Small Breaches Can Be Subject to Large Penalties

June 21st, 2019 - Namas


We may have heard about the large fines issued by the Office for Civil Rights (OCR) against big organizations like Anthem or the University of Texas MD Anderson Cancer Center. These organizations have been in the news due to privacy breaches that constituted violations of the HIPAA Privacy Rule. However, a recent incident reminds us that even small physician offices can be fined by OCR for violations. For small practices, the sums involved can be considerable.


Allergy Associates of Hartford is a relatively small practice, consisting of three doctors and four offices in Connecticut. This practice recently agreed to a $125,000 settlement with OCR because of a privacy violation. The HHS statement provides an example of what not to do and what the consequences can be. A brief summary of the statement, which is available on the HHS website, follows.


In February 2015, an Allergy Associates patient contacted one of the local television stations to speak about a dispute between that patient and an Allergy Associates doctor. The reporter from the station followed up with the doctor, who proceeded to impermissibly disclose protected health information about the patient.  


OCR investigated this situation and found that the doctor's discussion with the reporter demonstrated "a reckless disregard for the patient's privacy rights and that the disclosure occurred after the doctor was instructed by Allergy Associates' Privacy Officer to either not respond to the media or to respond with no comment." To further complicate the situation, no disciplinary action was taken against the doctor nor was there any corrective action taken following the impermissible disclosure.


The fines and publicity around this event are not meant to scare practices. The event provides an opportunity for all of us working in practices to learn what not to do, and what to do, in complying with the HIPAA Privacy (and Security) Rules.


What should physician practices do as a result of this incident and the OCR response? First, providers must always be diligent in protecting patient privacy in all communications, at the office or elsewhere. The HIPAA rules about privacy apply to all types of information, whether electronic, written, or spoken. Second, the OCR takes violations of the privacy rules seriously, no matter what the size of the organization. Finally, all organizations must have a disciplinary policy in place for privacy breaches. Employees should be well aware of this policy, and it must be followed when breaches occur.


A practice of any size must follow the requirements of the Privacy Rule. This includes having a designated privacy officer, a written set of privacy policies and procedures, and periodic training sessions for all employees. All of these efforts can be used to reduce, and hopefully eliminate, the possibility of a privacy breach.


Besides having to pay the $125,000, Allergy Associates will have to undertake a corrective action plan that includes two years of having the OCR monitor their HIPAA compliance. This was a further burden on the practice that could have been avoided.


Remember that the OCR does not need to wait for a patient complaint to initiate a HIPAA violation investigation. They can start investigations based on newspaper articles or television segments, Internet articles, Facebook posts, or other types of evidence.



Copyright © 2000-2024 innoviHealth Systems®, Inc. - CPT® copyright American Medical Association