Here we go with two more OCR enforcement settlements.  As we expected, the end of the year included a flurry of enforcement announcements from OCR.  Just as this episode was about to be recorded, they announced the second patient access settlement, so we can cover both in one episode!  Both of these cases involve some costly PHI mistakes, so let’s get down to business.

In this episode:

Costly PHI Mistakes – Ep 235

The HIPAA Boot Camp

2020 Spring Session Dates

March 24, 25, 26

Tucker, GA

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Donna was featured on the Cyberwire Caveat podcast.  Thanks to Dave and Ben for having me on the show!  It was good to talk about HIPAA with folks who want to learn about it.  You can listen to that episode on your favorite podcast player or on their website, on the page for the episode Helping us understand HIPAA.

Big thanks to Lucas Noki aka @zPrototype2 for tweeting out his list of best infosec podcasts and including Help Me With HIPAA!  We appreciate your support, thanks for spreading the word.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Costly PHI Mistakes

Reading between the lines, you can usually tell when someone wasn’t cooperating with OCR in a resolution agreement or determination. Sentara was likely one of those, judging by the latest settlement.  Maybe not an all-out refusal to cooperate, but clearly some issues seem to have existed right from the start in at least one of these cases.

What costly PHI mistake caused Sentara to get hit with a big check to write?

OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

Sentara has been around for a long time.  I remember dealing with them way back in the early 90s when they were just around the Norfolk, VA area.  Now they own 12 acute care hospitals with more than 300 “care sites” in Virginia and North Carolina.  They are huge.  This goes back to how people always assume the big guys have HIPAA covered.  Things are not always as they seem.

OCR received a complaint from a patient on April 17, 2017. The patient said they received a bill from Sentara that included another patient’s name, account number, and dates of service in the envelope. Sentara had reported this original problem as a breach impacting only 8 patients.

But OCR started asking questions, and it turns out that isn’t exactly what happened. There were really 577 patients whose information was mixed in with various statements going out to 16,342 patients. I bet that came as a surprise. Eight patients does not sound anything like 577 patients when it comes to a breach report.

Blatantly fail to report breaches as required by law
OCR then looked into it even further. They found that there was no BAA in place between the provider of care and the business associate that handles the billing. I think this happens a lot as the structure of companies gets complex. There is an entity set up as a management company that handles the back office work. With each section of the organization being a separate legal entity, there must be proper agreements in place; they can’t just operate on the assumption that everyone will do what they are supposed to be doing.

The proper BAA wasn’t signed until Oct 17, 2018. I cannot stress enough the importance of getting your ducks in a row ASAP when a significant event occurs. This was another issue that just got added onto the list of violations.  It is possible it could have been caught if they had done a full review after the breach occurred in 2017.

The director’s quote for the press release seems to show some frustration.

HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.  When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.

Roger Severino, OCR Director

Wow, blatantly.  There goes that underlying sense that maybe there wasn’t a lot of cooperation going on in this case.  The fact that they settled says a lot, given the stance some of the other large entities have taken in fighting the CMP.

Sentara agreed to pay $2,175,000 and committed to a 2-year CAP that covers 10 of their hospitals, which are listed specifically in the settlement document.  The CAP focuses specifically on getting their breach notification policies and procedures in line.  Lucky for them, they now have time to get their other ducks in a row before something else goes wrong.  This should be the costly PHI mistake that motivates them to invest in all areas of the privacy and security program.

What costly PHI mistake prompted the settlement with Korunda?

OCR Settles Second Case in HIPAA Right of Access Initiative

Korunda Medical, LLC is a Florida-based company that provides primary care and pain management to around 2,000 patients a year.  This case is only the second one directly related to patients’ right of access to their records.  We reviewed the first one several weeks ago.  I do not expect this to be the last one, though, especially after reading the details of this case.  This case shows again how costly the PHI mistakes can be when you prevent patients from getting their medical records in a timely manner under the new enforcement initiative.

On March 6, 2019, OCR received a complaint that Korunda Medical refused to provide a patient their PHI in the requested format, and did not charge a cost-based fee to provide the records in any manner.  OCR contacted the Korunda folks on March 18, 2019 and provided what they call “technical assistance”.  That is their way of nicely telling you what you should be doing so you can learn the error of your ways and right the ship.  One would think that is enough, but for way too many years there have been organizations that see that response as getting off the hook.  They don’t make any changes at all.

According to the announcement, the patient had been repeatedly asking Korunda to forward their medical records in electronic format to a third party. Not only did Korunda not send the records in a timely manner, they also didn’t send them in electronic format.  On top of those issues, they charged the patient more than a reasonable cost-based fee to send the records late and in the wrong format.

Guess what happens next!  OCR gets another complaint filed on March 22, 2019 that says they are still doing the same thing.  Basically, a shout out to OCR saying, Mom, Dad! They’re doing it again!  At this point, OCR lets Korunda know that they have to look into their practices and investigate the continued complaints.  Yeah, they said before, don’t make me come in there, but you kept it up, so here they are to enforce the rules of the house!  We can assume no one was ready when they got the investigation notice on May 8, 2019.  They don’t seem to realize they continue to make some very costly PHI mistakes.

This is where it gets tricky.  All they say about the results of the investigation is this:

HHS’s investigation indicated that the following conduct occurred (Covered Conduct):

Korunda Medical failed to provide timely access to protected health information from April 22, 2019 to May 12, 2019.

The press release does make a point of saying that after the second OCR intervention they provided the patient records to the third party in the requested format for free.  I guess they finally got the message this time.  I really do wonder what happened between the first complaint call from OCR and the second complaint being filed.

This took place really quickly: the complaint came in, assistance was provided, another complaint was filed, an investigation was opened AND a settlement was reached, all within just a few months.  It sets a record for turnaround time.  Is it possible that these folks are being used as the example we always hear about?  Remember, Severino announced this enforcement initiative at the National HIPAA Summit in March 2019.  Maybe these folks were in the wrong place at the wrong time with no HIPAA program in place?

The settlement agreement required them to write a check for $85,000.  That isn’t chump change by any means when the finding doesn’t even cover a month.  It is pretty easy to classify this one as a costly PHI mistake, just like the Sentara case above.  Clearly, there are things going on in the mix that they don’t include in the settlements the way they do in the CMP determinations.  No matter what, the intent is for other providers to get the message loud and clear.

Here is the director’s quote from the press release.

For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.

Roger Severino, OCR Director

Korunda Medical agreed to a one-year corrective action plan that only focuses on correcting their policies and procedures for patients’ access to medical records.  Of course, they are also required to train staff on the updates.  If they are smart, they will work on their entire privacy and security program, not just this part.  One complaint about something else or one reported data breach and the gloves will come off.

Some may say that calling these costly PHI mistakes instead of outright failures is being too nice.  When it comes to this stuff, we can only hope that people really did make mistakes.  Hopefully there wasn’t a complete failure to care about protecting PHI, but then again…

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.