Announcing: Mary Vandenack and her team are now the Omaha office of DUGGAN BERTSCH.
Omaha attorneys can still be reached via direct lines or 402-504-1300.

Privacy Policies and Procedures for Small Healthcare Providers Under Scrutiny

Although privacy incidents at the largest healthcare providers attract the most attention, The Department of Health and Human Services Office for Civil Rights enforcement (“OCR”) is actively investigating privacy and security incidents at small healthcare providers. This means that small healthcare providers, including solo practitioners, need to actively review their privacy policies and procedures to ensure full compliance with the Health Insurance Portability and Accountability Act Privacy Rule.

As an example, a small dental practice in Texas responded to a bad review by a patient on its yelp page, accidentally revealing protected health information (“PHI”) about the patient. The violation itself would have had consequences, but this dental practice failed to have sufficient privacy policies and procedures to protect the PHI, resulting in OCR settling with the dental practice in October of 2019. The corrective action settlement included a severe fine and a mandate to correct its policies and procedures. Another recent example pertains to a single physician that received a complaint from a patient through a reporter, and subsequently responded to questions from that reporter. OCR determined that the physician revealed PHI and violated the privacy rule, resulting in a six figure fine and corrective actions to its privacy policies and procedures.

For smaller healthcare providers, these examples are reminders to frequently review and update the privacy policies and procedures, then test to ensure such policies and procedures are enforced. A common issue is that many providers assume simply having the policy is enough, but OCR will review whether the policies are in place and that the policies and procedures are actually followed. Another common shortcoming by a small healthcare provider is neglecting to conduct sufficient diligence on their business associates, including a review of their healthcare technology providers. For a small healthcare provider, best practices means having policies and procedures that contemplate annual diligence on business associates, testing of the procedures, and review of the policies against the latest updates to the privacy and security rule.