HIPAA Violation Complaints Rising

June 25, 2020
Patient Complaints Rising Blog

#HIPAAViolation may not be trending yet, but with the way COVID-19 stories are making waves in the media – we can expect that a news feed full of unauthorized disclosures is not too far off.  As COVID-19 continues to make headlines, it seems all too common to see protected health information (PHI) plastered all over without thinking twice about the impact it has on the individual behind the positive test result. Healthcare professionals who have access to this information have been pressed with the responsibility of disclosing PHI only when necessary while also protecting the patients’ rights to privacy. 

Recently, two high-profile individuals became top news stories when their positive COVID-19 results were shared publicly. 

  • Eziekiel Elliot, a running back for the Dallas Cowboys, questioned whether the public release of his medical information was a HIPAA violation. An NFL reporter broke the news via Twitter and Elliot expressed his frustrations by responding with “HIPAA??” The football player claims that his agent only confirmed the story and the original source of the information has yet to be disclosed.
  • Louisiana Mayor Melinda Mitchell found herself in a similar position when her positive test results made the local newspapers without her consent. It’s unknown at this time where the information originated from but the Mayor’s lawyers claim to be taking the “appropriate action” to determine if HIPAA laws were violated.  

While discussion of whether the guilty parties in these instances were liable under HIPAA continues, it only takes one patient complaint like this to open the door to an investigation from the Office for Civil Rights (OCR). Even if it is determined that the practice is not liable for the violation in discussion, the OCR could find other violations during investigation. For example, the first thing the OCR usually asks for in an investigation is an up-to-date, properly documented Security Risk Analysis (SRA). Even if the patient complaint has nothing to do with your SRA – you’ll still be liable for a HIPAA fine if you’re lacking the required documentation.  

No one can argue that stopping the spread of COVID-19 is healthcare’s overarching focus right now, but oversharing to the point of a patient complaint is not what recent waivers had in mind. Even before we entered  2020, if we can remember a time before face masks and toilet paper shortages, patient complaints were on the rise – in 2019 alone there were 28,261 separate HIPAA complaints. That’s almost a 10% increase from 2018. Following the increase in complaints, investigations by the OCR have increased even more – up 14% from 2018 to 2019. If the oddness of 2020 so far has been any indication, the number of complaints can expect to skyrocket by the time we make it through to 2021.

Complaint data from HHS website.

Unfortunately, the ‘it won’t happen to us’ mindset is a recipe for disaster. Even if your practice is ‘trying to do the right thing,’ there’s no guarantee that you’ll avoid a patient complaint. Just like anyone who has ever worked in the hospitality industry can attest, there’s always that one person who doesn’t care how much you bend over backward – it’s never quite good enough. The best way to protect yourself – and your patients? Get HIPAA compliant before the complaints hit the fan.

Understanding the rise in regular complaints, coupled with how sensitive COVID-19 results are, means that all providers are walking a fine line to make sure information is shared securely and only disclosed to authorized individuals. Sharing COVID-19 information, in particular, affects the individuals named and has far-reaching ramifications beyond just their diagnosis including employment, treatment, and more. It’s important to remember that in your efforts to mitigate the risks and impact of the virus to the general public, Abyde also recommends ensuring the protection of your  patient’s privacy which will safeguard their well being and ultimately save you from unnecessary financial burdens and valuable time spent fighting HIPAA complaints.