For Calendar Years 2009 and 2010:
The Department investigated and resolved over 150 cases involving allegations of violations of the Security Rule by requiring changes in security practices and other corrective actions by covered entities. The Department has successfully enforced the Security Rule in all cases where an investigation indicated noncompliance by providing technical assistance to and requiring the covered entity to take corrective actions. Corrective actions taken by covered entities include: correcting any problems indicated by evidence in the investigation; training employees; sanctioning employees; revising policies and procedures; and mitigating any alleged harm. Corrective actions obtained by the Department from covered entities have improved the privacy protection of health information for individuals served by such covered entities. The Department has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.
In another 139 cases, investigations by the Department found that no violation of the Security Rule occurred.
Other Security Rule Resolutions
From April 20, 2005, the compliance date of the HIPAA Security Rule, to December 31, 2010, OCR received 803 complaints alleging violations of the Security Rule. The Department resolved 577, or seventy-two percent, of the complaints received.
In the remaining 288 resolved cases, the Department determined that the complaints did not present eligible cases for enforcement of either the Security Rule or the Privacy Rule. In these cases, the Department also lacked jurisdiction under the Rules, because the complaint alleged a violation prior to the compliance date, alleged a violation by an entity not covered by the Rules, was untimely or withdrawn, or because the activity described in the complaint did not violate the Rules. Also during this time period, the Department opened 38 compliance reviews and closed 23 compliance reviews.
The following examples are summaries of actual Privacy and Security Rule cases investigated and resolved by the Department in 2009 and 2010.
- An individual filed a complaint with OCR alleging that a private practice physician denied her access to her medical records because she had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the individual was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual with access to her medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.
- An individual who was both a patient and an employee of the hospital filed a complaint with OCR alleging that her PHI was impermissibly disclosed to her supervisor. OCR’s investigation revealed that the hospital distributed an Operating Room (OR) schedule to employees via e-mail; this OR schedule contained information about the individual’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR schedule with the individual’s supervisor, who was not part of the employee’s treatment team, and did not need the information for payment, health care operations, or other permissible purposes. The hospital disciplined and retrained the employee who made the impermissible disclosure. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have “a need to know.”
- A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence. OCR required the covered entity to cease using the patient agreement that conditioned the entity’s compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.
- Media reports indicated that computer backup tapes containing electronic PHI for two million individuals were stolen from a vehicle used by a hospital’s off-site storage vendor. OCR investigated the surrounding circumstances and subsequently instituted a compliance review to evaluate the hospital’s overall compliance with the Security Rule. The compliance review revealed gaps in the hospital’s Security Rule compliance program. As a result of the review, the hospital developed a corrective action plan, which included: the adoption of encryption technologies on all backup tapes that contained electronic PHI; termination of the off-site storage contract and reevaluation of contractor requirements to transport and store backup tapes; improvements to security awareness training policies; and revision of the process for periodic review and updates of policies and procedures.
- An individual filed a complaint with OCR after receiving a letter from a health care clinic reporting the theft of a computer that held PHI. OCR’s investigation determined that the computer had been stolen while a reception desk was left unattended and that the electronic PHI on the computer’s hard drive was not encrypted. OCR’s investigation revealed that, following the theft, the covered entity took corrective actions to improve its physical security safeguards and prevent similar unauthorized disclosures from occurring in the future. The entity retrained its employees on privacy and security policies and procedures, encrypted its computers and electronic devices, installed locking mechanisms, and instituted a policy of closing and locking doors when offices were unattended.
- An individual filed a complaint with OCR alleging that the PHI of health plan members was available on the internet through online searches. OCR’s investigation of the complaint revealed gaps in the covered entity’s Security Rule compliance program. Specifically, the entity implemented system changes to its web servers without analyzing the associated risks, and without performing an evaluation of how well its security measures responded to the changes, as required by the Security Rule. As a result, the entity was unaware that unsecured member information was exposed on the internet and did not take actions to evaluate and revise its practices until several months later, when it was notified of the impermissible disclosure. At the conclusion of the investigation, OCR obtained assurances from the entity that it had initiated evaluations of its existing security measures and modifications of its policies, procedures, and system designs to secure its members’ PHI.
- An individual filed a complaint with OCR alleging that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.
- A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. Activities considered "preparatory to research" include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. Further, a researcher may not remove PHI from the covered entity. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. Under the revised policies and procedures, the practice may disclose PHI to an outside researcher for research recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board.