a lack of serious concern about privacy and security in the dental specialties. It may be improving, but there have certainly been plenty of cases and personal stories to confirm that is still the case. Hopefully, the fact that OCR settled with more dental practices this year than in all other years combined will make a difference.

In this case, we have New Vision Dental (NVD) in California. They agreed to pay $23,000 to OCR and implement a 2-year corrective action plan (CAP) for responding to online reviews with information that included PHI.

This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear NO. OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.

OCR Director, Melanie Fontes Rainer

Interesting notes on this one. It included an onsite visit! That part didn’t make any of the stories I read so far, but it is in the details of the agreement. Here are the facts, and what OCR found, that got us to this point.

On November 29, 2017, OCR received a complaint saying that NVD “impermissibly disclosed protected health information (PHI) on its Yelp business page.” It seems that Dr. Brandon Au, who apparently owns the practice, would respond to patient comments with their PHI included. That is something we have seen before, but this complaint included the allegation that NVD made a habit of doing it.

The complaint said that NVD habitually disclosed PHI when it responded to patient posts on social media. Apparently, they sometimes provided the full names of patients even when the patient had not used their name in the post. They also included detailed information about patient visits and insurance, even when none of it had been mentioned in the review.

So, OCR went to the Yelp page to see what was happening in the reviews. It is public information, after all. It was easy to see that NVD had definitely been including PHI in its responses.

On August 27, 2018, OCR notified NVD that its compliance with the Privacy Rule was being investigated. Those letters usually come with a request for information. I am not sure what exactly happened but….. Here is where “what we know” gets interesting. On March 1, 2019, OCR conducted an on-site visit to NVD as part of its investigation.

Officially, the Privacy Rule was all that was evaluated. Not sure what would have been found if the other rules had been evaluated, but based on what we do know it would not have been pretty. The official violations they were facing were:

  1. Impermissible disclosure of PHI.
  2. Failed to have the minimum content required in their Notice of Privacy Practices (NPP).
  3. Failed to implement policies and procedures for handling PHI on social media/public platforms.

[23:39] In the CAP, we see the normal requirements for developing policies and procedures for the Privacy Rule and training the entire workforce on them within a limited time frame. The last item in the minimum content that must be included in their policies and procedures (PnPs) says this:

7. Policies and procedures to comply with the Breach Notification Rule; including NVD’s internal reporting procedures which will require all workforce members to report to the designated person or office at the earliest possible time any potential violations of the Privacy, Security or Breach Notification Rules or of NVD’s privacy and security policies and procedures. Such reporting procedures shall require NVD to promptly investigate and address all received reports in a timely manner. (45 C.F.R. § 164.400, et seq.)

Number 42 in the right of access initiative

[30:25] This one is a primary care group: Health Specialists of Central Florida Inc. They will be paying $20,000 and taking on another 2-year CAP.

The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law. Today’s announcement speaks to the importance of accessing information and regulated entities taking steps to implement procedures and workforce training to ensure that they are doing all they can to help patients access.

OCR Director, Melanie Fontes Rainer

In November 2019, a woman filed an OCR complaint saying she had been trying to get her deceased father’s records from Health Specialists. She said she had made multiple requests for access to the medical records and still had not received them. Once OCR contacted the office, the records were finally sent on Jan 27, 2020. That was too little, too late, though, because it was almost 5 months after the initial requests were made in August 2019.

As the settlement document pointed out:

In consideration of the Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings, the Parties agree to resolve this matter according to the Terms and Conditions below.

A specific note in the CAP got my attention just because I have had recent discussions about reviewing your policies and procedures on a regular basis. Well, what do I see but confirmation of my recommendation! That always makes for a proud moment; if it doesn’t, you should allow yourself one.

The Covered Entity shall assess, update, and revise, as necessary, the policies and procedures at least annually or as needed.

So, for many folks, finding the policies and procedures and dusting off the binder is the first step. Policies and procedures are not just a paperwork thing. They are what make sure everybody is following the same plan and the same rules, and that every step that needs to be taken is taken every single time. That’s what it’s all about.

Remember, don’t ever overlook these settlement documents. They are really the only time you see, in writing, what OCR actually thinks once it has what it needs for a “fact-specific determination” about compliance. You never know when they will come in handy.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
