Mr. D had been employed as a physician assistant in a small suburban office under the supervision of Dr. G, a general practitioner, for three years. When Mr. D was hired, Dr. G explained to him that since she was a solo practitioner and the office had little in the way of staff, Mr. D would be expected to perform a variety of duties, including some administrative work. Although he wasn’t too keen on the prospect, Mr. D accepted the responsibility.
As it turned out, Mr. D’s office duties were largely confined to a half-day, once a week. The office manager worked only in the morning each Friday, so if any recordkeeping or some other office duty needed to be handled on a Friday afternoon, Mr. D would take care of those administrative tasks that needed immediate attention.
Mr. D’s principal responsibilities, however, involved treating patients on his own or providing a preliminary clinical evaluation before Dr. G saw the patient. The office work structure kept things running smoothly, and the staff seemed to be happy with this setup.
Early one Friday morning, the office manager got a call from Mr. M, a 45-year-old, HIV-positive man who had been seeing Dr. G for routine care for more than a decade. Although Mr. M was happy with the treatment he had been receiving, his company was transferring him to another town. He called to ask Dr. G’s office to fax his medical records to his new health-care provider.
The office manager had not gotten around to faxing the records by the time she left on Friday afternoon, so this task was one of a score of jobs Mr. D needed to attend to that day. Instead of personalized fax cover sheets, the clinic used forms that the office manager printed off once a week, with blank spaces requiring the sender to complete the “to” and “from” sections.
Mr. D quickly filled in the form and sent the fax to Mr. M’s new clinician before his next patient arrived. He did not give the fax another thought until the following Monday, when the office manager came into the back office to speak to him. She was pale and looked shaken, and Mr. D immediately asked her if she was okay.
“It’s about Mr. M,” the office manager explained. “He just called, and he is absolutely furious. Apparently, someone faxed his medical records to his current employer rather than to his new clinician. This means that his company is now aware of his HIV status. Needless to say, Mr. M is extremely upset with us right now.”
“I don’t believe it,” said Mr. D, feeling a swell of rising panic. “I sent that fax out late last week. I must have accidentally copied the wrong fax number from his file. What should we do?” Both Mr. D and the office manager looked to Dr. G for guidance.
Dr. G rubbed her forehead, trying to figure out the best way to remedy the situation. “The first thing we are going to do is call Mr. M and apologize,” she announced. “Then we’ll take it from there.”
Both practitioners called Mr. M and apologized profusely for the mistake. Mr. M understood that this had not been done maliciously, but he was still not satisfied, and ultimately reported the incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). A preliminary investigation determined that the incident was not criminal, so the case was handled by the OCR rather than being referred to the Department of Justice.
After a more thorough on-site investigation, the OCR issued a letter of warning to Mr. D and ordered the office staff to undergo privacy training. The OCR also had the office revise the format of the practice’s fax cover sheets to underscore the confidentiality of the communication for the intended recipient.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to protect the personal health information of patients and specifies to providers how such information may be used. In the time since HIPAA took effect, HHS has received a total of almost 80,000 complaints. Of those complaints, more than 44,000 were dismissed, more than 19,000 were investigated and resolved with changes to privacy practice, and more than 9,000 were investigated and found to involve no violation.
According to HHS, private medical practices were most often required to take corrective action as a result of enforcement. The two compliance issues most frequently investigated are the impermissible use and disclosure of protected health information and a lack of safeguards for protected health information.
When a HIPAA complaint is filed with HHS, investigators attempt to determine if there is a possible privacy violation and whether or not it is of a criminal nature. If a violation is determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution. When the offense is not considered to be criminal, the OCR is charged with investigating the matter.
Once a HIPAA violation is confirmed, the OCR can either obtain voluntary compliance from the offender or take corrective action (often requiring the offender to engage in mandatory changes). Finally, the OCR can issue a formal finding of violation and force the offender to change its practices.
In this case, Mr. D and Dr. G immediately took corrective action by apologizing to the patient. As a result of the official investigation, Dr. G’s office agreed to two OCR recommendations: (1) to have the staff undergo special HIPAA compliance training, and (2) to change office faxing procedures, specifically indicating when faxed materials are confidential.
This situation was the result of a careless error. Mr. D was doing too much at once and not paying attention to the task at hand. While anyone can make a careless error, one such as this could cause irreparable harm to the patient, if his employer were to view or treat him differently because of the revelation of his HIV-positive status.
Confidential patient records must be treated with the greatest of care, as they often contain sensitive information. Many HIPAA cases have involved the unintentional divulging of the HIV status of a patient. In a similar case, a dental practice was reported to HHS for using red stickers and stamping the word “AIDS” on the outside of patient folders. And in a case that took place in a hospital, a nurse and an orderly lost their jobs for discussing a patient’s HIV status within earshot of other patients.
Always remember to treat a patient’s confidential information as you would want yours to be treated, and then add a little extra security for good measure.