Affinity Health Plan, Inc., a New York based managed care plan, recently entered a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS), which required them to pay HHS $1,215,780. Why? Because Affinity forgot to erase a leased photocopier hard drive.
Affinity returned multiple photocopiers to leasing agents without erasing protected patient health information from the copiers’ hard drives. One of the photocopiers was later purchased by CBS Nightly News, who subsequently informed Affinity that the copier contained confidential medical information on the hard drive.
In accordance with Federal guidelines, Affinity reported the data breach to HHS in 2010. HHS’s investigation of the mishap determined that Affinity had impermissibly disclosed protected health information of up to 344,579 individuals and failed to implement policies and procedures required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the financial penalty imposed by HHS, Affinity likely incurred thousands of dollars in professional fees addressing the HHS claims during the three-year investigation.
Why is the Affinity example important? Affinity’s case reminds us of some fundamental HIPAA policies that every health care provider must be constantly aware of. These policies come into play with greater frequency as storage, transport, and exchange of private health information are increasingly accomplished electronically in an evolving digital age.
What is HIPAA?
HIPAA was established in 1996 to protect certain health records and extend rights to patients concerning that information. The HIPAA provisions do not just apply to hospitals or major medical providers, but to all health care providers, regardless of size, who transmit or store “individually identifiable health information” (commonly referred to as “protected health information,” or “PHI”) in any form, whether electronic, paper, or oral.
PHI is information that relates to: 1) the individual’s past, present or future physical or mental health or condition, 2) the provision of health care to the individual, or 3) the past, present, or future payment for the provision of health care to the individual, AND that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
HHS has established standards for HIPAA covered entities to protect PHI. These standards are the HIPAA Privacy and Security Rules.
HIPAA Privacy Rule
The major premise of the Privacy Rule is to define and limit the circumstances in which PHI may be used or disclosed by HIPAA covered entities. Generally, health care providers can disclose PHI 1) as permitted or required by the Privacy Rule, or 2) with the authorization of the individual who is the subject of the PHI.
Additionally, the Privacy Rule outlines specific requirements for HIPAA covered entities to develop and implement written privacy policies and procedures, train employees, and provide adequate administrative, technical, and physical safeguards to prevent improper use or disclosure of PHI.
HIPAA Security Rule
The Security Rule requires and outlines standards for HIPAA covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic PHI (e-PHI). In short, covered entities must identify and protect against reasonably anticipated threats to the security of e-PHI (one thing Affinity failed to do in the above example), protect against anticipated, impermissible uses or disclosures of e-PHI, and ensure compliance by their workforce.
The lengths a covered entity must go to in order to fulfill its obligations under the Security Rule will depend, in part, on the entity’s size and complexity, the costs of security measures, and the likelihood and possible impact of the potential risks to e-PHI.
The Privacy Rule also requires all health care providers to keep individuals notified of how the entity uses and discloses PHI about the individual, along with the individual’s rights and the entity’s obligations with respect to PHI.
Health care providers must make a written notice available to any person who asks for it and must prominently post and make the notice available on the entity’s web site. It is important for all health care providers to review and update their privacy practice policies and notices regularly.
Sample notices were recently released by HHS, which implement 2013 revisions to the Privacy Rule. These samples can be found at http://www.healthit.gov/providers-professionals/model-notices-privacy-practices.
Bryce J. Mackay is an attorney with Jeffers, Danielson, Sonn & Aylward, P.S., a Wenatchee law firm. Bryce is a member of JDSA’s Commercial Group, practicing in health care, data privacy, corporate law, estate planning, and probate.