What's the Fix?

Real-life HIPAA-compliance Issues and How They Were Resolved

The following are real scenarios taken from the Office for Civil Rights Web site. To see more examples of scenarios, visit www.hhs.gov/ocr and search the site for “HIPAA case examples” to view cases organized by issue and covered entity type.

Private Practice Implements Safeguards for Waiting Rooms

Covered Entity: Private Practice
Issue: Safeguards; Impermissible Uses and Disclosures

A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.

Private Practice Revises Process to Provide Access to Records Regardless of Payment Source

Covered Entity: Private Practice
Issue: Access

At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual’s right of access regardless of payment source.

Hospital Implements New Minimum Necessary Policies for Telephone Messages

Covered Entity: General Hospital
Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures. One addressed the issue of minimum necessary information in telephone message content. Employees were trained to provide only the minimum necessary information in messages and were given specific direction as to what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding leaving messages. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training.

Clinic Sanctions Supervisor for Accessing Employee Medical Record

Covered Entity: Outpatient Facility
Issue: Impermissible Use and Disclosure

A hospital employee’s supervisor accessed, examined, and disclosed an employee’s medical record. OCR’s investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee’s medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor’s personnel file and the supervisor received additional training about the Privacy Rule. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate.

Private Practice Provides Access to All Records, Regardless of Source

Covered Entity: Private Practice
Issue: Access

A private practice denied an individual access to his records on the basis that a portion of the individual’s record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual’s request for an amendment when the covered entity did not create that portion of the record subject to the request for amendment, no similar provision limits individuals’ rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their records regardless of whether another entity created information contained within it.

Large Health System Restricts Provider’s Use of Patient Records

Covered Entity: Multi-Hospital Health Care Provider
Issue: Impermissible Use

A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity terminated the nurse practitioner’s access to its electronic records system, reported the nurse practitioner’s conduct to the appropriate licensing authority, and provided the nurse practitioner with remedial Privacy Rule training.