As Telehealth grows and becomes more relevant to healthcare, so too must the protections around it. Through Telehealth, medical providers are creating, storing, exchanging and deleting Electronic Protected Health Information (ePHI) all the time; but is this safe? Can video streams be tapped without their knowing? Is the information that’s stored online secure? Will PHI end up in public view? HIPAA regulations set standards to prevent these outcomes, but are providers and their business associates following them? Here’s what happened to 10 that didn’t.
(These 10 are not in any particular order and were chosen only to illustrate the various reasons for which one can be penalized and the amounts involved.)
1) $4.8 Million – New York-Presbyterian Hospital and Columbia University Medical Center
This was the largest HIPAA settlement at the time, although the OCR had been investigating large-scale violations since before this incident in early 2014. What makes this case unusual is that it was a joint breach between NYP and CU caused by the actions of one CU physician. According to HHS’ report: “The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” The sensitive health information of 6,800 people was released to the internet; this is definitely cause for a hefty fine. After a full investigation sparked by this incident, OCR found these other violations:
- Failure to conduct an accurate and thorough risk assessment
- As a result, missing risk management and contingency plans
- No implemented policies and procedures for authorizing access to its databases
2) $445,000 – Presence Health
A significantly smaller fine than the last, but still not small: the U.S. Department of Health and Human Services fined Presence Health for failing to provide timely breach notification. (According to the HIPAA Breach Notification Rule, Covered Entities must notify the affected individuals within 60 days of discovery.)
3) $2.14 Million – St. Joseph Health
A nonprofit but large network, SJH was served a hefty fine along with a comprehensive corrective action plan. It was reported to have ePHI that was publicly accessible through internet search engines. Other violations include:
- Vulnerabilities to the PHI of 31,800 individuals
- Implementation of a new server without proper evaluation of the environmental and operational changes it introduced
- Although SJH hired a number of contractors to assess risk, as required by the HIPAA Security Rule, the assessment was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis”.
4) $2.75 Million – University of Mississippi Medical Center
Although aware of the vulnerabilities in its system since 2005, UMMC did nothing, and an investigation was launched when the ePHI of approximately 10,000 individuals was breached via a stolen laptop. The laptop provided easy access to thousands of patient files. Other violations found include:
- Did not implement policies to prevent, detect, contain and correct security violations
- Lacked policies on physical safeguards (i.e: for workstations, restricting access to ePHI)
- Did not assign unique user identifiers to track and identify users in its information systems
- Did not notify individuals of the breach
5) $1.7 Million – Alaska Department of Health and Social Services
This one is included to show that even a state health division must be careful to follow HIPAA regulations. There are no exceptions; if you are investigated by the OCR, you are not immune to penalty. In this incident, an unencrypted hard drive containing PHI was stolen from an employee’s car. This sparked an investigation which found the following violations:
- No risk assessment
- Did not implement security measures
- Neglected to have security training
6) $4.3 Million – Cignet Health Center
OCR had investigated Cignet for refusing 41 patient requests for their medical records, a violation that resulted in a $1.3 Million fine. This wasn’t the only violation Cignet committed. It also refused OCR’s request for records and refused to cooperate overall, and was fined $3 million for this.
7) $650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia
Due to the theft of an employee’s mobile device containing PHI of nursing home residents, CHCS was fined over half a million dollars. The company is a provider to six nursing facilities, but it had neglected to follow these HIPAA rules:
- Encrypt any ePHI that is created, received, maintained, etc.
- Conduct an enterprise-wide risk analysis
- Have a contingency plan
- Train staff on security measures
8) $750,000 – Raleigh Orthopedic Clinic, P.A. of North Carolina
This hefty fine was simply the result of not having a Business Associate Agreement (BAA). This is a section of HIPAA that many are finding they cannot disregard. Raleigh Orthopedic had disclosed the information of over 17,000 patients to a potential partner without signing a BAA, and therefore without protecting its patients’ information from misuse and improper disclosure. While it may seem easy to overlook, the consequences are no light matter.
9) $1.55M – North Memorial Health Care of Minnesota
Just to underscore the importance of a BAA, here is another fine issued by the OCR. This fine was particularly expensive because North Memorial had released the information of almost 300,000 patients. In the end, it had overlooked two major cornerstones of the HIPAA rules:
- BAA
- Enterprise-wide risk assessment
10) $750,000 – University of Washington Medical
Because an employee opened an email containing malware, the ePHI of 90,000 individuals was compromised. In addition to this, the OCR fined them for not having procedures to prevent, detect, contain and correct such violations. Along with this relatively small fine (though not at all small on its own), they must now follow a corrective action plan with annual reports on their compliance efforts.
The main reason to follow HIPAA regulations so closely is to protect our patients, clients and ourselves. Privacy and confidentiality are increasingly cherished these days, and we have to work to secure them. For those of you who need another reason, these penalty examples are for you. For those who are genuinely concerned, don’t worry; just take action. The theme in these incidents is repetitive and preventable:
- Have a signed BAA with anyone handling your PHI
- Guard your mobile devices and encrypt them
- Implement security policies and procedures
For some of the same reasons telemedicine is being welcomed into hospitals, prisons and private practices, we are finding that it’s also gaining popularity with schools. Moving past those general reasons, here’s what makes telemedicine in schools particularly special:
Image from ArkansasOnline: Rural Arkansas schools to go telemedicine route
It keeps kids on campus and in classrooms!
Kids get scrapes, sniffles and sneezes as surely as the sun rises every day, and while many schools have an onsite nurse, only some nurses are permitted to independently administer medication. The difference in permission depends on licensure and state certification, which Registered Nurses (RNs) are given and Licensed Practical Nurses (LPNs) are not. This important detail factors into why Telemedicine in schools matters.
(Quick difference between the two types of nurses:)
RN: 2-4 year college degree and exam in the state they work. Allowed to perform various medical activities and make decisions about how and when to treat injuries or illnesses.
LPN: High school diploma, nursing program and exam for a license. Their actions must be supervised by an RN or doctor.
According to Deb Group, which specializes in occupational skin care and hand hygiene, there are 164 million lost school days per year among students in K-12. Missing school puts students at a disadvantage. Each day that a student misses school means 7.5 hours of catch-up in addition to the hours they already have. It’s burdensome and overwhelming, and we haven’t even considered that the day they missed may have been a test prep day.
So let’s consider the case of an asthmatic child enrolled in a school staffed by LPNs. The child is wheezing and gasping for air and seeks the nurse for help. The LPN recognizes this as an asthma attack and has access to asthma medication; however, the law prevents the LPN from administering it. At this point the child can be in desperate need with the remedy readily available, but only a doctor or RN is permitted to provide medication.
In this time-sensitive situation the LPN is only authorized to call an ambulance and/or the legal guardian and wait. By the time they finally arrive, the condition may have worsened, causing the student to lose the rest of the day and maybe another for recovery.
How having Telemedicine helps
If the school had implemented telemedicine, the LPN could have contacted an offsite doctor or RN to show them the child and ask about the appropriate steps to take. Seeing the child, the doctor or RN would then be able to make a diagnosis and authorize the LPN to act on their behalf (while they supervise) and treat the child in need right then. Telemedicine is not only beneficial for helping kids with asthma. A similar scenario could play out for a stomachache, headache, earache, fever, strep throat – you name it.
This is not to say that secure video conferencing can end all mid-day visits to the family doctor’s office. Instead, it should be seen as a frontline solution that can help treat kids right away – at school – and get them back in classrooms so they don’t fall behind.
Here are the states that already authorize Medicaid reimbursement for telemedicine services in schools. Does Medicaid offer reimbursements for telemedicine in your state?