HIPAA Settlement Tally Rises More

By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure

The HHS Office for Civil Rights is finishing 2024 with a flurry of HIPAA settlements and there is still more time to go. Each settlement offers a different insight into necessary compliance and oversight activities.

Don’t Over Share

The first settlement, announced on November 26, 2024, involved Holy Redeemer Family Medicine (Holy Redeemer) and its overzealous response to a request to release a patient’s information. OCR received a complaint about the issue in September 2023 asserting that Holy Redeemer impermissibly disclosed a patient’s information to the patient’s employer. The over-disclosure included surgical history and reproductive healthcare information. In fact, Holy Redeemer provided the patient’s entire medical record to the employer.

The problem with the disclosure was that the patient had asked for only one specific test result to be provided to the employer.

After conducting an investigation, OCR informed Holy Redeemer that it impermissibly disclosed the patient’s information. That is a pretty obvious conclusion if Holy Redeemer provided information well above and beyond what the patient asked to be disclosed. The result of sending too much information was settling for a payment of $35,581 and implementing a corrective action plan.

The settlement provides a reminder that every disclosure of information should be reviewed for scope before being made. That may require double or triple checking for alignment with the request. Further, it is always a good idea to confirm if the disclosure meets the minimum necessary standard. It’s always a good reminder to not over share.

Employee Leaving, Turn Off Access

The second settlement, announced on December 3, 2024, involved Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast). The issue arose from a business consultant retained by Gulf Coast in May 2018. The contractor was supposed to provide services for a year, but stopped in August 2018. At that point, the contractor’s access to Gulf Coast’s systems should have been cut off.

However, on February 20, 2019, Gulf Coast discovered that was not the outcome. Instead, Gulf Coast determined that the former contractor had accessed information on over 34,000 patients by entering the system at least 3 times after services ceased in August 2018. Accordingly, Gulf Coast finally terminated access on February 21, 2019. Gulf Coast submitted its breach notification to OCR on April 5, 2019.

As should be expected, OCR initiated an investigation to get better insight into Gulf Coast’s compliance practices. As is usually the case, OCR found extensive issues, in its view. Per OCR, the deficiencies included not conducting a risk analysis (a standard finding, and really head-scratching as to why it’s so often missing), lack of system monitoring for access issues, no procedures to follow when a workforce member is terminated, and lack of policies to modify a user’s access to systems (arguably a doubling down on the lack of termination procedures). OCR notified Gulf Coast of the findings on January 23, 2024.

The gulf of time between the investigation and notification of the findings should be cause for question. Are OCR’s resources stretched so thin that it cannot close an investigation in less than about 4.5 years, does it take that long to wade through information, or are there other factors at play?

Regardless, after OCR sent its findings, OCR reported that it could not resolve the matter informally with Gulf Coast. What does lack of informal resolution mean? Does that mean Gulf Coast would not agree to a settlement or did Gulf Coast not want to take technical guidance? There are some key distinctions there and it would be helpful to know what caused the breakdown.

Following the breakdown in discussions, OCR moved to impose a civil monetary penalty. After going through its standard factors, OCR proposed a penalty of $1,190,000. Gulf Coast did not provide valid defenses or seek a hearing, so that amount was finalized.

Some of the questions arising from this penalty were already raised. Those include how the informal resolution discussions broke down and why no risk analysis was being conducted. Those are arguably more of the run-of-the-mill issues.

The bigger takeaway from the penalty announcement is the need to have clear procedures when someone leaves an organization, whether the departure is voluntary or involuntary. Not having a process to remove access that kicks in immediately is a recipe for a breach. Even if the departing workforce member has no nefarious intent, any form of access following departure is a breach. That outcome is easily avoidable by just turning off the proverbial spigot. It should be a basic component of offboarding.
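The two controls OCR faulted Gulf Coast for lacking, disabling access when a workforce member or contractor departs and monitoring for access that should no longer be occurring, are simple to express in code. The following is an added example written for this page, not code from the article or from any organization it names. The access log format, the account names, the offboarding roster and the dates are all constructed for illustration; a real deployment would read these from the identity system and the application's audit logs.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set, Tuple

# Constructed sample audit log: timestamp, account, action, system.
# These lines are made up for the example and do not come from any real system.
ACCESS_LOG = """\
2018-08-15T09:12:00 consultant_a LOGIN ehr-portal
2018-08-20T14:03:00 nurse_b LOGIN ehr-portal
2018-10-02T22:41:00 consultant_a LOGIN ehr-portal
2018-12-11T03:15:00 consultant_a LOGIN ehr-portal
2019-02-19T19:58:00 consultant_a LOGIN ehr-portal
2019-02-20T08:30:00 nurse_b LOGIN ehr-portal
"""

# Hypothetical offboarding roster: account -> last day the person was authorized.
# In practice this comes from HR or contract management, not a hand-kept dict.
OFFBOARDED: Dict[str, date] = {
    "consultant_a": date(2018, 8, 31),
}

# Hypothetical list of accounts that are still enabled in the system.
ACTIVE_ACCOUNTS: Set[str] = {"consultant_a", "nurse_b"}


@dataclass
class Finding:
    account: str
    when: datetime
    days_after_end: int


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (timestamp, account, action, system)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, account, action, system = line.split()
        events.append((datetime.fromisoformat(ts), account, action, system))
    return events


def accounts_to_disable(active: Set[str], offboarded: Dict[str, date], today: date) -> List[str]:
    """Preventive control: accounts still enabled after their authorized end date."""
    return sorted(acct for acct in active if acct in offboarded and offboarded[acct] < today)


def find_post_termination_access(log_text: str, offboarded: Dict[str, date]) -> List[Finding]:
    """Detective control: logins by an account after its authorized end date."""
    findings = []
    for when, account, action, _system in parse_log(log_text):
        end = offboarded.get(account)
        if end is None or action != "LOGIN":
            continue
        if when.date() > end:
            findings.append(Finding(account, when, (when.date() - end).days))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count post-termination logins per account, for the breach assessment."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.account] = counts.get(f.account, 0) + 1
    return counts


if __name__ == "__main__":
    # Run the preventive check as of a constructed review date.
    print("Accounts to disable:", accounts_to_disable(ACTIVE_ACCOUNTS, OFFBOARDED, date(2019, 2, 20)))
    # Run the detective check over the constructed log.
    for f in find_post_termination_access(ACCESS_LOG, OFFBOARDED):
        print(f"{f.account} logged in {f.days_after_end} days after authorized end: {f.when}")
    print("Summary:", summarize(find_post_termination_access(ACCESS_LOG, OFFBOARDED)))
```

The point of running both checks is that they fail independently: the preventive check depends on the offboarding roster being fed to whoever administers accounts, and the detective check catches the case where that hand-off did not happen. Had either been in place, the months of access the article describes would have surfaced at the first login after the end date rather than at a later discovery.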

Conclusion

Is there more to come in 2024? OCR is certainly not slowing down in announcing settlements or imposing penalties. The Office of the Inspector General called out OCR for not doing enough to audit compliance with HIPAA and not enforcing violations enough. That kick in the pants may be the ongoing spur to keep the heat on. As always, if organizations take the time to examine operations and double check what is being done, then headline avoidance is increased.

This article was originally published on The Pulse blog and is republished here with permission.