[BreachExchange] The Legal Repercussions Of Tech-Based HIPAA Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 24 18:39:07 EDT 2016


http://www.healthworkscollective.com/jennacyprus/357207/legal-repercussions-tech-based-hipaa-breaches

HIPAA regulations defining the proper protocols for handling sensitive
medical information have been a great boon for patients, allowing them to
pursue appropriate care – confident that doctors, insurance
representatives, and other involved parties will protect their privacy –
but are medical professionals honoring these practices? As many within the
medical field know, most offices participate in at least some practices
that would be considered questionable under HIPAA, often simple things such
as using public sign-in sheets. Are these habits opening you up to lawsuits?

Though it’s unlikely that a single slip-up will get you in trouble, other
actions, such as irresponsible social media use by medical staff or
improper disclosures, could result in legal ramifications. It’s your job to
set the tone for your practice, so make sure to review appropriate office
behaviors with staff – and know what to do if lawyers turn up.

Digital Data Breaches

One of the most common reasons why practices are held responsible for HIPAA
violations is that office staff improperly communicate with patients or
family members, whether by disclosing information to the wrong people or by
sending medical information through texts or unencrypted emails. These
messages can be intercepted, allowing unauthorized parties to obtain
protected information, which is why it’s vital for medical offices to use
only protected channels to communicate with patients.

It’s also important to make sure employees are only accessing authorized,
relevant data when handling patient charts. Many employees find it
difficult to resist the temptation to sneak a look at files unrelated to
their work, but this is a HIPAA violation. Employees should clearly
understand that they could face legal repercussions if they are caught
participating in such behavior.

Consequences and Legal Approaches

What’s the worst that can happen if a member of your practice is held
responsible for a HIPAA violation? There are several factors you should be
concerned about. Although medical entities technically can’t be sued for
HIPAA violations, individuals can be charged in personal injury lawsuits or
criminal cases. The extent of the damage is often related to the extent and
personal ramifications of the violation, such as loss of employment or pain
and suffering.

It’s worth noting that, although cases are often adjudicated based on the
extent of damages, it is often the breaches that seem smallest that
actually cause the greatest waves in our legal system. Take, as an example,
this Indiana case in which a pharmacist disclosed protected information to
a customer’s ex-boyfriend. Upon finding out, the woman in question
successfully filed a $1.4 million suit against the pharmacy, making claims
including insufficient supervision. These cases gain little media attention
compared to major system breaches and hacks, yet those large-scale
invasions often cause far less personal disruption and harm.

Many Cases, Few Charges

HIPAA cases are also processed through the Office for Civil Rights (OCR),
but very few of the approximately 30,000 reports they receive turn into
lawsuits. That means there are many things you can do to prevent claims
against you or your staff from turning into a legal issue.

First, know that the OCR is committed to the concept of voluntary
compliance; they want your practice to be doing the right thing. That means
if staff members have been casually emailing patients unencrypted medical
information, the OCR is likely to approach your practice with reminders of
HIPAA requirements and seek a promise that you will begin using appropriate
communication channels such as EHRs and patient portals. Failure to comply
with this promise, however, can lead to sanctions and fines.

Second, although we often discuss lawsuits tied to HIPAA as though a HIPAA
violation is the underlying legal claim, patients can’t legally sue for
this reason. They are not, however, prevented from seeking another related
reason for a lawsuit. Understanding this can help your office understand
why HIPAA compliance is so important – patients know that they are entitled
to privacy, but may not know that they don’t have direct recourse to a
lawsuit if they’ve been wronged. They may then look for any other potential
cause, even a minor one, in order to feel that justice has been served.

Ultimately, correct use of the many technological solutions available to
medical professionals today can help prevent the vast majority of HIPAA
violations; they’re designed to do that very thing. This is why prompt
adoption of new solutions, even costly ones, is so vital. You may think
your old system works just fine, but failure to join in the medical tech
revolution can open the door to legal problems down the road.