Healthcare News & Insights

Are you watching for this uncommon HIPAA risk?

It’s important for facilities to watch out for HIPAA violations other than security breaches, since those can also lead to penalties. That is something this facility didn’t realize until it was too late.

In addition to recent settlements for breaches of protected health information (PHI), the Federal Trade Commission (FTC) announced a settlement with a company for improperly obtaining authorization to access patients’ PHI.

Improper authorization

The company at fault in this case was PaymentsMD, a medical biller that gave patients the option of enrolling in a patient portal to review their records and pay medical bills online.

PaymentsMD was in the process of developing a new registration process for the portal. This new process asked patients to authorize the company to contact their medical labs, payors and pharmacies in order to collect relevant data and PHI, such as:

  • diagnoses
  • lab tests and results
  • prescriptions, and
  • procedures received.

Allegedly, PaymentsMD asked for these four authorizations with small windows and unclear text. It also provided an option that bundled the authorizations and let patients agree to all four at once.

The FTC filed charges saying that the biller had misled patients to gain their consent without fully explaining their PHI rights.

As a result, PaymentsMD has reached a proposed settlement to resolve the charges. As part of the agreement, the company must destroy all the data it collected and must revise its registration and authorization process to meet the Privacy Rule standards.

Staying compliant

PaymentsMD got lucky because there wasn’t any monetary penalty attached to the settlement. But the case is still a good reminder about different kinds of compliance issues that can affect facilities.

For one, hospitals need to be careful when getting authorization to use or share PHI with business associates. HIPAA’s Privacy Rule has very specific guidelines about how to get consent for sharing PHI. Not keeping on top of those regulations can get you in hot water with the FTC or another government oversight agency.

Kim Stanger, a healthcare attorney with Holland & Hart, lays out some of the criteria for valid HIPAA authorizations on his firm’s health law blog.

According to Stanger, valid HIPAA authorizations:

  • can’t be bundled with other authorization requests
  • must include specific information about how the PHI will be used, who it will be used by and for how long
  • must explain patients’ HIPAA rights, including the right to revoke the authorization, and
  • must be written in plain English so patients can easily understand the requests.

Note: If patients don’t understand English, providers may be required to translate the authorization for them.

Providers should also retain the authorizations for six years.

This case is also a good reminder to be cautious when contracting with business associates, as some billers and software vendors aren’t aware of these kinds of compliance issues.

If your facility is trying to expand with a patient portal, make sure your vendor isn’t making overly broad PHI requests or asking for PHI authorization inappropriately.
