By Glory Francke, Adam Greene and Becky Williams
A not-for-profit health care system recently agreed to pay the U.S. Department of Health and Human Services Office for Civil Rights $2.4 million as part of a settlement over potential Health Insurance Portability and Accountability Act violations. The incident at issue involved the system releasing a patient’s name to the press, consumer advocacy groups, and politicians following a highly publicized event at a clinic.
The lesson: covered entities and business associates should educate their public relations staff and leadership about what qualifies as “protected health information” (PHI), and that PHI may be disclosed only as permitted by HIPAA, regardless of whether the information is already known publicly.
(Not a) Routine Check-In
The HIPAA settlement concerned the alleged disclosure of one patient’s identity without her consent. According to various published reports, the patient in question checked in for a follow-up visit with her OB/GYN. After an office staff member escorted her to an exam room, a waiting police officer handcuffed her and brought her to the county jail. The issue? A falsified driver’s license and other false identification.
During check-in, a clinic staff member thought the patient’s driver’s license looked suspicious. The staffer called the licensing bureau of the Texas Department of Public Safety (DPS), which in turn instructed the staffer to contact the local law enforcement agency. After confirming the false license number, law enforcement officials decided to arrest the patient. The clinic complied with HIPAA up to this point: HIPAA’s privacy rule allows providers to report PHI — which would include driver’s license information — if the PHI is believed to be evidence of a crime that occurred on the entity’s premises.
But the arrest sparked protests and criticism. The patient was an unauthorized immigrant, but she had health insurance under her husband’s private plan. She was taken away in a police car in front of her crying, 8-year-old, U.S.-born daughter. Immigrant advocates questioned whether the arrest would have a chilling effect on other unauthorized immigrants seeking medical care.
What Went Wrong Under HIPAA
The health care system responded to its critics with a press release campaign, calling the incident “unfortunate” and citing “quality and safety reasons” for the procedure that led to calling the DPS. The health care system also named the patient in the press release.
About two months later, OCR initiated a compliance review of the health care system based on multiple media reports indicating it disclosed the patient’s PHI to the media and various public officials without the patient’s authorization. According to the resolution agreement, the health system appeared to be responsible for the following:
- Knowingly and intentionally failing to safeguard PHI in its possession.
- Impermissibly disclosing the patient’s PHI through a campaign of press releases, meetings with an advocacy group, state representatives, and a state senator, and by posting a statement on its website.
Although the facts here were unusual, the settlement nonetheless provides a plethora of HIPAA compliance guidance. Covered entities and business associates will benefit from considering the following lessons:
If you think it might be PHI, it probably is: Train your staff — including those in public affairs, government relations and leadership — that OCR can interpret PHI broadly to include any information that identifies someone as a patient. When in doubt, leave the information out.
Public knowledge is no excuse: Even if someone (such as the media) knows an individual was a patient, a provider cannot release additional PHI or even confirm that the individual was a patient without a valid basis under HIPAA.
HIPAA protects everyone: HIPAA protects every patient’s PHI regardless of immigration status or potentially criminal acts, even if the act was committed on the covered entity’s premises. Once an individual steps into the protected role of patient, that person should be considered a patient first.
Follow-up is critical: The failure to take disciplinary action against workforce members who did not follow policy may have accounted for a significant portion of the settlement amount (possibly more than the disclosures themselves). This highlights the importance of applying some sort of sanction any time there is a potential HIPAA violation. This can be retraining or a warning, so long as consistent with your sanctions policy. Be sure to document all such follow-up actions immediately.
Consider a privacy rule risk analysis: While the security rule requires a risk analysis for electronic protected health information, there is no similar requirement for the privacy rule. But a company may find that, despite the significant burden, it is a good compliance return on investment to conduct a risk analysis with respect to hard-copy and verbal information, identifying high risk areas where workforce members may impermissibly use or disclose protected health information. A number of past OCR settlements indicate interactions with the media as one such high-risk area at many institutions.
Keep up with your training: Aim to have documented evidence that your workforce is trained on HIPAA policies and procedures. Obtain an active confirmation from each team member acknowledging that they understand HIPAA’s “do’s and don’ts.”
Build a procedural safety net: Anticipate mistakes happening and try to build a “safety net” into your procedures and processes to help prevent impermissible PHI disclosures. For example, put a process in place to ensure all public communications and marketing material undergo multiple rounds of “PHI-scrubbing” review. Consider implementing a procedure whereby the act of a workforce member contacting law enforcement triggers a red-flag that ensures the employee in question receives additional support.
Size matters: The significant settlement amount was likely due in part to the large size of the health system. For reference, in 2015, the health system reported total operating revenue of $4.4 billion and an asset base of $6 billion. By contrast, OCR has reached significantly smaller settlements when dealing with smaller-sized organizations.
Glory Francke is an associate at Davis Wright Tremaine LLP in Seattle. Adam H. Greene is a partner at Davis Wright Tremaine in Washington, D.C. and a former regulator at the U.S. Department of Health and Human Services. Becky L. Williams is a partner and chairwoman of the health information technology and HIPAA practice at Davis Wright Tremaine in Seattle.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.