An employee in the Office of Civil Rights with Health and Human Services — which enforces the federal law governing patient privacy, known as the Health Insurance Portability and Accountability Act or HIPAA — confirmed Wednesday that an anonymous complaint had been filed in March against RMC.
The employee confirmed an investigation was ongoing, but could not speculate on when it would be concluded.
However, the employee’s name was not provided because the Office of Civil Rights has a policy against releasing information about ongoing investigations.
“The Office of Civil Rights does not discuss whether an entity is under investigation or being considered for an investigation,” Amanda Fine, spokeswoman for Health and Human Services, said in a Wednesday email to The Star.
Fine did say that the findings of any investigation would be sent in writing to the complainant and the entity involved once the case was closed.
RMC CEO David McCormack said during a phone interview Wednesday that he did not know an investigation of the incident by Health and Human Services was under way.
“No, I was not aware of anything,” McCormack said. “I know we didn’t get in trouble or anything.”
The complaint was in reference to an incident that occurred in February 2010 at RMC in which a physician there faxed the names of students involved in a school bus wreck to a local law firm.
After several months of internal investigation, the RMC board in June 2010 reprimanded the doctor — whose name was not released — and forced him to attend a class on the hospital’s private policy procedures.
McCormack had previously told The Star that according to hospital attorneys, while the incident was regrettable, it did not violate HIPAA laws.
The notification Wednesday from the employee in the Office of Civil Rights with HHS was the first indication that an external investigation is under way.
According to the website of the U.S. Department of Health and Human Services, HIPAA protects the distribution of any health information that identifies an individual and that relates to an individual’s past, present or future mental or physical health, the provision of health care to an individual or the past, present or future payment for health care to an individual.
Fine said an organization could face various penalties for violating HIPAA laws, depending on the situation.
For relatively minor incidents, the Department of Health and Human Services Office of Civil Rights forces violators of HIPAA laws to make changes to their privacy practices and other corrective measures.
More serious violations can result in resolution agreements, which are contracts signed between the department and the organization in question. Through the contract, the violator would agree to perform certain obligations and make reports to the department for a period of three years. Also, a resolution agreement typically involves a fine.
Star staff writer Patrick McCreless: 256-235-3561.