Many of us have found ourselves complaining, or have heard clients complain, about HIPAA. Hospitals and doctors’ offices now require the completion of additional paperwork. Hospitals, doctors, and health insurers sometimes refuse to share information with patients or with family members, citing HIPAA as the barrier even when it isn’t.
But recent news reminds us why certain pieces of this law were enacted in the first place. In February of this year, in response to particularly egregious infractions, the U.S. Department of Health and Human Services (HHS) imposed its first civil monetary penalty against a healthcare provider for HIPAA violations. The penalty amount: $4.3 million. Shortly thereafter, HHS announced a settlement of $1 million with another provider for a significant HIPAA breach.
These cases illustrate two major types of personal privacy violations that HIPAA is designed to curtail. In the first, HHS found that a health care entity failed to provide timely personal health information (PHI) to patients upon their request. The organization essentially ignored patient requests for their medical records for months at a time. HHS also found that the healthcare provider did not cooperate with the HHS investigation, and that it did so out of willful neglect. This neglect resulted in an additional fine of $3 million, on top of the $1.3 million for the initial infractions.
Conversely, in the second case, a healthcare provider disclosed patients’ personal health information without approval. An employee lost documents from an Infectious Disease practice by leaving them on a subway while commuting (the employee intended to work on them at home). These documents, never found, included patients’ billing records with names, birth dates, medical record numbers, health insurers and policy numbers, and diagnoses. Some of these patients were being treated for HIV/AIDS. In addition to the $1 million settlement, the covered entity agreed to a three-year remediation plan to help it prevent future infractions.
By imposing these large financial penalties, HHS appears to be getting serious about enforcement of patients’ privacy rights. And while HIPAA may create administrative hassles that patients will continue to complain about, patients can also take some comfort in knowing that there is now a greater deterrent to doctors and hospitals mistreating their personal medical information, either by disclosing too much or too little of it.
For more detail on these cases, see, among others: Pepper Hamilton LLP Health Law Alert.
Randi J. Siegel, MBA, is the President of DocuBank, the largest advance directive registry in the U.S., which ensures that the healthcare directives of its 180,000 enrollees are immediately available 24/7/365. Working with estate planning professionals since 1997, Randi frequently speaks at national estate planning conferences and has appeared on radio and television as an authority on registries. She is active in health policy pertaining to advance directives and serves as a Senior Fellow at the Jefferson School of Population Health in Philadelphia. Randi is an ongoing contributor to the Academy blog.