Are Solo and Small Medical Practices Safe from HIPAA penalties?


(Updated December 22, 2020)

This year, we are all talking about small turkeys, small social bubbles, and small outdoor gatherings. Many are spending the holidays alone.  The pandemic is raging and our healthcare system is straining to keep us all safe. But solo and small medical practices are not safe from privacy and security enforcement under HIPAA.

While investigations of and fines imposed on larger health systems and insurance companies make headlines, in the last two years, the Department of Health and Human Resources Office for Civil Rights (OCR) has settled enforcement actions brought against a number of solo or small healthcare providers, resulting in substantial fines that can significantly impact profitability and even the ability to remain in practice. 

And when the OCR conducts an investigation into one issue, it is likely to find other problems with HIPAA compliance. These findings generally result in negotiated settlements with high monetary penalties and lengthy Corrective Action Plans (CAPs) which require the practice to provide regular reports to the OCR and may require a comprehensive review and revision of the practice’s overall HIPAA program under OCR’s ongoing review and oversight. 

So, how did these practices attract OCR’s attention, and what were the consequences and takeaways? 

Interactions with Media

Two of the investigations into small practices grew out of complaints filed with the OCR regarding interactions with televised and social media. 

  • Allergy Associates of Hartford, PC, a 3-physician practice, agreed to a $125,000 fine after OCR received a complaint that protected health information (PHI) was disclosed to a reporter for a local TV station that was investigating a dispute reported by the patient. OCR also noted that the practice had failed to sanction the workforce member who spoke to the reporter.

  • Elite Dental Practice, a now-closed solo practice, agreed to pay $10,000 following a complaint that the dentist disclosed PHI while responding to a negative review on Yelp. OCR’s subsequent investigation found multiple disclosures of PHI on Yelp, as well as failures to implement policies and procedures and to include the minimum required content in its Notice of Privacy Practices. In negotiating the settlement, OCR took into account Elite’s size, financial circumstances and cooperation with the investigation.

Breach Reports

In one situation, OCR commenced an investigation of a solo practice following a report of a breach. 

  • Steven A. Porter, M.D. reported that a subcontractor of his electronic health record company (Dr. Porter’s business associate) impermissibly used PHI by blocking patients’ access to PHI pending payment to the subcontractor of $50,000. Dr. Porter agreed to pay $100,000 after OCR’s investigation found that he had failed to: 1) conduct a risk analysis; 2) implement security safeguards; 3) develop HIPAA security policies and procedures; and 4) obtain a business associate agreement with the electronic health record company. 

Failure to Provide Access to Medical Records

In the past year or so, OCR commenced a right of access initiative that has included investigations into a number of small practices following receipt of patient complaints. 

  • NY Spine Medicine, which appears to be a solo practice with several nurses and medical assistants, agreed to a $100,000 fine following a complaint that it had failed to respond to multiple requests for a copy of a patient’s medical records and that it failed to provide all requested records, including diagnostic films. OCR also contacted the practice multiple times by mail and phone without response. 

  • Rajendra Bhayani, M.D., a solo practitioner, agreed to a $15,000 fine after he failed to provide a copy of medical records even after receiving a technical assistance letter and two additional letters from the OCR. 

  • Korunda Medical, LLC, a 7-physician practice, agreed to pay $85,000 for failure to provide requested records to a third party in electronic format. OCR sent the practice a technical assistance letter following an initial complaint, but received a second complaint regarding the same records. 

  • All Inclusive Medical Services, whose website shows a total staff of 22, agreed to a $15,000 penalty after it refused to provide a patient with access to and a copy of her medical records.

  • Peter Wrobel, M.D., P.C. dba Elite Primary Care, a 3-physician practice, agreed to pay $36,000 for failure to provide access to medical records. OCR sent the practice a technical assistance letter with detailed instructions after the patient filed the first of two complaints.

This fall, OCR seems to have had a special focus on psychiatrists. In one case, OCR explained that while HIPAA does not require production of psychotherapy notes, a practice must provide a written explanation if it denies access to any records and must provide access to all other medical records.

  • Riverside Psychiatric Medical Group: $25,000 after failing to provide a copy of medical records despite multiple requests. OCR sent a technical assistance letter but received a second complaint regarding the same records.

  • Wise Psychiatry: $10,000 after it failed to provide a patient’s parent with access to the minor patient’s complete medical record (including the patient’s birth certificate and the parent’s driver’s license).

  • Patricia King, MD & Associates: $3,500 for failure to provide access to medical records. OCR sent Dr. King a technical assistance letter but received a second complaint regarding the same records.

Takeaways for Practices of All Sizes

  1. Be careful when speaking with reporters and reviewing social media activity. Do not take the bait and disclose PHI. 

  2. Develop complete and easy-to-understand HIPAA privacy, security, and breach response policies and procedures that are tailored to your practice. These policies must include sections on business associate agreement requirements and patients’ rights. Make sure that your staff understand the policies and know whom to contact with questions. 

  3. Conduct regular and as-needed training on your policies and procedures and provide regular reminders of key issues. 

  4. Make sure you have conducted a risk assessment and analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI. Review and update it regularly, and as you implement new systems and processes. Adopt appropriate security measures.

  5. Obtain business associate agreements as required by HIPAA in order to ensure that your business associates and their subcontractors will protect the PHI that they obtain on your behalf. 

  6. Understand your obligations to provide patients with access to their medical records, including the timeframe, format, and reasonable fees. If applicable, understand the distinctions between psychotherapy notes and other medical information.

  7. Review your Notice of Privacy Practices and make sure it is up to date, provided to patients as required and posted on your website.

  8. Do not ignore technical assistance letters or other communications from the OCR. In addition, cooperate with OCR during investigations; doing so may result in reduced fines.

  9. Stay safe during this challenging time.