A recent action by the Connecticut Medical Examining Board (a unit of that state's Department of Public Health) should remind covered entities and business associates that it is not only the federal government that can act to enforce HIPAA's privacy requirements. In a consent order dated March 21 but officially accepted in mid-June, Dr. Gerald Micalizzi accepted a $20,000 fine, six months' probation, and additional education requirements for inappropriately accessing the records of patients at Connecticut's Griffin Hospital.
Dr. Micalizzi, an interventional radiologist, worked for a company contracted by the hospital to provide radiology services. His position at the hospital was terminated, along with his access to the hospital's electronic record system, as of February 3, 2010. From February 4 through March 5, 2010, however, Dr. Micalizzi used the system credentials of another physician (who was unaware his credentials were being used) to access nearly 1,000 patient records. He downloaded information belonging to 339 of these patients and contacted them personally to inform them that he would be providing radiology services at another facility.
The consent order permits the fine to be paid in four monthly installments and requires that Dr. Micalizzi complete courses in physician ethics and patient confidentiality.
Ober|Kaler's Comments
An apparently simple case offers several important reminders for covered entities and business associates alike:
- Workforce members may pose the largest threat to your HIPAA compliance efforts. They may, like Micalizzi, actively seek to circumvent access controls, or they may simply be lax about protecting their access credentials, as was the unnamed physician whose credentials were used here.
- Routine access audits are a must. Nearly 1,000 record accesses under a single physician's credentials over one month is the kind of pattern an audit is meant to surface; it would have been far better had the hospital caught the improper access before Dr. Micalizzi began contacting patients.
- State attorneys general are empowered to bring civil actions, but licensing boards may also act on violations of patient privacy requirements, generally under their broad powers to sanction "unprofessional conduct" or under state patient privacy laws.
- There is no way of knowing how this apparent breach was handled between the hospital and Dr. Micalizzi's employer. The fact pattern, however, is a good reminder that Business Associate agreements MUST spell out the steps each entity will take to report identified breaches to the other. Going a step further, it is not a bad idea to include indemnification provisions as well, to protect each entity from the intentional or grossly negligent actions of the other party's workforce members.
- The Medical Examining Board's decision may or may not be the end of this particular matter. HHS OCR and the Connecticut Attorney General each remain free to initiate their own investigation and to bring their own civil or administrative enforcement actions against Dr. Micalizzi, the hospital, or the contracted radiology provider.
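As an added illustration of the "routine access audits" point above (this is example code written for this page, not part of the Ober|Kaler commentary, the consent order, or any hospital's system), the script below runs two checks a compliance or security team can automate over an EHR audit log: a volume check that flags any account whose count of distinct patients viewed in a day jumps well above that account's own baseline (the pattern that a colleague's borrowed credentials produced here), and a deprovisioning check that flags any access under an account whose holder's employment has ended. The log format, the account names (drjones, druser7), the termination date, and all log lines are constructed for the example and do not describe real data.

```python
"""Minimal routine EHR access audit (illustrative example, not production code).

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 timestamp> <account> <patient_id> <action>
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Hypothetical deprovisioning list: account -> last day of employment.
TERMINATED = {"druser7": date(2010, 2, 3)}


def build_sample_log():
    """Constructed sample audit-log lines (not real data)."""
    lines = []
    day0 = date(2010, 1, 11)  # a Monday
    # Baseline: drjones views 5 distinct patients each weekday for three weeks.
    for d in range(21):
        day = day0 + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for i in range(5):
            lines.append(f"{day.isoformat()}T09:{i:02d}:00 drjones P{d:02d}{i:02d} view")
    # Anomaly: one night, 60 distinct patients are viewed under drjones's credentials.
    burst = date(2010, 2, 10)
    for i in range(60):
        lines.append(f"{burst.isoformat()}T22:{i:02d}:00 drjones Q{i:04d} view")
    # druser7 works normally on Feb 1, then appears again after the Feb 3 termination date.
    lines.append("2010-02-01T10:00:00 druser7 P0002 view")
    lines.append("2010-02-05T13:00:00 druser7 P0001 view")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, account, patient_id, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, patient, action = line.split()
        events.append((datetime.fromisoformat(ts), account, patient, action))
    return events


def distinct_patients_per_day(events):
    """Map (account, day) -> number of distinct patients that account touched that day."""
    seen = defaultdict(set)
    for ts, account, patient, _ in events:
        seen[(account, ts.date())].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_volume_anomalies(events, window_start, factor=3.0, min_patients=20):
    """Return [(account, day, distinct_patients)] for days on or after window_start
    where the count is at least max(min_patients, factor * the account's median
    pre-window day). An account with no baseline is judged on min_patients alone."""
    counts = distinct_patients_per_day(events)
    baseline = defaultdict(list)
    for (account, day), n in counts.items():
        if day < window_start:
            baseline[account].append(n)
    flagged = []
    for (account, day), n in sorted(counts.items()):
        if day < window_start:
            continue
        base = median(baseline[account]) if baseline[account] else 0
        if n >= max(min_patients, factor * base):
            flagged.append((account, day, n))
    return flagged


def flag_post_termination_access(events, terminated):
    """Return sorted [(account, day)] for any access dated after the account
    holder's last day of employment: either deprovisioning failed or someone
    else is using the credentials."""
    return sorted({(account, ts.date()) for ts, account, _, _ in events
                   if account in terminated and ts.date() > terminated[account]})


def run_audit():
    """Run both checks over the constructed log; audit window starts 2010-02-01."""
    events = parse_log(build_sample_log())
    return (flag_volume_anomalies(events, date(2010, 2, 1)),
            flag_post_termination_access(events, TERMINATED))


if __name__ == "__main__":
    volume, post_term = run_audit()
    for account, day, n in volume:
        print(f"VOLUME   {day} {account}: {n} distinct patients")
    for account, day in post_term:
        print(f"POST-TERM {day} {account}: access after termination")
```

The thresholds (3x the account's median day, never fewer than 20 distinct patients) are deliberately coarse; in practice a hospital would tune them per role and add context such as whether the viewing account had any treatment relationship with the patient, but even this crude check flags a month-long pattern of hundreds of record views long before 339 patients are contacted.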