This Legal Alert discusses recent updates regarding the Privacy and Security regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA).
The Department of Health and Human Services Office of Civil Rights (OCR) has received 32,487 complaints regarding the HIPAA Privacy regulations. It has referred 419 cases to the Department of Justice (DOJ) for criminal investigation. In addition, OCR has referred 215 cases that may represent potential violations of the HIPAA Security regulations to the Centers for Medicare and Medicaid Services (CMS). CMS has also announced that it will begin on-site reviews of hospitals' compliance with the Security regulations, expecting to review 10 to 20 hospitals in the next nine months. The first reviews are expected to be of hospitals where CMS has received complaints about security practices and larger hospitals nationwide. Remote access to data and use of portable storage devices are among the issues that CMS is expected to review.
In addition, a New York State appellate court recently ruled that punitive damages may be imposed on a health care provider for unintentional but grossly negligent and/or reckless breaches of confidentiality or breaches that show callous indifference to a patient's right to confidentiality, where the breach has the potential to cause significant harm to the patient. The court stated that the right of patients to privacy of protected health information is so important a public policy that even an inadvertent breach might in some cases warrant punitive damages. The defendant in the case discussed with a patient's mother information regarding the patient, which led the mother to surmise that her daughter had had an abortion at defendant's clinic. Punitive damages are not always covered by malpractice insurance. Providers dealing with patients under care of a very sensitive nature (HIV-related illness, abortion, sexually transmitted diseases, mental health issues, alcohol and substance abuse treatment, etc.) should be particularly mindful of this case, as it is likely that the disclosure of those types of information might lead to the same analysis by a jury or court.
For providers, these developments further support the need for a sound HIPAA compliance plan. Ensuring compliance before a complaint or investigation is far more effective, and much less expensive than defending an investigation or other review. Hiscock & Barclay, LLP has experience in assisting providers with HIPAA-compliance efforts, including the provision of training, and with responding to regulatory reviews and investigations.
Should you need assistance in these matters or in the development or update of a HIPAA compliance program, please contact Melissa M. Zambri, Partner in the Firm's Health Care and Human Services Practice Area.