
HIPAA/Payment Processing Question


hvmt

Junior Member
What is the name of your state (only U.S. law)? Missouri/Kansas

Good afternoon,

I would appreciate any guidance on the following issue:

A bank's lockbox remittance processing facility processes payments for HIPAA-covered medical providers as a HIPAA-covered business associate. This facility also processes remittances for non-medical clients that are not HIPAA-covered entities.

The simplified process is (1) mail from remitters is received and opened; (2) the payments (checks, money orders, etc.) are run through a scanning machine that identifies the amount being paid and which accounts to debit and credit; (3) copies of the checks/payments are printed; (4) each copy is put back together with any "details" that were mailed with the payment (such as a remittance stub, explanation of benefits, letters, etc.); and (5) the check/payment copies and their respective details are mailed to the company/client.

One day, the check/payment copies (3 personal checks) for a prominent HIPAA-covered medical provider print out and are accidentally stapled to another check copy for a different, NON-HIPAA-covered company. The details for the medical payments are NOT stapled - only the check/payment copies for the medical payments are stapled. These copies, however, are then mailed to the NON-HIPAA-covered company, which reports the issue to the processing facility and returns the incorrect copies.

Multiple management members for the processing company, including the head of the department, are immediately made fully aware of the incident, including complete documentation. Rather than report the issue, however, management decides to conceal and "lose" the documentation/evidence. The incident involves one of the highest-profile medical clients for the facility, and one of the parties responsible for the mistake is part of management. The team of bank employees that had reported the issue attempts to follow up with management on the issue, but these attempts are ignored (e.g. "I don't know, I'm sure it's being handled.") or rebuffed.

Several months later (5-8 months), the same team of bank employees discovers that the incident had been concealed and never reported. This issue is raised during an HR meeting and communicated to management, which holds private closed-door meetings among management personnel only. Eventually, the only response given to the reporting team is essentially "oops, sometimes things slip through the cracks, but it's too late to report now, so we're not going to do anything."

I am a member of the reporting team. The questions I have are:

What is the severity of the HIPAA/Privacy Act incident?
Is this severity amplified by deliberately concealing, and continuing to conceal the incident?
Do I have a duty or a right to report this to the OCR? Is it significant enough to report?
Would the situation I have described likely qualify as grounds for "good cause" to extend the normal 180-day window for reporting incidents?

Thank you for your help.
 


Zigner

Senior Member, Non-Attorney
This would be an excellent thing to ask your professor for assistance on. We don't do homework.
 

Proserpina

Senior Member
How odd. I could swear this exact post has appeared several times elsewhere...but with the additional information confirming that it's not a real-world situation.
 
