Filefax, Inc., a defunct Illinois medical records storage and management company, has been fined $100,000 for improperly handling medical data under an agreement with the court-appointed receiver managing the company’s assets on behalf of its creditors.  This settlement has implications for both service providers and their covered entity clients.  Fox Rothschild partners Elizabeth Litten and Michael Kline were quoted in an article by Marla Durben Hirsch entitled “Be prepared for HIPAA Issues if a business associate shuts down” in the August issue of Medical Practice Compliance Alert.

As the HHS press release stated, the consequences for HIPAA violations don’t stop when a business closes.  In this case, Filefax had been under investigation by state and federal authorities since 2015 for careless handling of medical records which had been abandoned at a shredding facility.   Medical Practice Compliance Alert notes:

This settlement shows that  a provider or business associate that has violated HIPAA can’t avoid the consequences by shutting down.  “OCR is saying that you’re still responsible if you close your doors.” Says attorney Elizabeth Litten with Fox Rothschild in Princeton, NJ.

But it also provides a cautionary tale for providers who work with business associates that go under because providers are ultimately responsible for their patients’ records.

The article suggests the following tips for a covered entity to reduce its risks when a business associate may be in shaky financial shape:

  1. Keep an inventory of your business associate relationships.
  2. Choose business associates carefully.
  3. Monitor your business associates’ compliance with HIPAA.
  4. Expect increased scrutiny if a business associate is already on the government’s radar.
  5. Watch for signs that the business associate may be running into financial trouble.
  6. Don’t sit idly if the business associate files for bankruptcy.

What should a covered entity do when it learns that a business associate may have violated its HIPAA responsibilities?  For starters, see our previous post entitled Ten Tips for Actions by a Covered Entity after a HIPAA Breach by a Business Associate.  And if that BA has ceased operations, be prepared to take control of the situation even if the BA may not have enough resources left to reimburse you for its mistakes. Remember, the buck always stops with the Covered Entity.

Harry S. Truman Library & Museum 2017

Post Contributed by Matthew J. Redding.

On April 26, 2017, Memorial Hermann Health System (“MHHS”) agreed to pay the U.S. Department of Health and Human Services (“HHS”) $2.4 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule.

The underlying incident occurred in September of 2015, when a patient presented a falsified Texas driver’s license to MHHS’ staff upon appearing for the patient’s scheduled appointment. MHHS’ staff contacted law enforcement to verify the patient’s identification, and law enforcement thereafter came to the facility and arrested the patient. The incident drew some national attention from immigration activist groups.  Our partner Bill Maruca posted a blog in September 2015 that discussed the event.

It is important to note that the disclosure to law enforcement was not a contributing factor to the alleged HIPAA violation. In fact, a covered entity is permitted under HIPAA to disclose protected health information (“PHI”) to the limited extent necessary to report a crime occurring on its premises to law enforcement (see 45 CFR 164.512(f)(5)). However, in the MHHS case, the potential HIPAA violation occurred when MHHS issued press releases to several media outlets, addressed activist groups and state officials, and published a statement on its website following the incident, identifying the patient by name on each occasion.

The MHHS facility was a gynecology clinic, and its disclosure of a patient’s name associated with the facility constituted PHI. Therefore, the release of the patient’s name without the patient’s authorization was an impermissible disclosure of PHI under HIPAA.

The OCR alleged that, in addition to the impermissible disclosure of PHI, MHHS failed to document the sanctions imposed on its workforce members responsible for the impermissible disclosures.

6 Takeaways:

Covered entities, such as hospitals, physician practices, and other health care entities, should be cautious in publicizing any event involving its patients so to avoid impermissibly disclosing PHI. Further, public disclosure could open the door to liability under state statutes and common law (e.g., patient’s right of privacy, freedom from defamation, and contractual rights). Here are a few takeaways from the MHHS HIPAA settlement:

  1. PHI must remain protected. The disclosure of PHI to law enforcement, or the presence of health information in the public domain generally, does not relieve the covered entity of its obligations under HIPAA. Instead, covered entities have a continuing obligation to protect and maintain the privacy and security of PHI in their possession and control, and to use and disclose only such information as is permitted under HIPAA.
  2. Avoid inadvertently publishing PHI. PHI is not limited to health information that identifies a patient by his/her name, SSN, address or date of birth. In addition, it includes any other health information that could be used to identify the patient in conjunction with information publicly available. We’ve seen other instances where health care entities inadvertently publish PHI in violation of HIPAA, leading to significant fines (see NY Med: $2.2 Million settlement).
  3. Review your HIPAA policies and procedures with respect to your workforce’s publications and disclosures to the media. To the extent not done so already:
    1. Develop a policy prohibiting your general workforce from commenting to the media on patient events.
    2. Develop a policy with respect to monitoring statements published on your website to avoid publishing any PHI.
    3. Designate a workforce member with a sufficient HIPAA background (nudge, nudge, HIPAA Privacy Officer) to handle media inquiries and provide the workforce with contact information of such member.
  4. Review your HIPAA policies and procedures with respect to law enforcement events.
    1.  For events not likely to compromise the health and safety of others, encourage your workforce to handle such events as discreetly as possible, involving only those members of the workforce who have a need to know.
    2. Train your workforce to identify the situations where disclosure of a patient’s PHI to law enforcement is permissible and those situations where the patient’s authorization must be obtained before disclosing his/her PHI to law enforcement.
  5. Don’t forget to timely notify the affected individuals. If an impermissible disclosure of PHI occurs, do not let the publicizing of such disclosure cause you to forget your breach notification obligations. Failing to timely notify the affected individual could result in additional penalties (see Presence Health: $475,000 settlement). The breach notification clock starts ticking upon the covered entity’s discovery (as defined under HIPAA) of the impermissible disclosure.
  6. Document your responses to impermissible disclosures of PHI and your compliance with HIPAA. HIPAA places the burden on the covered entity to maintain sufficient documentation necessary to prove that it fulfilled all of its administrative obligations under HIPAA (see 78 FR 5566 at 5641). Therefore, once you discover an impermissible disclosure, document how your entity responds, including, without limitation, the breach analysis, proof that the patient notices were timely sent, sanctions imposed upon the responsible workforce members, actions taken to prevent similar impermissible disclosures, etc. Don’t forget, the covered entity is required to maintain such documentation for at least 6 years (see 45 C.F.R. 164.414 and 164.530(j)) .