The following case, which resulted in a complaint to the HHS Office for Civil Rights with a subsequent investigation and corrective action, demonstrates that HIPAA privacy violations can readily occur with paper health records and by small providers that may seem to operate under OCR’s radar. It also demonstrates that health consumers are often aware of HIPAA violations when they see them, and they do take action:
A dental office was in the practice of flagging some of its medical records with red stickers containing the word “AIDS” on the outside cover. Further, office staff handled the records in a manner such that other patients and staff could read the stickers, even though they had no reason to know about the patients’ diagnoses.
- What HIPAA violation(s) can be identified in this scenario?
- What are some ways to identify records of AIDS patients to safeguard staff while also maintaining the privacy of the patients?
- As a representative of the Office for Civil Rights, what corrective action steps would you require the dental practice to make? Create these steps
- What other types of mitigation could the dental practice employ?
- Presume that this office had electronic health records instead of paper records. Would the risk of a privacy violation be as great? How could records of AIDS patients be identified to safeguard staff, while also maintaining the privacy of the patients? Construct these methods.