One of the more common causes of government investigations into possible HIPAA violations is patient complaints. Some examples are:
Bayfront Health – St. Petersburg, Florida: A patient requested a copy of medical records; the medical records were not provided in a timely manner, and Bayfront Health paid $85,000 as a result of the HIPAA violation.
Korunda Medical, LLC – A patient requested a copy of medical records; the medical records were not provided in a timely manner, and Korunda Medical paid $85,000 as a result of the HIPAA violation.
Sentara Hospitals – A patient complained about receiving a bill from Sentara containing another patient’s health information. This was a systemic problem that affected 577 patients. This violation cost Sentara over $2 million.
Elite Dental Associates – This one involved an online review. A patient complained that her information had been wrongly disclosed as part of a response to a Yelp review. The investigation revealed multiple instances of this type of disclosure by Elite Dental. This cost Elite Dental $10,000.
Allergy Associates of Hartford – This is an interesting one. A patient complained to a TV reporter after being turned away due to having a service animal (This is a violation of other rules). The reporter contacted the practice for a comment on the incident. As part of their comment to the reporter, the practice disclosed patient information. This cost the practice $125,000.
The OCR (Office for Civil Rights) investigates complaints filed by patients against health care providers. There is a very user-friendly website where patients can file these complaints. The violations listed above are things that could happen to any practice. Here are some strategies you can implement to minimize the chance of your practice having these types of HIPAA Breaches:
- Have a policy for responding to medical records requests.
- Keep a log of all requests received, who received the request, when the request was received, when the request was validated, who submitted the request, who logged the request, what information was sent out as a result of the request (always keep a copy of what was sent out), and when that information was sent.
- Your staff should be trained on how to use the log and the need to ensure that all requests for medical records are properly logged.
- You should review the log on a regular basis and make sure that you are responding to all requests in a timely manner.
- Have a policy to monitor and spot check all mail that is being sent out, especially large mailings like patient bills. Very often practices will engage a third party to send out bills. If you use a third party, do you have a Business Associate Agreement (BAA) in place? Does that BAA require the Business Associate to cover all costs – including fines and settlements – if they are the cause of the HIPAA breach?
- Have a policy on responding to Online Reviews. Designate a specific person to monitor and respond to online reviews. Make sure that any potential responses are reviewed to ensure that patient information is not disclosed in the response.
- Have a policy on responding to media inquiries. Receive all requests in writing and, if you choose to respond, put all responses in writing. Have the written responses reviewed to ensure that patient information is not disclosed. Responding verbally is always problematic because once something is said, it cannot be unsaid. Written responses can be reviewed, edited and patient information removed before they are sent out.
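The records-request log described above (who received the request, when it was received, when it was validated, who submitted it, who logged it, what was sent and when) can be kept as structured records and reviewed automatically for the problems that led to the Bayfront and Korunda settlements. The following is an added example and is not part of the original article or any particular practice's system: the RecordsRequest fields follow the article's list, while the 30-day deadline, the review date and the sample requests are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed deadline in days for responding to a request. This is a
# constructed placeholder, not a figure from the article; set it to the
# deadline that applies to your practice.
DEFAULT_DEADLINE_DAYS = 30


@dataclass
class RecordsRequest:
    """One entry in the medical-records request log (fields per the article)."""
    request_id: str
    requester: str                 # who submitted the request
    received_by: str               # staff member who received the request
    received_on: date              # when the request was received
    logged_by: str                 # who logged the request
    validated_on: Optional[date] = None   # when the request was validated
    sent_on: Optional[date] = None        # when information was sent out
    sent_items: List[str] = field(default_factory=list)  # what was sent (retain a copy)


def days_remaining(req: RecordsRequest, today: date,
                   deadline_days: int = DEFAULT_DEADLINE_DAYS) -> int:
    """Days left before an unanswered request passes the deadline (negative = overdue)."""
    return deadline_days - (today - req.received_on).days


def review_log(log: List[RecordsRequest], today: date,
               deadline_days: int = DEFAULT_DEADLINE_DAYS) -> Dict[str, List[str]]:
    """Periodic review of the log, returning request ids grouped by finding.

    overdue            - not yet sent and past the deadline
    unvalidated        - information was sent before the request was validated
    sent_without_copy  - marked as sent but nothing recorded as having been sent
    """
    findings: Dict[str, List[str]] = {
        "overdue": [], "unvalidated": [], "sent_without_copy": [],
    }
    for req in log:
        if req.sent_on is None and days_remaining(req, today, deadline_days) < 0:
            findings["overdue"].append(req.request_id)
        if req.sent_on is not None and req.validated_on is None:
            findings["unvalidated"].append(req.request_id)
        if req.sent_on is not None and not req.sent_items:
            findings["sent_without_copy"].append(req.request_id)
    return findings


# Constructed sample log and review date (not real requests or people).
REVIEW_DATE = date(2024, 3, 15)
SAMPLE_LOG = [
    RecordsRequest("R-001", "patient A", "front desk", date(2024, 1, 20), "front desk",
                   validated_on=date(2024, 1, 21), sent_on=date(2024, 2, 5),
                   sent_items=["visit notes 2023"]),
    RecordsRequest("R-002", "patient B", "front desk", date(2024, 2, 1), "front desk",
                   validated_on=date(2024, 2, 2)),                 # 43 days, still not sent
    RecordsRequest("R-003", "patient C", "records clerk", date(2024, 3, 1), "records clerk",
                   sent_on=date(2024, 3, 5), sent_items=["lab results"]),  # never validated
    RecordsRequest("R-004", "patient D", "records clerk", date(2024, 3, 10), "records clerk",
                   validated_on=date(2024, 3, 11), sent_on=date(2024, 3, 12)),  # no copy kept
    RecordsRequest("R-005", "patient E", "front desk", date(2024, 2, 20), "front desk",
                   validated_on=date(2024, 2, 21)),                # 24 days, within deadline
]

if __name__ == "__main__":
    for finding, ids in review_log(SAMPLE_LOG, REVIEW_DATE).items():
        print(f"{finding}: {ids}")
    for req in SAMPLE_LOG:
        if req.sent_on is None:
            print(f"{req.request_id}: {days_remaining(req, REVIEW_DATE)} days remaining")
```

Running the review on a schedule (weekly, for example) and acting on the "overdue" list is the automated form of the article's advice to review the log regularly; the other two findings catch the cases where the log itself is incomplete.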
Often when we think of HIPAA we do not realize all of the events that may happen in our practice, and we do not plan and prepare for them. By being aware of the mistakes made by other practices, and then adjusting our policies and procedures, we can avoid the pain and cost of being the target of an OCR investigation for a breach.