Parkview Health System will pay $800,000 and adopt a corrective action plan as a result of deficiencies in its HIPAA compliance program

Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are just plain bad for business and as the old saying goes an ounce of prevention is worth a pound of cure.   When was the last you had an external review to identify risks?  The compliance team at Parkview Health System is probably asking themselves today whether a once of prevention could have saved $800,000 dollars and an immeasurable loss of confidence in the community.

Parkview Health System, Inc. agreed to settle potential Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

Notably, this settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities and business associates proactively review the mandatory requirements under HIPAA and carefully evaluate and monitor to compliance. To ensure you are compliant, you and business associates should update security policies and procedures and provide ongoing HIPAA compliance training. SiddelLaw can assist you in implementing protections as well as conduct an in-depth risk assessment. If you have any questions or require assistance developing and implementing a compliance plan for your entity or conducting a risk assessment, please contact an experienced healthcare attorney at 831-718-9340.

Even Responding to Fraud Allegations can be Risky

Last week a regional California medical center entered a $275,000 settlement for disclosing patient information to the media, spotlighting HIPAA’s tight reign over covered health providers even when they try to defend their reputations against fraud allegations. On June 13, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new settlement with Shasta Regional Medical Center (“SRMC”) related to the medical center’s use and disclosure of protected health information while attempting to rebut media reports of alleged Medicare fraud. The settlement includes a one-year corrective action plan covering 16 facilities and serves as a sharp reminder that under HIPAA, a covered entity often cannot use or disclose protected health information to respond to allegations without patient authorization, even if the information is publicly known or disclosed by a patient. The settlement stems from a 2011 media report alleging Medicare fraud. In response, SRMC allegedly disclosed protected health information to substantiate that it provided and billed for appropriate medical services. Senior leadership also allegedly sent an e-mail to its entire workforce and medical staff of 785 to 900 persons detailing the patient’s medical information in response to the media attention. According to the resolution agreement, SRMC also allegedly failed to sanction any employees for HIPAA violations related to the incident. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf Contact Siddel Law for advice on how to respond to Health Care Fraud Allegations