HHS announced in a recent settlement agreement (with a corrective action plan) a long list of medical centers alleged to have violated HIPAA. The medical centers, in what appears to be a well-intentioned defense of allegations against them, disclosed information. Their argument, as detailed in this story from last year, was that the patient implicitly waived her HIPAA protection by disclosing aspects of her treatments publicly. While that argument has some logical appeal, logic does not always carry the day when it comes to the law, and in particular HIPAA’s privacy protections.
While this settlement involved a health care provider, health plans should take notice of the settlement for two primary reasons:
- It serves as yet another indication that HIPAA enforcement is on the rise.
- More importantly, it underscores that covered entities and their workforce members should not disclose protected health information unless permitted by HIPAA or pursuant to an express authorization. (Hint: communicating with a reporter without an authorization is not permitted by HIPAA.)
Given the release of the updates to the HIPAA rules earlier this year, now (or in the next couple of months) is a good time for health plan sponsors to brush up on their policies and procedures and revisit whether any workforce members need training (or a refresher of previous training).