Privacy Policies and Procedures for Small Healthcare Providers Under Scrutiny.

Although privacy incidents at the largest healthcare providers attract the most attention, the Department of Health and Human Services Office for Civil Rights (“OCR”) is actively investigating privacy and security incidents at small healthcare providers. This means that small healthcare providers, including solo practitioners, need to actively review their privacy policies and procedures to ensure full compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

As an example, a small dental practice in Texas responded to a bad review by a patient on its Yelp page, accidentally revealing protected health information (“PHI”) about the patient. The violation itself would have had consequences, but this dental practice also failed to have sufficient privacy policies and procedures to protect PHI, resulting in OCR settling with the dental practice in October of 2019. The corrective action settlement included a severe fine and a mandate to correct its policies and procedures. Another recent example pertains to a single physician who received a complaint from a patient through a reporter, and subsequently responded to questions from that reporter. OCR determined that the physician revealed PHI and violated the Privacy Rule, resulting in a six-figure fine and corrective actions to the physician’s privacy policies and procedures.

For smaller healthcare providers, these examples are reminders to frequently review and update privacy policies and procedures, then test to ensure such policies and procedures are enforced. A common issue is that many providers assume simply having the policy is enough, but OCR will review both whether the policies are in place and whether the policies and procedures are actually followed. Another common shortcoming of a small healthcare provider is neglecting to conduct sufficient diligence on its business associates, including a review of its healthcare technology providers. For a small healthcare provider, best practice means having policies and procedures that contemplate annual diligence on business associates, testing of the procedures, and review of the policies against the latest updates to the Privacy and Security Rules.

VW Contributor: Alex Rainville
© 2019 Vandenack Weaver LLC
For more information, Contact Us

Reviewing Procedures for Breach of PHI

Despite clear compliance plans, annual training, and limiting access, there is still a chance your practice could experience a breach of protected health information (“PHI”). A “breach” means the use or disclosure of unprotected information that is not permitted by HIPAA and compromises the security and/or privacy of the PHI. Most practices allocate considerable resources towards preventing breaches, but it is a good idea to review procedures in case a PHI breach should occur.

  •  When a breach occurs, first gather information. Determine what type of PHI was disclosed, who accessed it without authorization, and the number of patients exposed.
  •  Next, make every attempt to mitigate the damage. Can you ensure that the breached PHI has been destroyed or will be returned?
  •  Third, provide the necessary notifications. Patients must be notified no later than 60 days from when your practice knew or reasonably should have known of the breach. To help expedite the notification process, make sure that your patient contact information remains current.
  •  Finally, review your practice’s compliance plan, training schedules, and access to PHI to help prevent a similar breach from occurring again.

© 2012 Parsonage Vandenack Williams LLC


Hospital to Pay $1 Million to Settle HIPAA Privacy Claims

The federal government has made clear that it is serious about enforcing the HIPAA Privacy and Security Rules. Before HITECH’s data breach notification requirements were in place and being enforced, a Massachusetts General Hospital employee took documents containing protected health information (“PHI”) from her bag and placed them on the seat beside her while commuting on the subway. The documents were left on the subway and never recovered. Unfortunately, the documents included PHI of 192 patients who had been treated in the hospital’s infectious disease practice, including HIV/AIDS patients.

The hospital and its physicians’ organization have agreed to pay the federal government $1 million in fines related to the subway incident. The hospital has also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, which includes providing training to workers. The hospital is required to remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

The settlement stems from a 2009 complaint from a patient whose personal health information was lost.

Source: Donnelly, Julie M. Boston Business Journal. 24 Feb. 2011.

© 2011 Parsonage Vandenack Williams LLC
