The US Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has joined the New Hampshire Attorney General’s Office in an investigation of Wentworth-Douglass Hospital in Dover, New Hampshire, concerning HIPAA violations based on allegations that upwards of 1,500 patient records were improperly accessed and altered. Two pathologists who learned of the incident allege the hospital retaliated against them for reporting the HIPAA breach. The hospital contends that a comprehensive audit which resulted in the termination of the employee who accessed and altered the files, as well as notification of the breach to the physicians but not the affected patients, resolved the matter. However, CMS surveyors have begun conducting a survey of the hospital’s privacy issues, medical recordkeeping, and quality assurance to determine whether the facility meets the Medicare and Medicaid “conditions of participation” for reimbursement under the federal programs. Deficiencies discovered during the survey in turn would result in a full survey of the hospital. In addition to possible HIPAA violations, New Hampshire law requires businesses, presumably including hospitals, to notify consumers “as quickly as possible” regarding data breaches of computerized, unencrypted personal information. The state law also requires the business to inform the New Hampshire Attorney General or state regulators of the breach.

TIP: Be sure to comply not only with HIPAA but also with all applicable state laws governing consumer medical data, including state breach-notification requirements.