The first HIPAA settlement of 2020 brings home a couple of key considerations for compliance. The first is to be comfortable with one’s own level of adherence to HIPAA before filing a report (even a necessary one) that will inevitably result in an investigation. The second is that no healthcare entity is too small for the Office for Civil Rights (“OCR”) to take a look and impose a monetary penalty.
A bit of background on the settlement involving Steven A. Porter, M.D., P.C. (the “Practice”) will be helpful. According to the Resolution Agreement, the Practice submitted a breach notification to OCR in November 2013 complaining that the Practice’s electronic medical record vendor was denying access to the Practice’s medical records unless a fee was paid. Because it could not access its own medical records, the Practice told OCR that a breach had occurred, which was arguably a correct interpretation: a loss of availability of protected health information can qualify as a breach even when no data has been disclosed.
In the spirit of no good deed going unpunished, OCR then investigated the Practice. An investigation should not have been surprising, since most breach notifications trigger some level of investigation. Here, however, the investigation proved to be the Practice’s downfall. Once OCR got in the door, it could find neither a risk analysis nor appropriate documentation of any other security obligations. Additionally, OCR did not find appropriate documentation of the business associate relationship with the electronic medical record company, that is, no business associate agreement.
Interestingly, OCR’s press release concerning the settlement goes into more detail about the problems leading to the settlement than the Resolution Agreement does. The primary detail, and likely the biggest factor in the decision to issue a penalty, is the following statement: the Practice “despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”
When OCR shines a light on the path to compliance, take it. This is not a new concept, nor one that is coming out of nowhere. OCR’s historical practice has been to offer technical assistance quietly when an issue is reported rather than blow a problem out into the open. If OCR’s hand is forced, though, because widespread non-compliance is not being addressed despite what was arguably a lot of help, its patience can only last so long.
Underlying the need to heed advice from OCR is the initial premise that all policies and procedures should be reviewed before taking any action that will likely prompt OCR to investigate. An organization alleging that an electronic medical record company was blocking access to data, especially in 2013, should have known that the allegation would draw an attentive response. Without knowing all the facts, it is fair to suspect that drawing attention to the alleged wrongdoing was the motivating factor in submitting the breach notification. Regardless, before taking that step, an organization should absolutely ensure that it will be able to demonstrate its own compliance and not draw ire upon itself. Based on the reported facts, the Practice did not take that set of circumstances into consideration. Instead, the Practice seems to have just winged it, which is not likely to be a good approach.
Winging it on compliance leads to the second issue underscored by this settlement: OCR can and will expect compliance from entities of all sizes. It is possible that the settlement with the Practice is the first one with a solo physician practice. Size does not matter, though, when it comes to compliance. HIPAA applies in a blanket manner to all organizations that fall within its scope. The Security Rule is flexible and scalable, which means the Practice’s compliance, if done well, would very likely have looked different from that of a major hospital system. Even though the nature of the compliance would have looked different, that does not mean compliance could be skipped. Hopefully, this settlement is a wake-up call that deliberate ignorance of, or disregard for, obligations will result in a problem arising.
A final matter to touch on is what happened to the electronic medical record company in this matter. The conduct underlying the complaint certainly sounds like prototypical information blocking and something that should not have occurred. Under the pending regulations that derive from the 21st Century Cures Act, the activity, if it happened, would clearly not be permissible. Even without those regulations, a business associate is on shaky footing at best if it wants to prevent a physician or other covered entity from accessing the patient data that the covered entity created. Blocking access is not a good look and should be bad for business.
As always, the HIPAA settlement provides some lessons and food for thought. To avoid similar troubles, every organization should take the time to review its policies and procedures and then take an honest look in the mirror.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.