LEGAL ISSUE IN INFORMATION SECURITY

profilepapiyor07
legal_ts_hipaacaseexamples.pdf

HIPAA Case Examples

© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com

This handout is a reprint of several HIPAA case examples published by the U.S. Department of

Health and Human Services (http://www.hhs.gov).

Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html

URL Last Verified: 2014-05-16

HIPAA Case Examples

Hospital Implements New Polices for Telephone Messages

Covered Entity: General Hospital

Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone

message with the daughter of a patient that detailed both her medical condition and treatment plan. An

OCR investigation also indicated that the confidential communications requirements were not followed, as

the employee left the message at the patient’s home telephone number, despite the patient’s instructions

to contact her through her work number. To resolve the issues in this case, the hospital developed and

implemented several new procedures. One addressed the issue of minimum necessary information in

telephone message content. Employees were trained to provide only the minimum necessary information

in messages, and were given specific direction as to what information could be left in a message.

Employees also were trained to review registration information for patient contact directives regarding

leaving messages. The new procedures were incorporated into the standard staff privacy training, both

as part of a refresher series and mandatory yearly compliance training.

HMO Revises Process to Obtain Valid Authorizations

Covered Entity: Health Plans / HMOs

Issue: Impermissible Uses and Disclosures; Authorizations

A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire

medical record to a disability insurance company without her authorization. An OCR investigation

indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the

Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created

a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain

patient signatures on these forms before responding to any disclosure requests, even if patients bring in

their own “authorization” form. The new authorization specifies what records and/or portions of the files

will be disclosed and the respective authorization will be kept in the patient’s record, together with the

disclosed information.

Mental Health Center Corrects Process for Providing Notice of Privacy Practices

Covered Entity: Outpatient Facility

Issue: Notice

Page 2

A mental health center did not provide a notice of privacy practices (notice) to a father or his minor

daughter, a patient at the center. In response to OCR’s investigation, the mental health center

acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental

health evaluation. To resolve this matter, the mental health center revised its intake assessment policy

and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed

acknowledgement of receipt of the notice prior to the intake assessment. The acknowledgement form is

now included in the intake package of forms. The center also provided OCR with written assurance that

all policy changes were brought to the attention of the staff involved in the daughter’s care and then

disseminated to all staff affected by the policy change.

Entity Rescinds Improper Billing for Medical Record Copies

Covered Entity: Private Practice

Issue: Access

A patient alleged that a covered entity failed to provide him access to his medical records. After OCR

notified the entity of the allegation, the entity released the complainant’s medical records but also billed

him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the

imposition of a reasonable cost-based fee that includes only the cost of copying and postage and

preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered

entity refunded the $100.00 “records review fee.”

Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety

Covered Entity: General Hospital

Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health

or Safety

After treating a patient injured in a rather unusual sporting accident, the hospital released to the local

media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the

complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-

ray and an article that included the date of the accident, the location of the accident, the patient’s gender,

a description of patient’s medical condition, and numerous quotes from the hospital about such unusual

sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to

health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy

Rule’s standard for such actions. The investigation also indicated that the disclosures did not meet the

Rule’s de-identification standard and therefore were not permissible without the individual’s authorization.

Page 3

Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to

develop and implement a policy regarding disclosures related to serious threats to health and safety, and

to train all members of the hospital staff on the new policy.

Page 4