October 2019 Was Full of Tricks, Not Treats, from the Office for Civil Rights
October was a busy month for the Office for Civil Rights (“OCR”) as it handed down one settlement and one civil monetary penalty for HIPAA violations and secured corrective action in a third case involving allegations of discrimination. With each enforcement announcement, OCR continues to send a message to health care providers regarding important aspects of compliance with HIPAA and civil rights laws.
October 2: OCR started the month of enforcement with a settlement involving impermissible disclosure of PHI on social media. A patient filed a complaint against Elite Dental Associates of Dallas, Texas, after the practice responded to the patient’s negative review on Yelp. OCR’s investigation revealed that the practice had repeatedly responded to patient reviews on Yelp in violation of HIPAA. This settlement is the latest of several involving improper disclosure of PHI on social media. OCR Director Roger Severino stated in the OCR press release: “Social media is not the place for providers to discuss a patient’s care,” adding that “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”
While the settlement in this case was a modest $10,000, OCR noted that it “accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.”
October 23: OCR announced a rare move in imposing civil monetary penalties against Jackson Health System in Miami, Florida, based on multiple HIPAA violations from 2013 to 2016. OCR described the health system’s HIPAA compliance program as “in disarray,” as it failed to prevent and detect multiple HIPAA violations. Those violations included the loss of 756 paper medical records by the HIM Department in 2013 (along with the failure to provide timely and accurate breach notification to HHS following the incident); the impermissible disclosure of PHI to the media in 2015, when a reporter shared a photo of a patient’s medical record displayed on a monitor in the operating room (and the related snooping into that patient’s record by two employees, who leaked the photo to the reporter); and the improper access to more than 24,000 patient records by an employee who then sold the patient information. OCR cited numerous failures by the organization leading to those incidents, including failure to conduct an enterprise-wide risk analysis or to manage identified risks to a reasonable and appropriate level, failure to regularly review information system activity records, and failure to restrict its workforce members’ authorized access to ePHI to the minimum necessary. The provider did not contest the findings and paid $2.15 million in civil monetary penalties. What’s the message here? While every covered entity will inevitably experience a significant breach at some point, OCR will look at how those incidents add up over time. If the organization does not have comprehensive and strong compliance policies and supporting activities to provide and highlight to OCR in an investigation, OCR will hold your entire record against you.
October 30: In the last enforcement action announced in October, Florida Orthopaedic Institute was alleged to have cancelled a patient’s surgery when it learned of the patient’s HIV status. The patient filed a complaint with OCR, and the practice was informed that OCR was investigating the complaint. The practice then terminated the patient, citing the patient’s complaint to OCR as the reason for dismissal. The patient informed OCR of the dismissal, and OCR cited the practice for dismissing the patient in retaliation for filing a complaint. To resolve the matter, OCR required the practice to implement corrective action, including amending its nondiscrimination policies and revising its procedures for dismissing any patient from the practice. The practice also agreed to provide significant staff training on multiple topics, including HIV, federal nondiscrimination laws, grievance procedures, and the requirement to refrain from retaliatory actions. In the press release regarding this enforcement action, Severino emphasized that “Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of unlawful retaliation.” As complaints to OCR for alleged HIPAA violations and other civil rights complaints are on the rise, this enforcement announcement is a good reminder that a covered entity must maintain and enforce strong policies against retaliating against any individual who files a complaint with OCR.