U S Department of Health and Human Services www.hhs.gov

HIPAA Complaint Examples

In an effort to provide HIPAA covered entities with valuable information regarding CMS compliance and enforcement activities, we are now posting case examples based on actual cases that have been investigated and closed. These are general examples that reflect issues that have been regularly reported to OESS during its enforcement of the HIPAA Rules.

Transactions and Code Sets:

Complaint:  Health plan refuses to exchange a HIPAA compliant transaction
Complainant:  Provider, through a Business Associate  
Filed Against Entity:  Health Plan

A health plan was alleged to have violated the Transaction and Code Sets rule by refusing to exchange one of the adopted standard transactions with a health care provider.  Specifically, the complaint stated that the health plan did not have the capability to conduct the standard for remittance advice (X12N 835), which had been requested by the provider on several occasions.

OESS sent correspondence to the health plan requesting their response to the allegation, with proof that they were in fact conducting all of the adopted standards as required, and when requested by another covered entity.  The health plan submitted their response within 30 days of the OESS letter, as requested.  The health plan included a detailed Corrective Action Plan (CAP) that would allow the organization to conduct the standard transaction within a 90-day timeframe. OESS monitored the CAP by contacting the health plan each month and requesting the status of the programming and testing schedule.  At the end of the 90-day period, OESS verified that the complainant was able to receive the transaction as originally requested. The complaint was then closed and appropriate closure correspondence was issued to all parties involved.

Complaint: A health plan's clearinghouse charges excessive transaction fees to a provider
Complainant:  Provider
Filed Against Entity: Clearinghouse

A clearinghouse working on behalf of a health plan was alleged to have violated the Transactions and Code Sets rule by refusing to accept transactions from a provider seeking payment from the health plan unless the provider agreed to pay a minimum fee and a per-transaction fee prior to establishing connectivity.  

OESS sent correspondence to the clearinghouse notifying them that they may not charge fees or costs in excess of the fees or costs for normal telecommunications that the entity incurs when it directly transmits a standard transaction to, or receives one from, a health plan.  Since the clearinghouse is contracted with the health plan, the health plan is responsible for any cost above that which would be required if the health plan and the provider were to exchange transactions directly without the use of a clearinghouse. The clearinghouse modified the agreement by eliminating the fees and allowed the requested transactions from the provider to be processed. The parties involved in the complaint were notified and the complaint was closed.

Security:

Complaint:  Patient data visible to any user on a provider's appointment scheduling website
Complainant:  Patient
Filed Against Entity:  Provider

A provider utilized the services of a software vendor to develop and maintain an on-line system that captured demographic and other personal health information for the purpose of scheduling appointments. The website had not been properly secured by the software vendor and patient information was viewable by anyone else who visited the site (e.g. to schedule their own personal appointments).  A patient contacted OESS to complain about the situation.

OESS immediately contacted the provider by phone to inform him that the sensitive website information was available to unauthorized users, and requested that the site be shut down immediately.  The provider contacted his software vendor, who promptly corrected the program defect that resulted in the error.  The provider then followed up with a letter to OESS containing a corrective action plan that included a new software vendor agreement with appropriate security requirements included.  The new software vendor agreement provided the necessary assurances that EPHI would be made available only to authorized users of the provider's website. OESS verified that the website was secure and the complaint was closed. Appropriate closure correspondence was issued to all parties involved.

Complaint:  A pharmacy allowed multiple employees to use a single login ID and password to access systems containing EPHI
Complainant:  Covered Entity Employee
Filed Against Entity:  Pharmacy 

A pharmacy allowed a group of workforce members with similar organizational roles to use a single login ID and password to access systems containing EPHI. This practice was a violation of the pharmacy's written policies and procedures but was allowed to occur because that portion of the organization was not included in the entity's existing security risk assessment.

OESS sent correspondence to the pharmacy describing the alleged violation and requesting a response either refuting the situation or describing the means by which they would correct it.  The pharmacy responded with a corrective action plan that acknowledged the oversight and provided details that included termination of the ID and password shared by the employees and the re-issuance of unique logins and passwords to those employees. In addition, the corrective action plan provided evidence of security policy and procedure reminders sent to all employees and an updated risk analysis for this particular unit. OESS validated that the necessary changes and policy updates had been made and closed the case.

Page Last Modified: 09/03/2008 5:19:09 PM