By Molly Mulebriar
The City of Rockwall, Texas is currently seeking proposals for their self-funded employee health insurance program. The due date for proposals is upcoming.
The city published their Request for Proposals (RFP) on the city’s website along with attachments. These attachments include information regarding benefits, administrative services, census data, and 143 pages of case notes.
Case notes are detailed protected health information (PHI) that many underwriters would love to have in order to rate properly for risk. This information provides diagnosis, prognosis, detailed medical history, attending physician information, etc.
The only problem here is that the city placed the PHI of its plan participants into the public domain. Nothing was redacted. For example, page 80 of 143 of one report reveals that _____ ____, age 17, was involved in a severe auto accident earlier this year, and toxicology tests proved positive for benzodiazepine, cocaine and marijuana.
A breach of PHI is a serious matter. It is an employer’s worst nightmare. A breach can affect all parties involved with the administration of the program, including insurance consultants, brokers, and third-party administrators.
According to Morgan Brown (Truevault), HIPAA violations are expensive. “The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.”
As of this writing (Saturday, June 11, 2016) the city has removed the PHI documents from their website.
The question now is, will the city inform plan participants of this breach of PHI?
Secondly, will the city rescind the now flawed RFP process and start over? Vendors who have the unredacted case notes hold a competitive advantage over those who do not. And will the city have continued confidence in its current insurance consultant after this fiasco, whose job, we assume, is to oversee and manage the RFP process?
Gobsmacked employees, a flawed RFP process, potential regulatory intervention, and more may make for a very hot summer at the City of Rockwall.
Editor’s Note: Molly Mulebriar is an investigative reporterette from Waring, Texas and former Miss Texas contestant.
Send comments to: RiskManager@RiskManagers.us