HIPAA Biannual Update

Digital Debut

July to December 2019

Since ASCA’s last update in July, healthcare organizations across the country posted 241 breaches of protected health information (PHI) affecting 500 or more individuals. This is the highest number of breaches reported in a six-month span in the past three years and exceeds the number of breaches in the first half of 2019 by more than 12 percent. Consistent with previous time periods, most of the breaches—88 percent—were caused by unauthorized access or hacking. The percentage of breach investigations attributed to theft continues to decrease, comprising only 7 percent of breaches in the second half of 2019, down from 21 percent in the first half of 2017.

Within the US Department of Health & Human Services (HHS), the Office for Civil Rights (OCR) is the enforcement agency responsible for protecting rights related to health information privacy. This includes enforcement actions for violations of the Health Insurance Portability and Accountability Act (HIPAA), which delineates who can view or receive an individual’s PHI and sets standards for the security of PHI when it is stored or transferred electronically.

ASCs can take important steps to help prevent breaches and limit their liability. They can review and update policies and procedures frequently to help prevent unauthorized access, improper disposal, loss and theft of PHI. ASCs also can consult the enforcement actions published on the OCR website and consider how to avoid the mistakes made by others.

Below are selected enforcement actions that highlight certain precautions ASCs can take.

Bayfront Health and Korunda Medical

What Happened: These are the first enforcement actions under a new HHS Right of Access initiative. The initiative seeks to ensure that patients receive requested medical records promptly, at a reasonable price and in a readily producible format of their choice, as is their right under HIPAA. In the Bayfront Health case, the St. Petersburg, Florida-based hospital failed to provide a mother with the medical records of her unborn child for more than nine months, in violation of HIPAA’s access requirements, which generally require a response within 30 days of a request. Korunda Medical in Naples, Florida, a primary care practice, failed to provide a patient’s medical records in the requested electronic format and charged more than the reasonable, cost-based fees allowed under HIPAA. Each organization agreed to an $85,000 fine and to undertake a corrective action plan.

Takeaway for ASCs: The HIPAA Privacy Rule provides individuals with a legal, enforceable right to see and, upon request, receive copies of the information in the medical records that health providers maintain about them. Protecting this right has become a focus for HHS in recent years, with several new guidance documents issued since 2016 that clarify the process for handling a patient’s request for access. ASCs should be sure to review the current rules and respond to any patient request in a timely manner to avoid a penalty. A good standard to keep in mind is providing the information within 30 days, in the manner requested, and charging only the minimum costs for labor, supplies or postage associated with fulfilling the request.

Elite Dental Associates

What Happened: An OCR investigation found that Elite Dental Associates, a privately owned dental practice in Dallas, Texas, had impermissibly disclosed PHI, including names and details of health conditions, in responses to reviews on the practice’s Yelp page. Furthermore, Elite had no policies in place regarding social media interactions and no HIPAA-compliant notice of privacy practices. The eventual $10,000 settlement was a reduced amount owing to the practice’s size and financial circumstances; the practice will undertake a corrective action plan that includes two years of OCR monitoring.

Takeaway for ASCs: As with any place of service, some patients may be less than satisfied with aspects of their care at an ASC and choose to voice that opinion on public platforms. It is never proper policy, however, to discuss treatment or PHI on a public forum. As OCR Director Roger Severino noted in the settlement press release, “social media is not the place for providers to discuss a patient’s care.” If your center has a social media presence or interacts in public online spaces in any manner, there must be policies and procedures in place to ensure that a specific patient’s PHI is never disclosed.

Sentara Hospitals

What Happened: In 2017, OCR received a complaint that Sentara Healthcare, a not-for-profit organization of acute care hospitals and other care centers across Virginia and North Carolina, had incorrectly mailed medical bills that contained patient PHI. Further investigation found that Sentara had mailed 577 patients’ PHI, including names, account numbers and dates of service, to the wrong addresses. In an attempt to reduce the size of its penalty, Sentara improperly reported that the breach had affected only eight individuals. The final agreement reached between OCR and Sentara included a $2.175 million settlement, a corrective action plan and two years of OCR monitoring.

Takeaway for ASCs: Breaches can occur through simple negligence and are not always the result of a bad actor. When a breach does occur, however, it must be reported as quickly and as accurately as possible. In this case, Sentara incorrectly believed that a disclosure must include a patient diagnosis or other medical information to qualify as a HIPAA breach. Its persistent refusal to properly acknowledge the extent of the breach no doubt played a role in the eventual multi-million dollar settlement.

ASCA provides several resources to help ASCs remain HIPAA compliant. The HIPAA Resources page can be found in the Federal Regulations section of ASCA’s main site. It provides background on the act itself, as well as the four key provisions: privacy, security, breach notification and enforcement. ASCA’s facility and corporate members also have free access to the HIPAA Workbook for ASCs, a comprehensive resource for designing, updating and evaluating HIPAA compliance programs.

For more information or for questions and concerns, write to Alex Taira, ASCA’s regulatory policy and research manager.